diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index dba6d199..98c4ff7b 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -13,12 +13,12 @@ name: "CodeQL" on: push: - branches: [ main ] + branches: [main] pull_request: # The branches below must be a subset of the branches above - branches: [ main ] + branches: [main] schedule: - - cron: '15 10 * * 3' + - cron: "15 10 * * 3" jobs: analyze: 
@@ -32,40 +32,40 @@ jobs: strategy: fail-fast: false matrix: - language: [ 'go', 'javascript' ] + language: ["go", "javascript"] # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ] # Learn more: # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed steps: - - name: Checkout repository - uses: actions/checkout@v2 + - name: Checkout repository + uses: actions/checkout@v4 - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v1 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - # queries: ./path/to/local/query, your-org/your-repo/queries@main + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v1 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + # queries: ./path/to/local/query, your-org/your-repo/queries@main - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v1 + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v1 - # ℹī¸ Command-line programs to run using the OS shell. 
- # 📚 https://git.io/JvXDl + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 https://git.io/JvXDl - # ✏ī¸ If the Autobuild fails above, remove it and uncomment the following three lines - # and modify them (or add more) to build your code if your project - # uses a compiled language + # ✏ī¸ If the Autobuild fails above, remove it and uncomment the following three lines + # and modify them (or add more) to build your code if your project + # uses a compiled language - #- run: | - # make bootstrap - # make release + #- run: | + # make bootstrap + # make release - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v1 diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 03ead35c..1cb9d7d5 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 ref: main @@ -33,14 +33,16 @@ jobs: - update-source steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 ref: main - name: Setup Go - uses: actions/setup-go@v2 + uses: actions/checkout@v4 with: - go-version: "1.20" + go-version-file: go.mod + - run: go version + - name: Create tag run: | git tag v${{ inputs.version }} @@ -75,7 +77,7 @@ jobs: - create-release steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 ref: main @@ -105,7 +107,7 @@ jobs: - create-release steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 ref: main @@ -135,7 +137,7 @@ jobs: - create-release steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 ref: main diff --git a/Makefile b/Makefile index a4c4983c..78c8620b 100644 --- a/Makefile +++ b/Makefile 
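Review bot: The three `github/codeql-action` steps (`init`, `autobuild`, `analyze`) still reference `@v1` on the new side of the `-32,40 +32,40` hunk, while only `actions/checkout` moves to `@v4`. To my knowledge GitHub has deprecated the v1 line of the CodeQL action, so the scan this workflow exists to provide may fail or stop uploading results. Move all three references together to a currently supported major version. Because this workflow is itself a security control, consider pinning each `uses:` to a full commit SHA with the tag in a trailing comment (`uses: github/codeql-action/init@<FULL_COMMIT_SHA>  # <TAG>`), so that a moved tag cannot change what runs. The job header lies outside the hunk, so whether a `permissions:` block scopes the token cannot be checked from here.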
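Review bot: In the `-33,14 +33,16` hunk of `release.yaml` the `Setup Go` step now reads `uses: actions/checkout@v4` with `go-version-file: go.mod`, which looks like a search-and-replace slip from the checkout bumps. `actions/checkout` has no `go-version-file` input, so no toolchain is selected from `go.mod` and the release is built with whatever Go the runner image ships. The added `- run: go version` will still succeed and hide this. The step should use `actions/setup-go` at a release that supports `go-version-file` (the old `@v2` pin predates it, as far as I recall), e.g. `uses: actions/setup-go@<SUPPORTED_MAJOR>`. The second checkout also runs without `ref: main` or `fetch-depth: 0`, so it may reset the workspace to the triggering ref just before `git tag`; the rest of the job is outside the hunk, so confirm this against the full file.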
@@ -113,9 +113,9 @@ endif .PHONY: test-all-k8s-versions test-all-k8s-versions: go manifests generate fmt vet envtest ## Run tests on targeting k8s versions. ifeq ($(QUICK_BUILD),no) - -KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use 1.26.x -p path)" $(GO) test ./... -coverprofile $(COVER_PROFILE) - -KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use 1.25.x -p path)" $(GO) test ./... -coverprofile $(COVER_PROFILE) - -KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use 1.24.x -p path)" $(GO) test ./... -coverprofile $(COVER_PROFILE) + -KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use 1.30.x -p path)" $(GO) test ./... -coverprofile $(COVER_PROFILE) + -KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use 1.29.x -p path)" $(GO) test ./... -coverprofile $(COVER_PROFILE) + -KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use 1.28.x -p path)" $(GO) test ./... -coverprofile $(COVER_PROFILE) endif .PHONY: clear-snapshots-ui @@ -266,12 +266,12 @@ undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/confi ##--------------------------------------------------------------------- ## Tool Versions -GO_VERSION ?= 1.20.4 -KUSTOMIZE_VERSION ?= v5.0.1 -CONTROLLER_TOOLS_VERSION ?= v0.12.0 +GO_VERSION ?= 1.22.3 +KUSTOMIZE_VERSION ?= v5.4.1 +CONTROLLER_TOOLS_VERSION ?= v0.15.0 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary. -ENVTEST_K8S_VERSION ?= 1.26.x +ENVTEST_K8S_VERSION ?= 1.30.x ## Location to install dependencies to LOCALBIN ?= $(shell pwd)/bin diff --git a/api/v1alpha1/workspace_types_test.go b/api/v1alpha1/workspace_types_test.go index bd17a966..4cc5cbf1 100644 --- a/api/v1alpha1/workspace_types_test.go +++ b/api/v1alpha1/workspace_types_test.go @@ -8,7 +8,7 @@ import ( corev1 "k8s.io/api/core/v1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/intstr" - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" ) func TestNetworkRule_Default(t *testing.T) { 
@@ -43,7 +43,7 @@ func TestNetworkRule_Default(t *testing.T) { Protocol: "http", PortNumber: 1111, HTTPPath: "/path", - TargetPortNumber: pointer.Int32(0), + TargetPortNumber: ptr.To(int32(0)), Public: false, }, want: NetworkRule{ @@ -51,7 +51,7 @@ func TestNetworkRule_Default(t *testing.T) { Protocol: "http", PortNumber: 1111, HTTPPath: "/path", - TargetPortNumber: pointer.Int32(0), + TargetPortNumber: ptr.To(int32(0)), Public: false, }, }, @@ -62,7 +62,7 @@ func TestNetworkRule_Default(t *testing.T) { Protocol: "http", PortNumber: 1111, HTTPPath: "/path", - TargetPortNumber: pointer.Int32(2222), + TargetPortNumber: ptr.To(int32(2222)), Public: true, }, want: NetworkRule{ @@ -70,7 +70,7 @@ func TestNetworkRule_Default(t *testing.T) { Protocol: "http", PortNumber: 1111, HTTPPath: "/path", - TargetPortNumber: pointer.Int32(2222), + TargetPortNumber: ptr.To(int32(2222)), Public: true, }, }, @@ -81,7 +81,7 @@ func TestNetworkRule_Default(t *testing.T) { Protocol: "http", PortNumber: 1111, HTTPPath: "", - TargetPortNumber: pointer.Int32(2222), + TargetPortNumber: ptr.To(int32(2222)), Public: false, }, want: NetworkRule{ @@ -89,7 +89,7 @@ func TestNetworkRule_Default(t *testing.T) { Protocol: "http", PortNumber: 1111, HTTPPath: "/", - TargetPortNumber: pointer.Int32(2222), + TargetPortNumber: ptr.To(int32(2222)), Public: false, }, }, @@ -100,7 +100,7 @@ func TestNetworkRule_Default(t *testing.T) { Protocol: "", PortNumber: 1111, HTTPPath: "path", - TargetPortNumber: pointer.Int32(2222), + TargetPortNumber: ptr.To(int32(2222)), Public: false, }, want: NetworkRule{ @@ -108,7 +108,7 @@ func TestNetworkRule_Default(t *testing.T) { Protocol: "http", PortNumber: 1111, HTTPPath: "path", - TargetPortNumber: pointer.Int32(2222), + TargetPortNumber: ptr.To(int32(2222)), Public: false, }, }, 
@@ -135,7 +135,7 @@ func TestNetworkRule_portName(t *testing.T) { name: "✅ OK", netRule: &NetworkRule{ PortNumber: 1111, - TargetPortNumber: pointer.Int32(2222), + TargetPortNumber: ptr.To(int32(2222)), }, want: "port1111", }, @@ -161,7 +161,7 @@ func TestNetworkRule_ServicePort(t *testing.T) { CustomHostPrefix: "name", PortNumber: 1111, HTTPPath: "/path", - TargetPortNumber: pointer.Int32(2222), + TargetPortNumber: ptr.To(int32(2222)), }, want: corev1.ServicePort{ Name: "port1111", diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 7d91b505..34aa3f16 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* MIT License diff --git a/charts/Makefile b/charts/Makefile index ac820664..d237df9a 100644 --- a/charts/Makefile +++ b/charts/Makefile @@ -9,12 +9,12 @@ helm-dependency-update: cd cosmo; ../$(HELM) dependency update chartsnap: - go install github.com/cosmo-workspace/controller-testtools/cmd/chartsnap@latest + -helm plugin install https://github.com/jlandowner/helm-chartsnap TEST_VALUES ?= cosmo/test test: chartsnap helm helm-dependency-update - chartsnap --chart cosmo --values $(TEST_VALUES) --helm-path $(HELM) $(CHARTSNAP_OPT) + helm chartsnap -c cosmo --values $(TEST_VALUES) -n cosmo-system $(CHARTSNAP_OPT) test-list: grep -R '{{[-|] if .*}}' cosmo/templates/* | grep .Values | awk -F':' '{print $$2}' | sed -n 's/.*\(.Values[^ ]*\).*/\1/p' | tr -d ')' | sort | uniq | awk -F'.Values.' '{print $$2}' > cosmo/test/if-values.list diff --git a/charts/cosmo/Chart.lock b/charts/cosmo/Chart.lock index 5bb5b268..57df870a 100644 --- a/charts/cosmo/Chart.lock +++ b/charts/cosmo/Chart.lock 
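Review bot: The new `chartsnap` recipe in `charts/Makefile` installs a Helm plugin from the repository URL with no version pin, and the leading `-` discards every failure of that command, not only the "plugin already exists" case. A Helm plugin can run install hooks and executes on the developer or CI machine, so pin it with `helm plugin install https://github.com/jlandowner/helm-chartsnap --version <PINNED_TAG>`. Replace the blanket `-` with an explicit guard such as `helm plugin list | grep -q chartsnap || helm plugin install ...`, so that a failed or tampered download stops the build instead of being skipped. Separately, `test` now calls the `helm` found on PATH, while its `helm` prerequisite and `helm-dependency-update` use `$(HELM)`. `$(HELM) chartsnap -c cosmo ...` would presumably keep the snapshot tests on the Helm version the Makefile provisions.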
@@ -1,6 +1,6 @@ dependencies: - name: traefik repository: https://traefik.github.io/charts - version: 23.0.1 -digest: sha256:42e94181cdffc906bcfbb56c2833ac7a1a2c9919437ea200cb141d2c7b6a2b38 -generated: "2023-07-03T16:53:58.777276317+09:00" + version: 28.0.0 +digest: sha256:22326d90a5d813d9486df54e7e909154b9960fd129a826b29b6cc2197e0f85e0 +generated: "2024-05-09T15:40:19.505948468+09:00" diff --git a/charts/cosmo/Chart.yaml b/charts/cosmo/Chart.yaml index 8c010931..64ad9c86 100644 --- a/charts/cosmo/Chart.yaml +++ b/charts/cosmo/Chart.yaml @@ -17,7 +17,7 @@ maintainers: email: jlandowner8@gmail.com dependencies: - name: traefik - version: "23.0.1" + version: "28.0.0" repository: https://traefik.github.io/charts condition: traefik.enabled keywords: diff --git a/charts/cosmo/crds/cosmo-workspace.github.io_clusterinstances.yaml b/charts/cosmo/crds/cosmo-workspace.github.io_clusterinstances.yaml index 97e5a574..cb617ffb 100644 --- a/charts/cosmo/crds/cosmo-workspace.github.io_clusterinstances.yaml +++ b/charts/cosmo/crds/cosmo-workspace.github.io_clusterinstances.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: clusterinstances.cosmo-workspace.github.io spec: group: cosmo-workspace.github.io 
@@ -29,14 +29,19 @@ spec: description: ClusterInstance is the Schema for the instances API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -63,35 +68,40 @@ spec: format: date-time type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a - valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container - that triggered the event) or if no container name - is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to - have some well-defined way of referencing a part of - an object. TODO: this design is not final and this - field is subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this - reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic 
@@ -130,33 +140,40 @@ spec: format: date-time type: string fieldPath: - description: 'If referring to a piece of an object instead of - an entire object, this string should contain a valid JSON/Go - field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part of - an object. TODO: this design is not final and this field is - subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic diff --git a/charts/cosmo/crds/cosmo-workspace.github.io_clustertemplates.yaml b/charts/cosmo/crds/cosmo-workspace.github.io_clustertemplates.yaml index 201282d3..3b4f2614 100644 --- a/charts/cosmo/crds/cosmo-workspace.github.io_clustertemplates.yaml +++ b/charts/cosmo/crds/cosmo-workspace.github.io_clustertemplates.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: clustertemplates.cosmo-workspace.github.io spec: group: cosmo-workspace.github.io 
@@ -26,14 +26,19 @@ spec: description: ClusterTemplate is the Schema for the Templates API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object diff --git a/charts/cosmo/crds/cosmo-workspace.github.io_instances.yaml b/charts/cosmo/crds/cosmo-workspace.github.io_instances.yaml index 1474edcb..ace8fe1b 100644 --- a/charts/cosmo/crds/cosmo-workspace.github.io_instances.yaml +++ b/charts/cosmo/crds/cosmo-workspace.github.io_instances.yaml 
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: instances.cosmo-workspace.github.io spec: group: cosmo-workspace.github.io @@ -29,14 +29,19 @@ spec: description: Instance is the Schema for the instances API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -63,35 +68,40 @@ spec: format: date-time type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a - valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container - that triggered the event) or if no container name - is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to - have some well-defined way of referencing a part of - an object. TODO: this design is not final and this - field is subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this - reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic 
@@ -130,33 +140,40 @@ spec: format: date-time type: string fieldPath: - description: 'If referring to a piece of an object instead of - an entire object, this string should contain a valid JSON/Go - field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part of - an object. TODO: this design is not final and this field is - subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic diff --git a/charts/cosmo/crds/cosmo-workspace.github.io_templates.yaml b/charts/cosmo/crds/cosmo-workspace.github.io_templates.yaml index 3030efd3..d639d211 100644 --- a/charts/cosmo/crds/cosmo-workspace.github.io_templates.yaml +++ b/charts/cosmo/crds/cosmo-workspace.github.io_templates.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: templates.cosmo-workspace.github.io spec: group: cosmo-workspace.github.io 
@@ -26,14 +26,19 @@ spec: description: Template is the Schema for the Templates API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object diff --git a/charts/cosmo/crds/cosmo-workspace.github.io_users.yaml b/charts/cosmo/crds/cosmo-workspace.github.io_users.yaml index e560de31..552983ba 100644 --- a/charts/cosmo/crds/cosmo-workspace.github.io_users.yaml +++ b/charts/cosmo/crds/cosmo-workspace.github.io_users.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: users.cosmo-workspace.github.io spec: group: cosmo-workspace.github.io 
@@ -36,14 +36,19 @@ spec: description: User is the Schema for the workspaces API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -98,33 +103,40 @@ spec: format: date-time type: string fieldPath: - description: 'If referring to a piece of an object instead of - an entire object, this string should contain a valid JSON/Go - field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part of - an object. TODO: this design is not final and this field is - subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic 
@@ -140,33 +152,40 @@ spec: format: date-time type: string fieldPath: - description: 'If referring to a piece of an object instead of - an entire object, this string should contain a valid JSON/Go - field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part of - an object. TODO: this design is not final and this field is - subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic diff --git a/charts/cosmo/crds/cosmo-workspace.github.io_workspaces.yaml b/charts/cosmo/crds/cosmo-workspace.github.io_workspaces.yaml index c938d789..fed0aa5e 100644 --- a/charts/cosmo/crds/cosmo-workspace.github.io_workspaces.yaml +++ b/charts/cosmo/crds/cosmo-workspace.github.io_workspaces.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: workspaces.cosmo-workspace.github.io spec: group: cosmo-workspace.github.io 
@@ -29,14 +29,19 @@ spec: description: Workspace is the Schema for the workspaces API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -110,33 +115,40 @@ spec: format: date-time type: string fieldPath: - description: 'If referring to a piece of an object instead of - an entire object, this string should contain a valid JSON/Go - field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part of - an object. TODO: this design is not final and this field is - subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic diff --git a/charts/cosmo/templates/dashboard/ingressroute.yaml b/charts/cosmo/templates/dashboard/ingressroute.yaml index b37f7553..72bad099 100644 --- a/charts/cosmo/templates/dashboard/ingressroute.yaml +++ b/charts/cosmo/templates/dashboard/ingressroute.yaml @@ -19,7 +19,7 @@ spec: routes: {{- if .Values.dashboard.localRunTest.enabled }} - kind: Rule - match: Host(`{{ .Values.dashboard.ingressRoute.host }}.{{ .Values.domain }}`) && (Path(`/`) || PathPrefix(`/@`,`/src`,`/manifest.json`,`/node_modules`,`/logo`)) + match: Host(`{{ .Values.dashboard.ingressRoute.host }}.{{ .Values.domain }}`) && (Path(`/`) || PathPrefix(`/@`) || PathPrefix(`/src`) || PathPrefix(`/manifest.json`) || PathPrefix(`/node_modules`) || PathPrefix(`/logo`)) priority: 1002 services: - kind: Service 
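Review bot: `PathPrefix(`/logo`)` and `PathPrefix(`/manifest.json`)` in the new `match` line are plain string prefixes, so the rule also matches any path that merely begins with those characters (a constructed example: `/logo-anything`). The same `/logo` prefix is repeated in the priority 1001 rule of the next hunk. If these routes are served without the authentication middleware, which cannot be confirmed because the middleware list is outside the hunk, the unauthenticated surface is wider than the files intended. Prefer exact matchers where a single file is meant, for example ``Path(`/manifest.json`)``, and end directory prefixes with a slash as `/assets/` already does. The route definition starts and ends outside the hunk.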
@@ -29,7 +29,7 @@ spec: scheme: {{ if not .Values.dashboard.tls.enabled -}}http{{- else -}}https{{ end }} {{- end }} - kind: Rule - match: Host(`{{ .Values.dashboard.ingressRoute.host }}.{{ .Values.domain }}`) && (Path(`/`) || PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`, `/dashboard.v1alpha1.WebAuthnService/`)) + match: Host(`{{ .Values.dashboard.ingressRoute.host }}.{{ .Values.domain }}`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) priority: 1001 services: - kind: Service diff --git a/charts/cosmo/test/__snapshots__/test-certManager-existing-issuer.snap b/charts/cosmo/test/__snapshots__/test-certManager-existing-issuer.snap index 3ddf38a8..9f134abe 100644 --- a/charts/cosmo/test/__snapshots__/test-certManager-existing-issuer.snap +++ b/charts/cosmo/test/__snapshots__/test-certManager-existing-issuer.snap 
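Review bot: The priority 1001 rule has no comment saying why exactly these prefixes get their own route, and the long one-line expression makes it easy to widen it by accident when a prefix is added later. A short comment above `match:` would help, such as `# One argument per matcher (Traefik v3 rule syntax). Only endpoints that must be reachable before sign-in belong here.` Whether this route really skips authentication cannot be seen from the hunk, so the author should confirm the second sentence against the route's middleware list before adding it.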
@@ -1,1192 +1,1241 @@ -[test-certManager-existing-issuer] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 
127.0.0.1:8080 + webhook: + port: 9443 + leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml 
+apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - 
create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-traefik-cosmo-system +subjects: +- kind: ServiceAccount + name: chartsnap-traefik + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + 
helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + 
app.kubernetes.io/managed-by: Helm +spec: + type: LoadBalancer + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + cosmo-workspace.github.io: dashboard 
+ app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: 
/mutate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: muser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - 
clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - image: 
ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - --maxage-minutes=720 - - --zap-log-level=info - - 
--zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=10 - - --timeout-seconds=5 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt - command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - name: cert - readOnly: true - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system - spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - - --serversTransport.insecureSkipVerify=true - - 
--entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - --entrypoints.web.address=:8000/tcp - - --entrypoints.websecure.address=:8443/tcp - - --api.dashboard=true - - --ping=true - - --metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - --providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/testrelease-traefik - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: testrelease-traefik - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh - - -c - - cp -r /plugins-local/* /local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: local-plugins - securityContext: - fsGroupChangePolicy: 
OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - serviceAccountName: testrelease-traefik - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns - spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: ClusterIssuer - name: test - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns - spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: ClusterIssuer - name: test - secretName: webhook-server-cert -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: useraddon - name: cosmo-username-headers - spec: - description: Traefik middleware for user authorization. 
DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - 
instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - rules: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - 
apiGroups: - - traefik.io - - traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: 
traefik-23.0.1 - name: testrelease-traefik-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: testrelease-traefik-testns - subjects: - - kind: ServiceAccount - name: testrelease-traefik - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service 
- name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: 
aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= - immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: + serviceAccountName: chartsnap-traefik + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c + - cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent + name: chartsnap-traefik + resources: + readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: ports: - - name: https - port: 8443 - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - name: "metrics" + containerPort: 9100 + protocol: "TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: 
"TCP" + - name: "websecure" + containerPort: 8443 + protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: /plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - "--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/chartsnap-traefik" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 
1 + selector: + matchLabels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=9443 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - --traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: manager ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - type: ClusterIP -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: 
cosmo-webhook-service - namespace: testns - spec: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - containerPort: 8443 + name: https + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: 
testrelease-traefik - namespace: cosmo-system + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=8443 + - --maxage-minutes=720 + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + 
volumeMounts: + - mountPath: /app/cert + name: cert + readOnly: true + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: chartsnap-traefik +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: + kind: ClusterIssuer + name: test + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: ClusterIssuer + name: test + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: chartsnap-traefik-dashboard + 
namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: 
cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: muser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: 
cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. DO NOT EDIT + rawYaml: | + apiVersion: traefik.io/v1alpha1 + kind: Middleware metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system -""" + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' + spec: + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- 
admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None diff --git a/charts/cosmo/test/__snapshots__/test-controllerManager-disable-healthz.snap b/charts/cosmo/test/__snapshots__/test-controllerManager-disable-healthz.snap index c95a4480..0167bb1f 100644 --- a/charts/cosmo/test/__snapshots__/test-controllerManager-disable-healthz.snap +++ b/charts/cosmo/test/__snapshots__/test-controllerManager-disable-healthz.snap 
@@ -1,1192 +1,1242 @@ -[test-controllerManager-disable-healthz] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + metrics: + bindAddress: 127.0.0.1:8080 + webhook: + port: 9443 + 
leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: 
ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - create + - delete + - patch + - update + - get + - 
list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-traefik-cosmo-system +subjects: +- kind: ServiceAccount + name: chartsnap-traefik + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: 
chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + type: 
LoadBalancer + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + 
app.kubernetes.io/name: cosmo +--- +# Source: cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-user - 
failurePolicy: Fail - name: muser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: 
cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=0 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - name: 
manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - --maxage-minutes=720 - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=10 - - --timeout-seconds=5 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt 
- command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - name: cert - readOnly: true - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system - spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - - --serversTransport.insecureSkipVerify=true - - --entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - --entrypoints.web.address=:8000/tcp - - --entrypoints.websecure.address=:8443/tcp - - --api.dashboard=true - - --ping=true - - --metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - 
--providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/testrelease-traefik - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: testrelease-traefik - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh - - -c - - cp -r /plugins-local/* /local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: local-plugins - securityContext: - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - serviceAccountName: testrelease-traefik - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: 
cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns - spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns - spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: useraddon - name: cosmo-username-headers - spec: - description: Traefik middleware for user authorization. 
DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - 
instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - rules: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - 
apiGroups: - - traefik.io - - traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: 
traefik-23.0.1 - name: testrelease-traefik-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: testrelease-traefik-testns - subjects: - - kind: ServiceAccount - name: testrelease-traefik - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service 
- name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= 
- immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: + serviceAccountName: chartsnap-traefik + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c + - cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent + name: chartsnap-traefik + resources: + readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: ports: - - name: https - port: 8443 - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - name: "metrics" + containerPort: 9100 + protocol: "TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: "TCP" + - name: "websecure" + containerPort: 8443 + 
protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: /plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - "--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/chartsnap-traefik" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + 
cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=9443 + - --health-probe-bind-address=0 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - --traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + name: manager ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - type: ClusterIP -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-service - namespace: testns - spec: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: 
false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - containerPort: 8443 + name: https + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=8443 + - --maxage-minutes=720 + - 
--zap-log-level=info + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + volumeMounts: + - mountPath: /app/cert + name: cert + readOnly: true + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: 
dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: chartsnap-traefik +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: chartsnap-traefik-dashboard + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + 
entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-selfsigned-issuer + namespace: cosmo-system +spec: + selfSigned: {} +--- +# Source: cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: 
cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: muser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - 
apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. DO NOT EDIT + rawYaml: | + apiVersion: traefik.io/v1alpha1 + kind: Middleware metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system -""" + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' + spec: + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + 
rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None diff --git a/charts/cosmo/test/__snapshots__/test-controllerManager-disable-metrics-kubeRbacProxy.snap b/charts/cosmo/test/__snapshots__/test-controllerManager-disable-metrics-kubeRbacProxy.snap index 795f09ef..94a28218 100644 --- a/charts/cosmo/test/__snapshots__/test-controllerManager-disable-metrics-kubeRbacProxy.snap +++ b/charts/cosmo/test/__snapshots__/test-controllerManager-disable-metrics-kubeRbacProxy.snap 
@@ -1,1189 +1,1239 @@ -[test-controllerManager-disable-metrics-kubeRbacProxy] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + 
bindAddress: 127.0.0.1:8080 + webhook: + port: 9443 + leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: 
cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - 
clusterinstances + - clustertemplates + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-traefik-cosmo-system +subjects: +- kind: ServiceAccount + name: chartsnap-traefik + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: 
ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: 
chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + type: LoadBalancer + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8080 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 
8443 + selector: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: 
cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: muser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - 
admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=0.0.0.0:8080 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - 
image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - - containerPort: 8080 - name: metrics - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - --maxage-minutes=720 - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=10 - - --timeout-seconds=5 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt - command: - - /app/dashboard - envFrom: - - 
secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - name: cert - readOnly: true - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system - spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - - --serversTransport.insecureSkipVerify=true - - --entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - --entrypoints.web.address=:8000/tcp - - --entrypoints.websecure.address=:8443/tcp - - --api.dashboard=true - - --ping=true - - --metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - 
--providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/testrelease-traefik - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: testrelease-traefik - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh - - -c - - cp -r /plugins-local/* /local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: local-plugins - securityContext: - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - serviceAccountName: testrelease-traefik - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: 
cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns - spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns - spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: useraddon - name: cosmo-username-headers - spec: - description: Traefik middleware for user authorization. 
DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - 
instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - rules: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - 
apiGroups: - - traefik.io - - traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: 
traefik-23.0.1 - name: testrelease-traefik-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: testrelease-traefik-testns - subjects: - - kind: ServiceAccount - name: testrelease-traefik - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service 
- name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: 
aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= - immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: + serviceAccountName: chartsnap-traefik + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c + - cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent + name: chartsnap-traefik + resources: + readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: ports: - - name: https - port: 8443 - targetPort: 8080 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - name: "metrics" + containerPort: 9100 + protocol: "TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: 
"TCP" + - name: "websecure" + containerPort: 8443 + protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: /plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - "--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/chartsnap-traefik" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 
1 + selector: + matchLabels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=9443 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=0.0.0.0:8080 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - --traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: manager ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - type: ClusterIP -- object: - apiVersion: v1 - kind: Service + - containerPort: 9443 + name: webhook-server + protocol: TCP + - containerPort: 8080 + name: metrics + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + 
securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + securityContext: + runAsNonRoot: true + serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-service - namespace: testns + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=8443 + - --maxage-minutes=720 + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + 
periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + volumeMounts: + - mountPath: /app/cert + name: cert + readOnly: true + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: chartsnap-traefik +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + 
app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: chartsnap-traefik-dashboard + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + 
labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-selfsigned-issuer + namespace: cosmo-system +spec: + selfSigned: {} +--- +# Source: cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + 
sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: muser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. 
DO NOT EDIT + rawYaml: | + apiVersion: traefik.io/v1alpha1 + kind: Middleware metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' spec: - ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system -""" + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + 
cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: 
None
diff --git a/charts/cosmo/test/__snapshots__/test-controllerManager-disable-metrics.snap b/charts/cosmo/test/__snapshots__/test-controllerManager-disable-metrics.snap
index 1f6227f1..c0092305 100644
--- a/charts/cosmo/test/__snapshots__/test-controllerManager-disable-metrics.snap
+++ b/charts/cosmo/test/__snapshots__/test-controllerManager-disable-metrics.snap
@@ -1,1163 +1,1211 @@ -[test-controllerManager-disable-metrics] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + webhook: + port: 9443 + 
leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: 
ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - create + - delete + - patch + - update + - get + - 
list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-traefik-cosmo-system +subjects: +- kind: ServiceAccount + name: chartsnap-traefik + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: 
chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + type: 
LoadBalancer + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - annotations: 
- cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: muser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: 
admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - 
operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=0 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: 
cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - --maxage-minutes=720 - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=10 - - --timeout-seconds=5 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt - command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - name: cert - readOnly: true - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - 
app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - - --serversTransport.insecureSkipVerify=true - - --entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - --entrypoints.web.address=:8000/tcp - - --entrypoints.websecure.address=:8443/tcp - - --api.dashboard=true - - --ping=true - - --metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - --providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/testrelease-traefik - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - 
initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: testrelease-traefik - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh - - -c - - cp -r /plugins-local/* /local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: local-plugins - securityContext: - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - serviceAccountName: testrelease-traefik - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate + serviceAccountName: chartsnap-traefik + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c + - cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent + name: chartsnap-traefik + resources: + 
readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: + ports: + - name: "metrics" + containerPort: 9100 + protocol: "TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: "TCP" + - name: "websecure" + containerPort: 8443 + protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: /plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - "--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/chartsnap-traefik" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: 
local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate + containers: + - args: + - --port=9443 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=0 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - --traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + 
livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: manager + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + securityContext: + runAsNonRoot: true + serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 + containers: + - args: + - --port=8443 + - 
--maxage-minutes=720 + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env + ports: + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + volumeMounts: + - mountPath: /app/cert + name: cert + readOnly: true + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: chartsnap-traefik +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - 
cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: useraddon - name: cosmo-username-headers - spec: - description: Traefik middleware for user authorization. DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - 
patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - 
tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - rules: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - traefik.io - - traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: 
cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: testrelease-traefik-testns - subjects: - - kind: ServiceAccount - name: testrelease-traefik - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: 
cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + 
name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: chartsnap-traefik-dashboard + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: 
chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-selfsigned-issuer + namespace: cosmo-system +spec: + selfSigned: {} +--- +# Source: cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + 
clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: muser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. 
DO NOT EDIT + rawYaml: | apiVersion: traefik.io/v1alpha1 kind: Middleware metadata: - name: cosmo-auth - namespace: testns + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= - immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: 
cosmo - cosmo-workspace.github.io: dashboard - type: ClusterIP -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-service - namespace: testns - spec: - ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system - spec: - ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system -""" 
+ headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: 
cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None diff --git a/charts/cosmo/test/__snapshots__/test-controllerManager-disable-webhook.snap b/charts/cosmo/test/__snapshots__/test-controllerManager-disable-webhook.snap index 391fa998..4f8df1f6 100644 --- a/charts/cosmo/test/__snapshots__/test-controllerManager-disable-webhook.snap +++ b/charts/cosmo/test/__snapshots__/test-controllerManager-disable-webhook.snap 
@@ -1,997 +1,1045 @@ -[test-controllerManager-disable-webhook] -SnapShot = """ -- object: - apiVersion: apps/v1 - kind: Deployment +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 127.0.0.1:8080 + leaderElection: + 
leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole 
+metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - create + - delete + - patch + - update + - get + - list + - 
watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-traefik-cosmo-system +subjects: +- kind: ServiceAccount + name: chartsnap-traefik + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: 
chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + type: 
LoadBalancer + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + 
app.kubernetes.io/name: cosmo +--- +# Source: cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: null - readinessProbe: - httpGet: - 
path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - --maxage-minutes=720 - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=10 - - --timeout-seconds=5 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt - 
command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - name: cert - readOnly: true - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system - spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - - --serversTransport.insecureSkipVerify=true - - --entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - --entrypoints.web.address=:8000/tcp - - --entrypoints.websecure.address=:8443/tcp - - --api.dashboard=true - - --ping=true - - --metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - 
--providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/testrelease-traefik - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: testrelease-traefik - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh - - -c - - cp -r /plugins-local/* /local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: local-plugins - securityContext: - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - serviceAccountName: testrelease-traefik - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: 
cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns - spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns - spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: useraddon - name: cosmo-username-headers - spec: - description: Traefik middleware for user authorization. 
DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - 
instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - rules: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - 
apiGroups: - - traefik.io - - traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: 
traefik-23.0.1 - name: testrelease-traefik-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: testrelease-traefik-testns - subjects: - - kind: ServiceAccount - name: testrelease-traefik - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service 
- name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: 
aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= - immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: + serviceAccountName: chartsnap-traefik + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c + - cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent + name: chartsnap-traefik + resources: + readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: ports: - - name: https - port: 8443 - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - name: "metrics" + containerPort: 9100 + protocol: "TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: 
"TCP" + - name: "websecure" + containerPort: 8443 + protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: /plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - "--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/chartsnap-traefik" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 
1 + selector: + matchLabels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=9443 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - --traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: manager ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - type: ClusterIP -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: 
cosmo-webhook-service - namespace: testns - spec: + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - containerPort: 8443 + name: https + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system + labels: + 
cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=8443 + - --maxage-minutes=720 + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + volumeMounts: + - mountPath: /app/cert + name: cert + readOnly: 
true + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: chartsnap-traefik +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: chartsnap-traefik-dashboard + namespace: cosmo-system + labels: + 
app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-selfsigned-issuer + namespace: cosmo-system +spec: + selfSigned: {} +--- +# Source: cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + 
cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. DO NOT EDIT + rawYaml: | + apiVersion: traefik.io/v1alpha1 + kind: Middleware metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system -""" + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' + spec: + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' diff --git a/charts/cosmo/test/__snapshots__/test-controllerManager-hostnetwork.snap b/charts/cosmo/test/__snapshots__/test-controllerManager-hostnetwork.snap index 49ed94bc..1cbe1551 100644 --- a/charts/cosmo/test/__snapshots__/test-controllerManager-hostnetwork.snap +++ b/charts/cosmo/test/__snapshots__/test-controllerManager-hostnetwork.snap 
@@ -1,1208 +1,1258 @@ -[test-controllerManager-hostnetwork] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 
127.0.0.1:8080 + webhook: + port: 9999 + leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml 
+apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - 
create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-traefik-cosmo-system +subjects: +- kind: ServiceAccount + name: chartsnap-traefik + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + 
helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + 
app.kubernetes.io/managed-by: Helm +spec: + type: LoadBalancer + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9999 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + cosmo-workspace.github.io: dashboard 
+ app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: 
/mutate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: muser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - 
clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9999 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - image: 
ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9999 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - dnsPolicy: ClusterFirstWithHostNet - hostNetwork: true - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - 
--maxage-minutes=720 - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=10 - - --timeout-seconds=5 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt - command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - name: cert - readOnly: true - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system - spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - 
- --serversTransport.insecureSkipVerify=true - - --entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - --entrypoints.web.address=:8000/tcp - - --entrypoints.websecure.address=:8443/tcp - - --api.dashboard=true - - --ping=true - - --metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - --providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/testrelease-traefik - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: testrelease-traefik - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh - - -c - - cp -r /plugins-local/* /local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: 
local-plugins - securityContext: - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - serviceAccountName: testrelease-traefik - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns - spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns - spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: 
useraddon - name: cosmo-username-headers - spec: - description: Traefik middleware for user authorization. DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - 
update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - rules: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - 
extensions - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - traefik.io - - traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - 
app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: testrelease-traefik-testns - subjects: - - kind: ServiceAccount - name: testrelease-traefik - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || 
PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9999 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: 
ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= - immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: + serviceAccountName: chartsnap-traefik + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c + - cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent + name: chartsnap-traefik + resources: + readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: ports: - - name: https - port: 8443 - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - name: "metrics" + containerPort: 9100 + protocol: 
"TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: "TCP" + - name: "websecure" + containerPort: 8443 + protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: /plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - "--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/chartsnap-traefik" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" 
+ app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=9999 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - --traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: manager ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - type: ClusterIP -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - 
app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-service - namespace: testns - spec: + - containerPort: 9999 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy ports: - - port: 443 - targetPort: 9999 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - containerPort: 8443 + name: https + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + securityContext: + runAsNonRoot: true + serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: null - labels: - 
app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=8443 + - --maxage-minutes=720 + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount + - 
containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + volumeMounts: + - mountPath: /app/cert + name: cert + readOnly: true + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: chartsnap-traefik +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: 
dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: chartsnap-traefik-dashboard + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-selfsigned-issuer + namespace: cosmo-system +spec: + selfSigned: {} +--- +# Source: 
cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: muser.kb.io + rules: + - apiGroups: + - 
cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. DO NOT EDIT + rawYaml: | + apiVersion: traefik.io/v1alpha1 + kind: Middleware metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system -""" + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' + spec: + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + 
app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None 
diff --git a/charts/cosmo/test/__snapshots__/test-dashboard-disable-ingressroute.snap b/charts/cosmo/test/__snapshots__/test-dashboard-disable-ingressroute.snap
index f1cc788d..fe76e54d 100644
--- a/charts/cosmo/test/__snapshots__/test-dashboard-disable-ingressroute.snap
+++ b/charts/cosmo/test/__snapshots__/test-dashboard-disable-ingressroute.snap
@@ -1,1161 +1,1210 @@ -[test-dashboard-disable-ingressroute] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cDovL2Rhc2hib2FyZC5leGFtcGxlLmNvbS8jL3NpZ25pbg==" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 
127.0.0.1:8080 + webhook: + port: 9443 + leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml 
+apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - 
create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-traefik-cosmo-system +subjects: +- kind: ServiceAccount + name: chartsnap-traefik + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + 
helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + 
app.kubernetes.io/managed-by: Helm +spec: + type: LoadBalancer + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: http +spec: + type: LoadBalancer + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + cosmo-workspace.github.io: 
dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: 
/mutate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: muser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - 
clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - image: 
ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - --maxage-minutes=720 - - --zap-log-level=info - - 
--zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=10 - - --timeout-seconds=5 - - --insecure - command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTP - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: null - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: null -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system - spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - - --serversTransport.insecureSkipVerify=true - - --entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - --entrypoints.web.address=:8000/tcp - - --entrypoints.websecure.address=:8443/tcp - - 
--api.dashboard=true - - --ping=true - - --metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - --providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/testrelease-traefik - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: testrelease-traefik - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh - - -c - - cp -r /plugins-local/* /local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: local-plugins - securityContext: - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - serviceAccountName: testrelease-traefik - terminationGracePeriodSeconds: 60 - volumes: - - 
emptyDir: {} - name: data - - emptyDir: {} - name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns - spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns - spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: useraddon - name: cosmo-username-headers - spec: - description: Traefik middleware for user authorization. 
DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - 
instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - rules: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - 
apiGroups: - - traefik.io - - traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: 
traefik-23.0.1 - name: testrelease-traefik-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: testrelease-traefik-testns - subjects: - - kind: ServiceAccount - name: testrelease-traefik - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: - apiVersion: traefik.io/v1alpha1 - 
kind: Middleware - metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: aHR0cDovL2Rhc2hib2FyZC5leGFtcGxlLmNvbS8jL3NpZ25pbg== - immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: + serviceAccountName: chartsnap-traefik + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c 
+ - cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent + name: chartsnap-traefik + resources: + readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: ports: - - name: https - port: 8443 - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - name: "metrics" + containerPort: 9100 + protocol: "TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: "TCP" + - name: "websecure" + containerPort: 8443 + protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: /plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - 
"--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/chartsnap-traefik" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: http - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=9443 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - 
--traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: manager ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - type: LoadBalancer -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-service - namespace: testns - spec: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - containerPort: 8443 + name: https + resources: + 
limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=8443 + - --maxage-minutes=720 + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --insecure + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTP + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: 
cosmo-auth-env ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + volumeMounts: + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: +--- +# Source: cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: chartsnap-traefik +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + 
namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: chartsnap-traefik-dashboard + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-selfsigned-issuer + namespace: cosmo-system +spec: + selfSigned: {} +--- +# Source: cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + cookieDomain: 
"${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: muser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + 
namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. DO NOT EDIT + rawYaml: | + apiVersion: traefik.io/v1alpha1 + kind: Middleware metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system -""" + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' + spec: + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + 
namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None diff --git a/charts/cosmo/test/__snapshots__/test-dashboard-enable-ldap-bind.snap b/charts/cosmo/test/__snapshots__/test-dashboard-enable-ldap-bind.snap index b0c6b3c9..478d56e0 100644 --- a/charts/cosmo/test/__snapshots__/test-dashboard-enable-ldap-bind.snap +++ b/charts/cosmo/test/__snapshots__/test-dashboard-enable-ldap-bind.snap 
@@ -1,1214 +1,1264 @@ -[test-dashboard-enable-ldap-bind] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 
127.0.0.1:8080 + webhook: + port: 9443 + leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml 
+apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - 
create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-traefik-cosmo-system +subjects: +- kind: ServiceAccount + name: chartsnap-traefik + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + 
helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + 
app.kubernetes.io/managed-by: Helm +spec: + type: LoadBalancer + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + cosmo-workspace.github.io: dashboard 
+ app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: 
/mutate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: muser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - 
clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - image: 
ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - --maxage-minutes=720 - - --zap-log-level=info - - 
--zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=10 - - --timeout-seconds=5 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt - - --ldap-url=ldap://example.com:389 - - --ldap-insecure-skip-verify=false - - --ldap-start-tls=false - - --ldap-binddn= - - --ldap-search-binddn= - - --ldap-search-password= - - --ldap-search-basedn= - - --ldap-search-filter= - command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - name: cert - readOnly: true - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system - spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" - labels: - app.kubernetes.io/instance: 
testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - - --serversTransport.insecureSkipVerify=true - - --entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - --entrypoints.web.address=:8000/tcp - - --entrypoints.websecure.address=:8443/tcp - - --api.dashboard=true - - --ping=true - - --metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - --providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/testrelease-traefik - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: testrelease-traefik - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh - - -c - - cp -r /plugins-local/* 
/local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: local-plugins - securityContext: - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - serviceAccountName: testrelease-traefik - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns - spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns - spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - 
cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: useraddon - name: cosmo-username-headers - spec: - description: Traefik middleware for user authorization. DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - 
watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - rules: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - 
- ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - traefik.io - - traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: 
cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: testrelease-traefik-testns - subjects: - - kind: ServiceAccount - name: testrelease-traefik - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: 
cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - 
helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= - immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: + serviceAccountName: chartsnap-traefik + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c + - cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent + name: chartsnap-traefik + resources: + readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: ports: - - name: https - port: 8443 - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - 
app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - name: "metrics" + containerPort: 9100 + protocol: "TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: "TCP" + - name: "websecure" + containerPort: 8443 + protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: /plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - "--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/chartsnap-traefik" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: 
Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=9443 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - --traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: manager ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - 
cosmo-workspace.github.io: dashboard - type: ClusterIP -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-service - namespace: testns - spec: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - containerPort: 8443 + name: https + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + 
cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=8443 + - --maxage-minutes=720 + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + - --ldap-url=ldap://example.com:389 + - --ldap-insecure-skip-verify=false + - --ldap-start-tls=false + - --ldap-binddn= + - --ldap-search-binddn= + - --ldap-search-password= + - --ldap-search-basedn= + - --ldap-search-filter= + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: 
cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + volumeMounts: + - mountPath: /app/cert + name: cert + readOnly: true + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: chartsnap-traefik +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + 
app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: chartsnap-traefik-dashboard + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: 
cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-selfsigned-issuer + namespace: cosmo-system +spec: + selfSigned: {} +--- +# Source: cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: 
+ - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: muser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. 
DO NOT EDIT + rawYaml: | + apiVersion: traefik.io/v1alpha1 + kind: Middleware metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system -""" + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' + spec: + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- 
admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None diff --git a/charts/cosmo/test/__snapshots__/test-dashboard-enable-ldap-searchfilter.snap b/charts/cosmo/test/__snapshots__/test-dashboard-enable-ldap-searchfilter.snap index 255186db..54acff55 100644 --- a/charts/cosmo/test/__snapshots__/test-dashboard-enable-ldap-searchfilter.snap +++ b/charts/cosmo/test/__snapshots__/test-dashboard-enable-ldap-searchfilter.snap 
@@ -1,1214 +1,1264 @@ -[test-dashboard-enable-ldap-searchfilter] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 
127.0.0.1:8080 + webhook: + port: 9443 + leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml 
+apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - 
create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-traefik-cosmo-system +subjects: +- kind: ServiceAccount + name: chartsnap-traefik + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + 
helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + 
app.kubernetes.io/managed-by: Helm +spec: + type: LoadBalancer + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + cosmo-workspace.github.io: dashboard 
+ app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: 
/mutate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: muser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - 
clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - image: 
ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - --maxage-minutes=720 - - --zap-log-level=info - - 
--zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=10 - - --timeout-seconds=5 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt - - --ldap-url=ldap://example.com:389 - - --ldap-insecure-skip-verify=false - - --ldap-start-tls=false - - --ldap-binddn= - - --ldap-search-binddn=cn=admin,dc=cosmo,dc=io - - --ldap-search-password=pass - - --ldap-search-basedn=dc=cosmo,dc=io - - --ldap-search-filter=(uid=%s) - command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - name: cert - readOnly: true - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system - spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" 
- labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - - --serversTransport.insecureSkipVerify=true - - --entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - --entrypoints.web.address=:8000/tcp - - --entrypoints.websecure.address=:8443/tcp - - --api.dashboard=true - - --ping=true - - --metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - --providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/testrelease-traefik - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: testrelease-traefik - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh 
- - -c - - cp -r /plugins-local/* /local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: local-plugins - securityContext: - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - serviceAccountName: testrelease-traefik - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns - spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns - spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: 
Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: useraddon - name: cosmo-username-headers - spec: - description: Traefik middleware for user authorization. DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - 
users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - rules: - - apiGroups: - - extensions - - 
networking.k8s.io - resources: - - ingressclasses - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - traefik.io - - traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - 
- kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: testrelease-traefik-testns - subjects: - - kind: ServiceAccount - name: testrelease-traefik - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: 
v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - 
app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= - immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: + serviceAccountName: chartsnap-traefik + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c + - cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent + name: chartsnap-traefik + resources: + readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: ports: - - name: https - port: 8443 - targetPort: 8443 - selector: - 
app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - name: "metrics" + containerPort: 9100 + protocol: "TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: "TCP" + - name: "websecure" + containerPort: 8443 + protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: /plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - "--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/chartsnap-traefik" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: 
cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=9443 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - --traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: manager ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - 
app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - type: ClusterIP -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-service - namespace: testns - spec: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - containerPort: 8443 + name: https + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: 
cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=8443 + - --maxage-minutes=720 + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + - --ldap-url=ldap://example.com:389 + - --ldap-insecure-skip-verify=false + - --ldap-start-tls=false + - --ldap-binddn= + - --ldap-search-binddn=cn=admin,dc=cosmo,dc=io + - --ldap-search-password=pass + - --ldap-search-basedn=dc=cosmo,dc=io + - --ldap-search-filter=(uid=%s) + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - 
app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + volumeMounts: + - mountPath: /app/cert + name: cert + readOnly: true + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: chartsnap-traefik +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml 
+apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: chartsnap-traefik-dashboard + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + 
port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-selfsigned-issuer + namespace: cosmo-system +spec: + selfSigned: {} +--- +# Source: cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + 
name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: muser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. 
DO NOT EDIT + rawYaml: | + apiVersion: traefik.io/v1alpha1 + kind: Middleware metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system -""" + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' + spec: + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- 
admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None diff --git a/charts/cosmo/test/__snapshots__/test-dashboard-fixed-session-key.snap b/charts/cosmo/test/__snapshots__/test-dashboard-fixed-session-key.snap index ad00bb46..9092c58d 100644 --- a/charts/cosmo/test/__snapshots__/test-dashboard-fixed-session-key.snap +++ b/charts/cosmo/test/__snapshots__/test-dashboard-fixed-session-key.snap 
@@ -1,1206 +1,1256 @@ -[test-dashboard-fixed-session-key] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: hash_key + COOKIE_BLOCKKEY: block_key + COOKIE_SESSION_NAME: sess_name +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 127.0.0.1:8080 + webhook: + port: 9443 + 
leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: 
ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - create + - delete + - patch + - update + - get + - 
list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-traefik-cosmo-system +subjects: +- kind: ServiceAccount + name: chartsnap-traefik + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: 
chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + type: 
LoadBalancer + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + 
app.kubernetes.io/name: cosmo +--- +# Source: cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-user - 
failurePolicy: Fail - name: muser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: 
cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - 
livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - --maxage-minutes=720 - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) 
- - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=10 - - --timeout-seconds=5 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt - command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - name: cert - readOnly: true - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system - spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - - --serversTransport.insecureSkipVerify=true - - --entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - 
--entrypoints.web.address=:8000/tcp - - --entrypoints.websecure.address=:8443/tcp - - --api.dashboard=true - - --ping=true - - --metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - --providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/testrelease-traefik - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: testrelease-traefik - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh - - -c - - cp -r /plugins-local/* /local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: local-plugins - securityContext: - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - 
serviceAccountName: testrelease-traefik - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns - spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns - spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: useraddon - name: cosmo-username-headers - spec: - description: Traefik middleware for user authorization. 
DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - 
instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - rules: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - 
apiGroups: - - traefik.io - - traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: 
traefik-23.0.1 - name: testrelease-traefik-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: testrelease-traefik-testns - subjects: - - kind: ServiceAccount - name: testrelease-traefik - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service 
- name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: block_key - COOKIE_DOMAIN: ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: hash_key - COOKIE_SESSION_NAME: sess_name - SIGNIN_URL: 
aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= - immutable: false - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: + serviceAccountName: chartsnap-traefik + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c + - cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent + name: chartsnap-traefik + resources: + readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: ports: - - name: https - port: 8443 - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - name: "metrics" + containerPort: 9100 + protocol: "TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: 
"TCP" + - name: "websecure" + containerPort: 8443 + protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: /plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - "--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/chartsnap-traefik" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 
1 + selector: + matchLabels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=9443 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - --traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: manager ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - type: ClusterIP -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: 
cosmo-webhook-service - namespace: testns - spec: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - containerPort: 8443 + name: https + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: 
testrelease-traefik - namespace: cosmo-system + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=8443 + - --maxage-minutes=720 + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + 
volumeMounts: + - mountPath: /app/cert + name: cert + readOnly: true + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: chartsnap-traefik +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: 
chartsnap-traefik-dashboard + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-selfsigned-issuer + namespace: cosmo-system +spec: + selfSigned: {} +--- +# Source: cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + 
logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: muser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + 
clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. DO NOT EDIT + rawYaml: | + apiVersion: traefik.io/v1alpha1 + kind: Middleware metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system -""" + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' + spec: + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + 
clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None diff --git a/charts/cosmo/test/__snapshots__/test-dashboard-timeout.snap b/charts/cosmo/test/__snapshots__/test-dashboard-timeout.snap index 8ae13db0..057666f7 100644 --- a/charts/cosmo/test/__snapshots__/test-dashboard-timeout.snap +++ b/charts/cosmo/test/__snapshots__/test-dashboard-timeout.snap 
@@ -1,1206 +1,1256 @@ -[test-dashboard-timeout] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 127.0.0.1:8080 + 
webhook: + port: 9443 + leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - create + - 
delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-traefik-cosmo-system +subjects: +- kind: ServiceAccount + name: chartsnap-traefik + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: 
cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + 
app.kubernetes.io/managed-by: Helm +spec: + type: LoadBalancer + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + cosmo-workspace.github.io: dashboard 
+ app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: 
/mutate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: muser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - 
clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - image: 
ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - --maxage-minutes=90 - - --zap-log-level=info - - 
--zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=600 - - --timeout-seconds=300 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt - command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - name: cert - readOnly: true - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system - spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - - --serversTransport.insecureSkipVerify=true - 
- --entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - --entrypoints.web.address=:8000/tcp - - --entrypoints.websecure.address=:8443/tcp - - --api.dashboard=true - - --ping=true - - --metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - --providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/testrelease-traefik - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: testrelease-traefik - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh - - -c - - cp -r /plugins-local/* /local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: local-plugins - securityContext: - fsGroupChangePolicy: 
OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - serviceAccountName: testrelease-traefik - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns - spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns - spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: useraddon - name: cosmo-username-headers - spec: - description: 
Traefik middleware for user authorization. DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - 
cosmo-workspace.github.io - resources: - - instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - rules: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io - resources: - - 
ingresses/status - verbs: - - update - - apiGroups: - - traefik.io - - traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - 
app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: testrelease-traefik-testns - subjects: - - kind: ServiceAccount - name: testrelease-traefik - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || 
PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: 
ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= - immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: + serviceAccountName: chartsnap-traefik + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c + - cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent + name: chartsnap-traefik + resources: + readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: ports: - - name: https - port: 8443 - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - name: "metrics" + containerPort: 9100 + protocol: 
"TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: "TCP" + - name: "websecure" + containerPort: 8443 + protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: /plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - "--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/chartsnap-traefik" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" 
+ app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=9443 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - --traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: manager ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - type: ClusterIP -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - 
app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-service - namespace: testns - spec: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - containerPort: 8443 + name: https + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - 
app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=8443 + - --maxage-minutes=90 + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=600 + - --timeout-seconds=300 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount + - containerPort: 8443 + name: https + protocol: TCP + 
resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + volumeMounts: + - mountPath: /app/cert + name: cert + readOnly: true + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: chartsnap-traefik +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: dashboard-server-cert +--- +# Source: 
cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: chartsnap-traefik-dashboard + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-selfsigned-issuer + namespace: cosmo-system +spec: + selfSigned: {} +--- +# Source: cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: 
traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: muser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + 
operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. DO NOT EDIT + rawYaml: | + apiVersion: traefik.io/v1alpha1 + kind: Middleware metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system -""" + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' + spec: + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + 
app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None diff --git a/charts/cosmo/test/__snapshots__/test-default.snap b/charts/cosmo/test/__snapshots__/test-default.snap index 848ba3e3..91453feb 100644 --- a/charts/cosmo/test/__snapshots__/test-default.snap 
+++ b/charts/cosmo/test/__snapshots__/test-default.snap 
@@ -1,1206 +1,1256 @@ -[test-default] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 127.0.0.1:8080 + webhook: + 
port: 9443 + leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - create + - 
delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-traefik-cosmo-system +subjects: +- kind: ServiceAccount + name: chartsnap-traefik + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: 
cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + 
app.kubernetes.io/managed-by: Helm +spec: + type: LoadBalancer + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + cosmo-workspace.github.io: dashboard 
+ app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: 
/mutate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: muser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - 
clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - image: 
ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - --maxage-minutes=720 - - --zap-log-level=info - - 
--zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=10 - - --timeout-seconds=5 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt - command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - name: cert - readOnly: true - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system - spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - - --serversTransport.insecureSkipVerify=true - - 
--entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - --entrypoints.web.address=:8000/tcp - - --entrypoints.websecure.address=:8443/tcp - - --api.dashboard=true - - --ping=true - - --metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - --providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/testrelease-traefik - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: testrelease-traefik - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh - - -c - - cp -r /plugins-local/* /local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: local-plugins - securityContext: - fsGroupChangePolicy: 
OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - serviceAccountName: testrelease-traefik - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns - spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns - spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: useraddon - name: cosmo-username-headers - spec: - description: 
Traefik middleware for user authorization. DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - 
cosmo-workspace.github.io - resources: - - instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - rules: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io - resources: - - 
ingresses/status - verbs: - - update - - apiGroups: - - traefik.io - - traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - 
app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: testrelease-traefik-testns - subjects: - - kind: ServiceAccount - name: testrelease-traefik - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || 
PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: 
ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= - immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: + serviceAccountName: chartsnap-traefik + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c + - cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent + name: chartsnap-traefik + resources: + readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: ports: - - name: https - port: 8443 - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - name: "metrics" + containerPort: 9100 + protocol: 
"TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: "TCP" + - name: "websecure" + containerPort: 8443 + protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: /plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - "--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/chartsnap-traefik" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" 
+ app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=9443 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - --traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: manager ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - type: ClusterIP -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - 
app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-service - namespace: testns - spec: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - containerPort: 8443 + name: https + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - 
app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=8443 + - --maxage-minutes=720 + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount + - containerPort: 8443 + name: https + protocol: TCP + resources: 
+ limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + volumeMounts: + - mountPath: /app/cert + name: cert + readOnly: true + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: chartsnap-traefik +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: dashboard-server-cert +--- +# Source: 
cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: chartsnap-traefik-dashboard + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-selfsigned-issuer + namespace: cosmo-system +spec: + selfSigned: {} +--- +# Source: cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: 
traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: muser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + 
operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. DO NOT EDIT + rawYaml: | + apiVersion: traefik.io/v1alpha1 + kind: Middleware metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system -""" + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' + spec: + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + 
app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None diff --git a/charts/cosmo/test/__snapshots__/test-fullnameOverride.snap b/charts/cosmo/test/__snapshots__/test-fullnameOverride.snap index 91c2213f..1cb96042 100644 
--- a/charts/cosmo/test/__snapshots__/test-fullnameOverride.snap
+++ b/charts/cosmo/test/__snapshots__/test-fullnameOverride.snap
@@ -1,1206 +1,1256 @@ -[test-fullnameOverride] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: tae + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 127.0.0.1:8080 + webhook: + port: 
9443 + leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: tae-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: 
ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - create + - delete + - patch + - update + - get + - 
list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: tae-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: tae-cosmo-system +subjects: +- kind: ServiceAccount + name: tae + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo 
+ app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: tae + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + type: LoadBalancer + selector: + app.kubernetes.io/name: traefik + 
app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: 
cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tae + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: muser.kb.io - rules: - - apiGroups: - - 
cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: 
/validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 
8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - 
cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - --maxage-minutes=720 - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=10 - - --timeout-seconds=5 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt - command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - name: cert - readOnly: true - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 + serviceAccountName: tae + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c + - cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent name: tae - namespace: cosmo-system - spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - 
app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - - --serversTransport.insecureSkipVerify=true - - --entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - --entrypoints.web.address=:8000/tcp - - --entrypoints.websecure.address=:8443/tcp - - --api.dashboard=true - - --ping=true - - --metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - --providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/tae - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: tae - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - 
readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh - - -c - - cp -r /plugins-local/* /local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: local-plugins - securityContext: - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - serviceAccountName: tae - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns - spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns - spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: 
Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: useraddon - name: cosmo-username-headers - spec: - description: Traefik middleware for user authorization. DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: tae - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - 
cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - 
app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: tae-testns - rules: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - traefik.io - - traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: 
cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: tae-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: tae-testns - subjects: - - kind: ServiceAccount - name: tae - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - 
metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: tae-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - 
metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= - immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns - spec: + resources: + readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: ports: - - name: https - port: 8443 - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - name: "metrics" + containerPort: 9100 + protocol: "TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: "TCP" + - name: "websecure" + containerPort: 8443 + protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: 
/plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - "--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/tae" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: 
testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=9443 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - --traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: manager ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - type: ClusterIP -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-service - namespace: testns - spec: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: 
/tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - containerPort: 8443 + name: https + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: tae - namespace: cosmo-system + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=8443 + - --maxage-minutes=720 + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - 
--cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + volumeMounts: + - mountPath: /app/cert + name: cert + readOnly: true + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: dashboard-server-cert +--- +# Source: 
cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: tae +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: tae-dashboard + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || 
PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-selfsigned-issuer + namespace: cosmo-system +spec: + selfSigned: {} +--- +# Source: cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 
+kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: muser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE 
+ - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. DO NOT EDIT + rawYaml: | + apiVersion: traefik.io/v1alpha1 + kind: Middleware metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: tae - namespace: cosmo-system -""" + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' + spec: + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - 
UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None diff --git a/charts/cosmo/test/__snapshots__/test-localRunTest.snap b/charts/cosmo/test/__snapshots__/test-localRunTest.snap index a74a4261..99d15b29 100644 --- a/charts/cosmo/test/__snapshots__/test-localRunTest.snap +++ b/charts/cosmo/test/__snapshots__/test-localRunTest.snap 
@@ -1,1251 +1,1303 @@ -[test-localRunTest] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 127.0.0.1:8080 + 
webhook: + port: 9443 + leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - create + - 
delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-traefik-cosmo-system +subjects: +- kind: ServiceAccount + name: chartsnap-traefik + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: 
cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + 
app.kubernetes.io/managed-by: Helm +spec: + type: LoadBalancer + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + - name: cosmo-dashboard-ui-server + port: 3000 + protocol: TCP + targetPort: 3000 +--- +# Source: cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: 
Deployment +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: muser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - 
operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - 
name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: 
- - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - --maxage-minutes=720 - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=10 - 
- --timeout-seconds=5 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt - command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - name: cert - readOnly: true - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system - spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - - --serversTransport.insecureSkipVerify=true - - --entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - --entrypoints.web.address=:8000/tcp - - --entrypoints.websecure.address=:8443/tcp - - --api.dashboard=true - - --ping=true - - 
--metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - --providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/testrelease-traefik - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: testrelease-traefik - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh - - -c - - cp -r /plugins-local/* /local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: local-plugins - securityContext: - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - serviceAccountName: testrelease-traefik - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - 
name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns - spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns - spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: useraddon - name: cosmo-username-headers - spec: - description: Traefik middleware for user authorization. 
DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - 
instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - rules: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - 
apiGroups: - - traefik.io - - traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: 
traefik-23.0.1 - name: testrelease-traefik-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: testrelease-traefik-testns - subjects: - - kind: ServiceAccount - name: testrelease-traefik - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/@`,`/src`,`/manifest.json`,`/node_modules`,`/logo`)) - priority: 1002 - services: - - kind: Service 
- name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-ui-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: 
cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - kind: Endpoints - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - subsets: - - addresses: - - ip: 127.0.0.1 - ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - - name: cosmo-dashboard-ui-server - port: 3000 - protocol: TCP -- object: - apiVersion: v1 - kind: Endpoints - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-service - namespace: testns - subsets: - - addresses: - - ip: 127.0.0.1 - ports: - - port: 9443 - protocol: TCP -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= - immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: + serviceAccountName: chartsnap-traefik + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c + 
- cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent + name: chartsnap-traefik + resources: + readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: ports: - - name: https - port: 8443 - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - name: "metrics" + containerPort: 9100 + protocol: "TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: "TCP" + - name: "websecure" + containerPort: 8443 + protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: /plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - 
"--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/chartsnap-traefik" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=9443 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - 
--traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: manager ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - - name: cosmo-dashboard-ui-server - port: 3000 - protocol: TCP - targetPort: 3000 - type: ClusterIP -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-service - namespace: testns - spec: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy ports: - - port: 443 - targetPort: 9443 -- object: - apiVersion: v1 - kind: Service + - containerPort: 8443 + name: https + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + 
serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=8443 + - --maxage-minutes=720 + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: 
TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + volumeMounts: + - mountPath: /app/cert + name: cert + readOnly: true + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: chartsnap-traefik +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: 
cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: dashboard-server-cert +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Endpoints +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +subsets: +- addresses: + - ip: 127.0.0.1 + ports: + - port: 9443 + protocol: TCP +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Endpoints +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +subsets: +- addresses: + - ip: 127.0.0.1 + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + - name: cosmo-dashboard-ui-server + port: 3000 + protocol: TCP +--- +# Source: cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: chartsnap-traefik-dashboard + namespace: cosmo-system + labels: + 
app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/@`) || PathPrefix(`/src`) || PathPrefix(`/manifest.json`) || PathPrefix(`/node_modules`) || PathPrefix(`/logo`)) + priority: 1002 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-ui-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: 
cosmo-selfsigned-issuer + namespace: cosmo-system +spec: + selfSigned: {} +--- +# Source: cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: 
/mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: muser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. 
DO NOT EDIT + rawYaml: | + apiVersion: traefik.io/v1alpha1 + kind: Middleware metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system -""" + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' + spec: + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- 
admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None diff --git a/charts/cosmo/test/__snapshots__/test-logging.snap b/charts/cosmo/test/__snapshots__/test-logging.snap index 938d0599..b9500b70 100644 --- a/charts/cosmo/test/__snapshots__/test-logging.snap +++ b/charts/cosmo/test/__snapshots__/test-logging.snap 
@@ -1,1208 +1,1258 @@ -[test-logging] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 127.0.0.1:8080 + webhook: + 
port: 9443 + leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - create + - 
delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-traefik-cosmo-system +subjects: +- kind: ServiceAccount + name: chartsnap-traefik + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: 
cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + 
app.kubernetes.io/managed-by: Helm +spec: + type: LoadBalancer + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + cosmo-workspace.github.io: dashboard 
+ app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: 
/mutate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: muser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - 
clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --zap-log-level=debug - - --zap-time-encoding=iso8601 - - --zap-devel=true - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - image: 
ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - --maxage-minutes=720 - - --zap-log-level=debug - - 
--zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --zap-devel=true - - --graceful-shutdown-seconds=10 - - --timeout-seconds=5 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt - command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - name: cert - readOnly: true - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system - spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - - 
--serversTransport.insecureSkipVerify=true - - --entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - --entrypoints.web.address=:8000/tcp - - --entrypoints.websecure.address=:8443/tcp - - --api.dashboard=true - - --ping=true - - --metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - --providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/testrelease-traefik - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: testrelease-traefik - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh - - -c - - cp -r /plugins-local/* /local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: 
local-plugins - securityContext: - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - serviceAccountName: testrelease-traefik - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns - spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns - spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: 
useraddon - name: cosmo-username-headers - spec: - description: Traefik middleware for user authorization. DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - 
update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - rules: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - 
extensions - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - traefik.io - - traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - 
app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: testrelease-traefik-testns - subjects: - - kind: ServiceAccount - name: testrelease-traefik - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || 
PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: 
ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= - immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: + serviceAccountName: chartsnap-traefik + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c + - cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent + name: chartsnap-traefik + resources: + readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: ports: - - name: https - port: 8443 - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - name: "metrics" + containerPort: 9100 + protocol: 
"TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: "TCP" + - name: "websecure" + containerPort: 8443 + protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: /plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - "--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/chartsnap-traefik" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" 
+ app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=9443 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --zap-log-level=debug + - --zap-time-encoding=iso8601 + - --zap-devel=true + - --traefik-entrypoints=web,websecure + - --traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: manager ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - type: ClusterIP -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - 
app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-service - namespace: testns - spec: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - containerPort: 8443 + name: https + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: null - labels: - 
app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=8443 + - --maxage-minutes=720 + - --zap-log-level=debug + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --zap-devel=true + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: v1 - kind: 
ServiceAccount + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + volumeMounts: + - mountPath: /app/cert + name: cert + readOnly: true + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: chartsnap-traefik +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + 
secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: chartsnap-traefik-dashboard + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-selfsigned-issuer + namespace: cosmo-system +spec: + selfSigned: {} +--- +# Source: 
cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: muser.kb.io + rules: + - apiGroups: + - 
cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. DO NOT EDIT + rawYaml: | + apiVersion: traefik.io/v1alpha1 + kind: Middleware metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system -""" + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' + spec: + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + 
app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None diff --git a/charts/cosmo/test/__snapshots__/test-nameOverride.snap b/charts/cosmo/test/__snapshots__/test-nameOverride.snap index ff6b270e..4035c938 100644 
--- a/charts/cosmo/test/__snapshots__/test-nameOverride.snap +++ b/charts/cosmo/test/__snapshots__/test-nameOverride.snap 
@@ -1,1206 +1,1256 @@ -[test-nameOverride] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: chartsnap-tae + namespace: cosmo-system + labels: + app.kubernetes.io/name: tae + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 127.0.0.1:8080 + webhook: + 
port: 9443 + leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-tae-cosmo-system + labels: + app.kubernetes.io/name: tae + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 
+kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - create + - delete + - patch + - update + - 
get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-tae-cosmo-system + labels: + app.kubernetes.io/name: tae + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-tae-cosmo-system +subjects: +- kind: ServiceAccount + name: chartsnap-tae + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: 
chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-tae + namespace: cosmo-system + labels: + app.kubernetes.io/name: tae + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + type: LoadBalancer + 
selector: + app.kubernetes.io/name: tae + app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: 
cosmo +--- +# Source: cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-tae + namespace: cosmo-system + labels: + app.kubernetes.io/name: tae + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: tae + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: muser.kb.io - rules: 
- - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: 
/validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 
8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - --maxage-minutes=720 - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - 
--cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=10 - - --timeout-seconds=5 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt - command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - name: cert - readOnly: true - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: tae - helm.sh/chart: traefik-23.0.1 - name: testrelease-tae - namespace: cosmo-system - spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: tae - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: tae - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - - --serversTransport.insecureSkipVerify=true - - --entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - --entrypoints.web.address=:8000/tcp - - 
--entrypoints.websecure.address=:8443/tcp - - --api.dashboard=true - - --ping=true - - --metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - --providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/testrelease-tae - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: testrelease-tae - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh - - -c - - cp -r /plugins-local/* /local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: local-plugins - securityContext: - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - serviceAccountName: testrelease-tae - 
terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns - spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns - spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: useraddon - name: cosmo-username-headers - spec: - description: Traefik middleware for user authorization. 
DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: tae - helm.sh/chart: traefik-23.0.1 - name: testrelease-tae - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances/status - 
verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: tae - helm.sh/chart: traefik-23.0.1 - name: testrelease-tae-testns - rules: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - traefik.io - - 
traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: tae - helm.sh/chart: traefik-23.0.1 - name: 
testrelease-tae-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: testrelease-tae-testns - subjects: - - kind: ServiceAccount - name: testrelease-tae - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service - name: cosmo-dashboard - 
namespace: testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: tae - helm.sh/chart: traefik-23.0.1 - name: testrelease-tae-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: 
aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= - immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: tae + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: + serviceAccountName: chartsnap-tae + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c + - cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent + name: chartsnap-tae + resources: + readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: ports: - - name: https - port: 8443 - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - name: "metrics" + containerPort: 9100 + protocol: "TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: "TCP" + - 
name: "websecure" + containerPort: 8443 + protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: /plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - "--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/chartsnap-tae" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 1 + selector: 
+ matchLabels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=9443 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - --traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: manager ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - type: ClusterIP -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-service - 
namespace: testns - spec: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - containerPort: 8443 + name: https + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: tae - helm.sh/chart: traefik-23.0.1 - name: testrelease-tae - namespace: 
cosmo-system + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=8443 + - --maxage-minutes=720 + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: tae - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + volumeMounts: + - mountPath: /app/cert + 
name: cert + readOnly: true + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: tae + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: chartsnap-tae +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: chartsnap-tae-dashboard + namespace: cosmo-system + 
labels: + app.kubernetes.io/name: tae + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-selfsigned-issuer + namespace: cosmo-system +spec: + selfSigned: {} +--- +# Source: cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + 
cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: muser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: 
cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. DO NOT EDIT + rawYaml: | + apiVersion: traefik.io/v1alpha1 + kind: Middleware metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: tae - helm.sh/chart: traefik-23.0.1 - name: testrelease-tae - namespace: cosmo-system -""" + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' + spec: + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: 
cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None diff --git a/charts/cosmo/test/__snapshots__/test-podAnnotations-podLabels.snap b/charts/cosmo/test/__snapshots__/test-podAnnotations-podLabels.snap index 92145e7d..89bd1a71 100644 --- a/charts/cosmo/test/__snapshots__/test-podAnnotations-podLabels.snap +++ b/charts/cosmo/test/__snapshots__/test-podAnnotations-podLabels.snap 
@@ -1,1212 +1,1262 @@ -[test-podAnnotations-podLabels] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 
127.0.0.1:8080 + webhook: + port: 9443 + leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml 
+apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - 
create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-traefik-cosmo-system +subjects: +- kind: ServiceAccount + name: chartsnap-traefik + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + 
helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + 
app.kubernetes.io/managed-by: Helm +spec: + type: LoadBalancer + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + cosmo-workspace.github.io: dashboard 
+ app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: 
/mutate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: muser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - 
clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - annotations: - test-ann: hello - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - test-label: world - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager 
- image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - annotations: - test-ann: hello - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - test-label: world - spec: - containers: - - args: - - --port=8443 - - 
--maxage-minutes=720 - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=10 - - --timeout-seconds=5 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt - command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - name: cert - readOnly: true - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system - spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - 
- --serversTransport.insecureSkipVerify=true - - --entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - --entrypoints.web.address=:8000/tcp - - --entrypoints.websecure.address=:8443/tcp - - --api.dashboard=true - - --ping=true - - --metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - --providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/testrelease-traefik - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: testrelease-traefik - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh - - -c - - cp -r /plugins-local/* /local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: 
local-plugins - securityContext: - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - serviceAccountName: testrelease-traefik - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns - spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns - spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: 
useraddon - name: cosmo-username-headers - spec: - description: Traefik middleware for user authorization. DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - 
update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - rules: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - 
extensions - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - traefik.io - - traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - 
app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: testrelease-traefik-testns - subjects: - - kind: ServiceAccount - name: testrelease-traefik - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || 
PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: 
ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= - immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: + serviceAccountName: chartsnap-traefik + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c + - cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent + name: chartsnap-traefik + resources: + readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: ports: - - name: https - port: 8443 - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - name: "metrics" + containerPort: 9100 + protocol: 
"TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: "TCP" + - name: "websecure" + containerPort: 8443 + protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: /plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - "--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/chartsnap-traefik" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" 
+ app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + test-label: world + annotations: + test-ann: hello spec: + containers: + - args: + - --port=9443 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - --traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: manager ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - type: ClusterIP -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - 
app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-service - namespace: testns - spec: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - containerPort: 8443 + name: https + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - 
annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + test-label: world + annotations: + test-ann: hello spec: + containers: + - args: + - --port=8443 + - --maxage-minutes=720 + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - 
namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + volumeMounts: + - mountPath: /app/cert + name: cert + readOnly: true + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: chartsnap-traefik +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + 
issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: chartsnap-traefik-dashboard + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-selfsigned-issuer + namespace: 
cosmo-system +spec: + selfSigned: {} +--- +# Source: cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: 
Fail + name: muser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. 
DO NOT EDIT + rawYaml: | + apiVersion: traefik.io/v1alpha1 + kind: Middleware metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system -""" + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' + spec: + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- 
admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None diff --git a/charts/cosmo/test/__snapshots__/test-traefik-diabled.snap b/charts/cosmo/test/__snapshots__/test-traefik-diabled.snap index fb8f3791..e48e4ee2 100644 --- a/charts/cosmo/test/__snapshots__/test-traefik-diabled.snap +++ b/charts/cosmo/test/__snapshots__/test-traefik-diabled.snap 
@@ -1,923 +1,952 @@ -[test-traefik-diabled] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 127.0.0.1:8080 + webhook: + port: 9443 + leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: 
cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: 
+ - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: 
ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + 
app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: 
controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: muser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - 
- v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: 
Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=traefik - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: 
true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - --maxage-minutes=720 - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=10 - - --timeout-seconds=5 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt - command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - 
containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - name: cert - readOnly: true - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate + containers: + - args: + - --port=9443 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - --traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=traefik + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: 
manager + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: https + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - 
cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 + containers: + - args: + - --port=8443 + - --maxage-minutes=720 + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env + ports: + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + volumeMounts: + - mountPath: /app/cert + name: cert + readOnly: true + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: dashboard-server-cert +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - 
app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: useraddon - name: cosmo-username-headers - spec: - description: Traefik middleware for user authorization. DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances 
- - clustertemplates - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns 
-- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - 
namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: dashboard-server-cert +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: 
cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-selfsigned-issuer + namespace: cosmo-system +spec: + selfSigned: {} +--- +# Source: cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration 
+webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: muser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + 
cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. DO NOT EDIT + rawYaml: | apiVersion: traefik.io/v1alpha1 kind: Middleware metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= - immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' spec: - ports: - - name: https - port: 8443 - 
targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service - metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - type: ClusterIP -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-service - namespace: testns - spec: - ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns -""" + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: 
cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + 
rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None diff --git a/charts/cosmo/test/__snapshots__/test-use-existing-serviceaccount.snap b/charts/cosmo/test/__snapshots__/test-use-existing-serviceaccount.snap index 9a32d45c..a35f45f2 100644 --- a/charts/cosmo/test/__snapshots__/test-use-existing-serviceaccount.snap +++ b/charts/cosmo/test/__snapshots__/test-use-existing-serviceaccount.snap 
@@ -1,1182 +1,1230 @@ -[test-use-existing-serviceaccount] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 127.0.0.1:8080 + webhook: + port: 9443 + leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + 
app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- 
apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-traefik-cosmo-system +subjects: +- kind: ServiceAccount + name: chartsnap-traefik + 
namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: test + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: test + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + 
namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: test + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + type: LoadBalancer + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8443 + selector: + 
cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - 
app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: muser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - 
metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: 
None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - 
imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: test - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - --maxage-minutes=720 - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=10 - - --timeout-seconds=5 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt - command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - 
name: cert - readOnly: true - securityContext: {} - serviceAccountName: test - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system - spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - - --serversTransport.insecureSkipVerify=true - - --entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - --entrypoints.web.address=:8000/tcp - - --entrypoints.websecure.address=:8443/tcp - - --api.dashboard=true - - --ping=true - - --metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - --providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/testrelease-traefik - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - 
scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: testrelease-traefik - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh - - -c - - cp -r /plugins-local/* /local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: local-plugins - securityContext: - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - serviceAccountName: testrelease-traefik - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns - spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 
- kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns - spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: useraddon - name: cosmo-username-headers - spec: - description: Traefik middleware for user authorization. 
DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - 
instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - rules: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - 
apiGroups: - - traefik.io - - traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: test - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: test - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: 
testrelease-traefik-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: testrelease-traefik-testns - subjects: - - kind: ServiceAccount - name: testrelease-traefik - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: test - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service - name: cosmo-dashboard - namespace: 
testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: 
aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= - immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: + serviceAccountName: chartsnap-traefik + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c + - cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent + name: chartsnap-traefik + resources: + readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: ports: - - name: https - port: 8443 - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - name: "metrics" + containerPort: 9100 + protocol: "TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: 
"TCP" + - name: "websecure" + containerPort: 8443 + protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: /plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - "--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/chartsnap-traefik" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 
1 + selector: + matchLabels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=9443 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - --traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: manager ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - type: ClusterIP -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: 
cosmo-webhook-service - namespace: testns - spec: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - containerPort: 8443 + name: https + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + serviceAccountName: test + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - 
namespace: cosmo-system + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=8443 + - --maxage-minutes=720 + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + volumeMounts: + - mountPath: /app/cert + name: cert + readOnly: true + securityContext: {} + serviceAccountName: test + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: 
chartsnap-traefik +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: chartsnap-traefik-dashboard + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + 
app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-selfsigned-issuer + namespace: cosmo-system +spec: + selfSigned: {} +--- +# Source: cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + 
app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: muser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + 
useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. DO NOT EDIT + rawYaml: | + apiVersion: traefik.io/v1alpha1 + kind: Middleware metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system -""" + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' + spec: + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: 
/validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None diff --git a/charts/cosmo/values.yaml b/charts/cosmo/values.yaml index bf6e3195..6224eb16 100644 --- a/charts/cosmo/values.yaml +++ b/charts/cosmo/values.yaml @@ -251,9 +251,11 @@ traefik: namespaceOverride: cosmo-system # Enable plugins - experimental: - plugins: - enabled: true + # local plugin is not supported by this options on 28.0.0 + # so add configs manually via additionalVolumes, additionalVolumeMounts and additionalArguments + # experimental: + # plugins: + # enabled: true deployment: # Installing local plugins by init containers @@ -269,10 +271,14 @@ traefik: additionalVolumes: - name: local-plugins emptyDir: {} + - name: plugins + emptyDir: {} additionalVolumeMounts: - name: local-plugins mountPath: /plugins-local + - name: plugins + mountPath: "/plugins-storage" # Load cosmo-auth plugin additionalArguments: 
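Review bot: The new `plugins` volume in the second values.yaml hunk is an unbounded `emptyDir: {}` with no comment saying what writes to `/plugins-storage`, and its `mountPath` is quoted while the neighbouring `mountPath: /plugins-local` is not. I would add a line such as `# writable plugin storage used by Traefik at start-up` above it, drop the quotes for consistency, and consider a cap such as `emptyDir: { sizeLimit: 64Mi }` (the size is an example value, not taken from the chart). In the first hunk the comment "local plugin is not supported by this options on 28.0.0" does not say what 28.0.0 refers to. Something like `# traefik chart 28.0.0: experimental.plugins does not cover local plugins, so they are wired up below via additionalVolumes, additionalVolumeMounts and additionalArguments` would read more clearly. The `traefik:` mapping continues past both hunks, so the `additionalArguments` that load the plugin are not visible here.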
diff --git a/cmd/controller-manager/main.go b/cmd/controller-manager/main.go index e827ba87..9c36e85a 100644 --- a/cmd/controller-manager/main.go +++ b/cmd/controller-manager/main.go @@ -15,8 +15,11 @@ import ( ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/healthz" "sigs.k8s.io/controller-runtime/pkg/log/zap" + "sigs.k8s.io/controller-runtime/pkg/metrics/server" + "sigs.k8s.io/controller-runtime/pkg/webhook" + "sigs.k8s.io/controller-runtime/pkg/webhook/admission" - traefikv1 "github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/traefikio/v1alpha1" + traefikv1 "github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/traefikio/v1alpha1" "github.com/cosmo-workspace/cosmo/internal/controllers" "github.com/cosmo-workspace/cosmo/internal/webhooks" @@ -86,13 +89,17 @@ MIT 2023 cosmo-workspace/cosmo printOptions() mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ - Scheme: scheme, - MetricsBindAddress: o.MetricsAddr, - Port: o.Port, + Scheme: scheme, + Metrics: server.Options{ + BindAddress: o.MetricsAddr, + }, HealthProbeBindAddress: o.ProbeAddr, LeaderElection: o.EnableLeaderElection, LeaderElectionID: "04c57811.cosmo-workspace", - CertDir: o.CertDir, + WebhookServer: webhook.NewServer(webhook.Options{ + Port: o.Port, + CertDir: o.CertDir, + }), }) if err != nil { setupLog.Error(err, "unable to start manager") 
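Review bot: The bare `server` import added in the first hunk makes `Metrics: server.Options{...}` in the NewManager hunk hard to read next to `webhook.Options`. An alias says which server is meant: `metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"` and `Metrics: metricsserver.Options{BindAddress: o.MetricsAddr},`. Since the rendered manifests in this commit still place kube-rbac-proxy in front of `http://127.0.0.1:8080/`, it is worth confirming that the default of `o.MetricsAddr` keeps the metrics listener on loopback. That default is defined outside this hunk, and the function around the NewManager call starts and ends outside it as well.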
@@ -162,31 +169,37 @@ MIT 2023 cosmo-workspace/cosmo // Webhook (&webhooks.InstanceMutationWebhookHandler{ - Client: mgr.GetClient(), - Log: clog.NewLogger(ctrl.Log.WithName("InstanceMutationWebhook")), + Client: mgr.GetClient(), + Log: clog.NewLogger(ctrl.Log.WithName("InstanceMutationWebhook")), + Decoder: admission.NewDecoder(mgr.GetScheme()), }).SetupWebhookWithManager(mgr) (&webhooks.InstanceValidationWebhookHandler{ Client: mgr.GetClient(), Log: clog.NewLogger(ctrl.Log.WithName("InstanceValidationWebhook")), + Decoder: admission.NewDecoder(mgr.GetScheme()), FieldManager: controllerFieldManager, }).SetupWebhookWithManager(mgr) (&webhooks.WorkspaceMutationWebhookHandler{ - Client: mgr.GetClient(), - Log: clog.NewLogger(ctrl.Log.WithName("WorkspaceMutationWebhook")), + Client: mgr.GetClient(), + Log: clog.NewLogger(ctrl.Log.WithName("WorkspaceMutationWebhook")), + Decoder: admission.NewDecoder(mgr.GetScheme()), }).SetupWebhookWithManager(mgr) (&webhooks.WorkspaceValidationWebhookHandler{ - Client: mgr.GetClient(), - Log: clog.NewLogger(ctrl.Log.WithName("WorkspaceValidationWebhook")), + Client: mgr.GetClient(), + Log: clog.NewLogger(ctrl.Log.WithName("WorkspaceValidationWebhook")), + Decoder: admission.NewDecoder(mgr.GetScheme()), }).SetupWebhookWithManager(mgr) (&webhooks.UserMutationWebhookHandler{ - Client: mgr.GetClient(), - Log: clog.NewLogger(ctrl.Log.WithName("UserMutationWebhook")), + Client: mgr.GetClient(), + Log: clog.NewLogger(ctrl.Log.WithName("UserMutationWebhook")), + Decoder: admission.NewDecoder(mgr.GetScheme()), }).SetupWebhookWithManager(mgr) (&webhooks.UserValidationWebhookHandler{ - Client: mgr.GetClient(), - Log: clog.NewLogger(ctrl.Log.WithName("UserValidationWebhook")), + Client: mgr.GetClient(), + Log: clog.NewLogger(ctrl.Log.WithName("UserValidationWebhook")), + Decoder: admission.NewDecoder(mgr.GetScheme()), }).SetupWebhookWithManager(mgr) ctx := ctrl.SetupSignalHandler() 
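Review bot: The call `admission.NewDecoder(mgr.GetScheme())` is repeated in all six handler literals. Building it once above the block with `decoder := admission.NewDecoder(mgr.GetScheme())` and passing `Decoder: decoder,` makes a handler added later without a decoder easier to spot, assuming the decoder holds no per-handler state. A handler left with a nil Decoder would presumably fail only when its first admission request arrives, and the webhook configurations rendered in this commit use `failurePolicy: Fail`, so writes to that resource would then be rejected. The result of `SetupWebhookWithManager`, if it returns one, is not checked in these statements; its signature and the enclosing function are outside the hunk.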
diff --git a/config/crd/bases/cosmo-workspace.github.io_clusterinstances.yaml b/config/crd/bases/cosmo-workspace.github.io_clusterinstances.yaml index 97e5a574..cb617ffb 100644 --- a/config/crd/bases/cosmo-workspace.github.io_clusterinstances.yaml +++ b/config/crd/bases/cosmo-workspace.github.io_clusterinstances.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: clusterinstances.cosmo-workspace.github.io spec: group: cosmo-workspace.github.io 
@@ -29,14 +29,19 @@ spec: description: ClusterInstance is the Schema for the instances API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -63,35 +68,40 @@ spec: format: date-time type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a - valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container - that triggered the event) or if no container name - is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to - have some well-defined way of referencing a part of - an object. TODO: this design is not final and this - field is subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this - reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic 
@@ -130,33 +140,40 @@ spec: format: date-time type: string fieldPath: - description: 'If referring to a piece of an object instead of - an entire object, this string should contain a valid JSON/Go - field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part of - an object. TODO: this design is not final and this field is - subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic diff --git a/config/crd/bases/cosmo-workspace.github.io_clustertemplates.yaml b/config/crd/bases/cosmo-workspace.github.io_clustertemplates.yaml index 201282d3..3b4f2614 100644 --- a/config/crd/bases/cosmo-workspace.github.io_clustertemplates.yaml +++ b/config/crd/bases/cosmo-workspace.github.io_clustertemplates.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: clustertemplates.cosmo-workspace.github.io spec: group: cosmo-workspace.github.io 
@@ -26,14 +26,19 @@ spec: description: ClusterTemplate is the Schema for the Templates API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object diff --git a/config/crd/bases/cosmo-workspace.github.io_instances.yaml b/config/crd/bases/cosmo-workspace.github.io_instances.yaml index 1474edcb..ace8fe1b 100644 --- a/config/crd/bases/cosmo-workspace.github.io_instances.yaml +++ b/config/crd/bases/cosmo-workspace.github.io_instances.yaml 
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: instances.cosmo-workspace.github.io spec: group: cosmo-workspace.github.io @@ -29,14 +29,19 @@ spec: description: Instance is the Schema for the instances API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -63,35 +68,40 @@ spec: format: date-time type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a - valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container - that triggered the event) or if no container name - is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to - have some well-defined way of referencing a part of - an object. TODO: this design is not final and this - field is subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this - reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic 
@@ -130,33 +140,40 @@ spec: format: date-time type: string fieldPath: - description: 'If referring to a piece of an object instead of - an entire object, this string should contain a valid JSON/Go - field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part of - an object. TODO: this design is not final and this field is - subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic diff --git a/config/crd/bases/cosmo-workspace.github.io_templates.yaml b/config/crd/bases/cosmo-workspace.github.io_templates.yaml index 3030efd3..d639d211 100644 --- a/config/crd/bases/cosmo-workspace.github.io_templates.yaml +++ b/config/crd/bases/cosmo-workspace.github.io_templates.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: templates.cosmo-workspace.github.io spec: group: cosmo-workspace.github.io 
@@ -26,14 +26,19 @@ spec: description: Template is the Schema for the Templates API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object diff --git a/config/crd/bases/cosmo-workspace.github.io_users.yaml b/config/crd/bases/cosmo-workspace.github.io_users.yaml index e560de31..552983ba 100644 --- a/config/crd/bases/cosmo-workspace.github.io_users.yaml +++ b/config/crd/bases/cosmo-workspace.github.io_users.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: users.cosmo-workspace.github.io spec: group: cosmo-workspace.github.io 
@@ -36,14 +36,19 @@ spec: description: User is the Schema for the workspaces API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -98,33 +103,40 @@ spec: format: date-time type: string fieldPath: - description: 'If referring to a piece of an object instead of - an entire object, this string should contain a valid JSON/Go - field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part of - an object. TODO: this design is not final and this field is - subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic 
@@ -140,33 +152,40 @@ spec: format: date-time type: string fieldPath: - description: 'If referring to a piece of an object instead of - an entire object, this string should contain a valid JSON/Go - field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part of - an object. TODO: this design is not final and this field is - subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic diff --git a/config/crd/bases/cosmo-workspace.github.io_workspaces.yaml b/config/crd/bases/cosmo-workspace.github.io_workspaces.yaml index c938d789..fed0aa5e 100644 --- a/config/crd/bases/cosmo-workspace.github.io_workspaces.yaml +++ b/config/crd/bases/cosmo-workspace.github.io_workspaces.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: workspaces.cosmo-workspace.github.io spec: group: cosmo-workspace.github.io 
@@ -29,14 +29,19 @@ spec: description: Workspace is the Schema for the workspaces API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -110,33 +115,40 @@ spec: format: date-time type: string fieldPath: - description: 'If referring to a piece of an object instead of - an entire object, this string should contain a valid JSON/Go - field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part of - an object. TODO: this design is not final and this field is - subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic diff --git a/dockerfile/controller-manager.Dockerfile b/dockerfile/controller-manager.Dockerfile index 23abef15..58802e2f 100644 --- a/dockerfile/controller-manager.Dockerfile +++ b/dockerfile/controller-manager.Dockerfile @@ -1,5 +1,5 @@ # Build the manager binary -FROM golang:1.20 as builder +FROM golang:1.22 as builder ENV GO111MODULE=on diff --git a/dockerfile/dashboard.Dockerfile b/dockerfile/dashboard.Dockerfile index 5be75e22..63643e70 100644 --- a/dockerfile/dashboard.Dockerfile +++ b/dockerfile/dashboard.Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.20 as base +FROM golang:1.22 as base ENV GO111MODULE=on diff --git a/dockerfile/traefik-plugins.Dockerfile b/dockerfile/traefik-plugins.Dockerfile index 8a2bf5b6..0da0a0f7 100644 --- a/dockerfile/traefik-plugins.Dockerfile 
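Review bot: The new `FROM golang:1.22 as builder` line in controller-manager.Dockerfile still names the builder image by a floating minor tag, so the compiler that produces the manager binary changes whenever that tag is re-pushed and is not tied to the `toolchain go1.22.3` line this commit adds to go.mod. Pinning the patch release and the image digest makes the build reproducible and auditable, for example `FROM golang:1.22.3@sha256:<digest-of-reviewed-image> AS builder`. The same applies to `FROM golang:1.22 as base` in dashboard.Dockerfile and `FROM golang:1.22` in traefik-plugins.Dockerfile. The rest of each Dockerfile is outside the hunk, so whether the final stage ships this image or only copies the binary out of it is not visible here.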
+++ b/dockerfile/traefik-plugins.Dockerfile @@ -1,5 +1,5 @@ ### see https://traefik.io/blog/using-private-plugins-in-traefik-proxy-2-5/ -FROM golang:1.20 +FROM golang:1.22 WORKDIR /cosmo diff --git a/go.mod b/go.mod index 4e420eea..80fdd447 100644 --- a/go.mod +++ b/go.mod 
@@ -1,76 +1,84 @@ module github.com/cosmo-workspace/cosmo -go 1.20 +go 1.22.0 + +toolchain go1.22.3 require ( - github.com/bufbuild/connect-go v1.7.0 - github.com/envoyproxy/protoc-gen-validate v1.0.1 - github.com/evanphx/json-patch/v5 v5.6.0 - github.com/gkampitakis/go-snaps v0.4.3 - github.com/go-ldap/ldap/v3 v3.4.4 - github.com/go-logr/logr v1.2.4 - github.com/go-webauthn/webauthn v0.8.6 - github.com/google/go-cmp v0.5.9 - github.com/google/uuid v1.3.0 - github.com/gorilla/securecookie v1.1.1 - github.com/gorilla/sessions v1.2.1 - github.com/mattn/go-isatty v0.0.18 - github.com/onsi/ginkgo/v2 v2.9.5 - github.com/onsi/gomega v1.27.7 - github.com/pelletier/go-toml/v2 v2.0.7 - github.com/sethvargo/go-password v0.2.0 - github.com/spf13/afero v1.9.5 - github.com/spf13/cobra v1.7.0 - github.com/traefik/traefik/v2 v2.10.1 - go.uber.org/zap v1.24.0 - golang.org/x/crypto v0.11.0 - google.golang.org/protobuf v1.30.0 - k8s.io/api v0.26.3 - k8s.io/apimachinery v0.26.3 - k8s.io/cli-runtime v0.26.3 - k8s.io/client-go v0.26.3 - k8s.io/klog/v2 v2.100.1 - k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 - sigs.k8s.io/controller-runtime v0.14.6 - sigs.k8s.io/kustomize/api v0.12.1 - sigs.k8s.io/yaml v1.3.0 + github.com/bufbuild/connect-go v1.10.0 + github.com/envoyproxy/protoc-gen-validate v1.0.4 + github.com/evanphx/json-patch/v5 v5.9.0 + github.com/gkampitakis/go-snaps v0.5.4 + github.com/go-ldap/ldap/v3 v3.4.8 + github.com/go-logr/logr v1.4.1 + github.com/go-webauthn/webauthn v0.10.2 + github.com/google/go-cmp v0.6.0 + github.com/google/uuid v1.6.0 + github.com/gorilla/securecookie v1.1.2 + github.com/gorilla/sessions v1.2.2 + github.com/mattn/go-isatty v0.0.20 + github.com/onsi/ginkgo/v2 v2.17.3 + github.com/onsi/gomega v1.33.1 + github.com/pelletier/go-toml/v2 v2.2.2 + github.com/sethvargo/go-password v0.3.0 + github.com/spf13/afero v1.11.0 + github.com/spf13/cobra v1.8.0 + github.com/traefik/traefik/v3 v3.0.0 + go.uber.org/zap v1.27.0 + golang.org/x/crypto v0.23.0 + 
google.golang.org/protobuf v1.34.1 + k8s.io/api v0.30.0 + k8s.io/apimachinery v0.30.0 + k8s.io/cli-runtime v0.30.0 + k8s.io/client-go v0.30.0 + k8s.io/klog/v2 v2.120.1 + k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 + sigs.k8s.io/controller-runtime v0.18.2 + sigs.k8s.io/kustomize/api v0.17.1 + sigs.k8s.io/yaml v1.4.0 ) require ( - github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e // indirect + github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect + github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect + github.com/aws/aws-sdk-go v1.44.327 // indirect github.com/beorn7/perks v1.0.1 // indirect - github.com/cenkalti/backoff/v4 v4.2.0 // indirect - github.com/cespare/xxhash/v2 v2.2.0 // indirect - github.com/davecgh/go-spew v1.1.1 // indirect - github.com/emicklei/go-restful/v3 v3.9.0 // indirect - github.com/evanphx/json-patch v4.12.0+incompatible // indirect - github.com/fsnotify/fsnotify v1.6.0 // indirect - github.com/fxamacker/cbor/v2 v2.4.0 // indirect - github.com/gkampitakis/ciinfo v0.2.4 // indirect + github.com/blang/semver/v4 v4.0.0 // indirect + github.com/cenkalti/backoff/v4 v4.3.0 // indirect + github.com/cespare/xxhash/v2 v2.3.0 // indirect + github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect + github.com/emicklei/go-restful/v3 v3.12.0 // indirect + github.com/evanphx/json-patch v5.9.0+incompatible // indirect + github.com/fsnotify/fsnotify v1.7.0 // indirect + github.com/fxamacker/cbor/v2 v2.6.0 // indirect + github.com/gkampitakis/ciinfo v0.3.0 // indirect github.com/gkampitakis/go-diff v1.3.2 // indirect - github.com/go-acme/lego/v4 v4.10.2 // indirect - github.com/go-asn1-ber/asn1-ber v1.5.4 // indirect - github.com/go-errors/errors v1.0.1 // indirect - github.com/go-jose/go-jose/v3 v3.0.0 // indirect - github.com/go-logr/zapr v1.2.3 // indirect - github.com/go-openapi/jsonpointer v0.19.5 // indirect - github.com/go-openapi/jsonreference v0.20.0 // indirect - 
github.com/go-openapi/swag v0.19.14 // indirect - github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect - github.com/go-webauthn/x v0.1.4 // indirect + github.com/go-acme/lego/v4 v4.16.1 // indirect + github.com/go-asn1-ber/asn1-ber v1.5.7 // indirect + github.com/go-errors/errors v1.5.1 // indirect + github.com/go-jose/go-jose/v4 v4.0.1 // indirect + github.com/go-kit/kit v0.10.1-0.20200915143503-439c4d2ed3ea // indirect + github.com/go-logfmt/logfmt v0.5.1 // indirect + github.com/go-logr/zapr v1.3.0 // indirect + github.com/go-openapi/jsonpointer v0.21.0 // indirect + github.com/go-openapi/jsonreference v0.21.0 // indirect + github.com/go-openapi/swag v0.23.0 // indirect + github.com/go-task/slim-sprig/v3 v3.0.0 // indirect + github.com/go-webauthn/x v0.1.9 // indirect github.com/gogo/protobuf v1.3.2 // indirect - github.com/golang-jwt/jwt/v5 v5.0.0 // indirect + github.com/golang-jwt/jwt/v5 v5.2.1 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect - github.com/golang/protobuf v1.5.3 // indirect - github.com/google/btree v1.0.1 // indirect - github.com/google/gnostic v0.5.7-v3refs // indirect + github.com/golang/protobuf v1.5.4 // indirect + github.com/google/btree v1.1.2 // indirect + github.com/google/gnostic-models v0.6.8 // indirect github.com/google/go-tpm v0.9.0 // indirect github.com/google/gofuzz v1.2.0 // indirect - github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22 // indirect + github.com/google/pprof v0.0.0-20240507183855-6f11f98ebb1c // indirect github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect - github.com/gorilla/mux v1.8.0 // indirect - github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect - github.com/imdario/mergo v0.3.12 // indirect + github.com/gorilla/mux v1.8.1 // indirect + github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect + github.com/http-wasm/http-wasm-host-go v0.6.0 // indirect + 
github.com/imdario/mergo v0.3.16 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect @@ -78,9 +86,11 @@ require ( github.com/kr/text v0.2.0 // indirect github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect github.com/mailru/easyjson v0.7.7 // indirect - github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect - github.com/miekg/dns v1.1.50 // indirect + github.com/maruel/natural v1.1.1 // indirect + github.com/mattn/go-colorable v0.1.13 // indirect + github.com/miekg/dns v1.1.59 // indirect github.com/mitchellh/mapstructure v1.5.0 // indirect + github.com/moby/term v0.5.0 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect 
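Review bot: The first go.mod hunk does more than raise versions: alongside the move from `github.com/traefik/traefik/v2` to `github.com/traefik/traefik/v3 v3.0.0`, it adds indirect requirements that were not in the module graph before. Among them are `github.com/aws/aws-sdk-go v1.44.327`, `github.com/http-wasm/http-wasm-host-go v0.6.0` and the untagged `github.com/go-kit/kit v0.10.1-0.20200915143503-439c4d2ed3ea`. Which direct dependency pulls each of them in cannot be read from the diff (traefik/v3 is a likely source, to be confirmed with `go mod why -m <module>`), and nothing here records that the new modules were reviewed. Once confirmed, I would note the reason next to the direct requirement, for example `// traefik/v3: needed for <packages used>; brings in aws-sdk-go, go-kit/kit and http-wasm-host-go indirectly`, and run `govulncheck ./...` on the resulting graph before merging.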
@@ -88,40 +98,40 @@ require ( github.com/patrickmn/go-cache v2.1.0+incompatible // indirect github.com/peterbourgon/diskv v2.0.1+incompatible // indirect github.com/pkg/errors v0.9.1 // indirect - github.com/prometheus/client_golang v1.15.1 // indirect - github.com/prometheus/client_model v0.3.0 // indirect - github.com/prometheus/common v0.42.0 // indirect - github.com/prometheus/procfs v0.9.0 // indirect - github.com/rogpeppe/go-internal v1.9.0 // indirect - github.com/sirupsen/logrus v1.9.0 // indirect + github.com/prometheus/client_golang v1.19.0 // indirect + github.com/prometheus/client_model v0.6.1 // indirect + github.com/prometheus/common v0.53.0 // indirect + github.com/prometheus/procfs v0.14.0 // indirect + github.com/rogpeppe/go-internal v1.12.0 // indirect + github.com/rs/zerolog v1.29.0 // indirect github.com/spf13/pflag v1.0.5 // indirect - github.com/tidwall/gjson v1.14.4 // indirect + github.com/tidwall/gjson v1.17.1 // indirect github.com/tidwall/match v1.1.1 // indirect github.com/tidwall/pretty v1.2.1 // indirect github.com/tidwall/sjson v1.2.5 // indirect github.com/traefik/paerser v0.2.0 // indirect github.com/x448/float16 v0.8.4 // indirect - github.com/xlab/treeprint v1.1.0 // indirect - go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect - go.uber.org/atomic v1.7.0 // indirect - go.uber.org/multierr v1.6.0 // indirect - golang.org/x/mod v0.10.0 // indirect - golang.org/x/net v0.10.0 // indirect - golang.org/x/oauth2 v0.5.0 // indirect - golang.org/x/sys v0.10.0 // indirect - golang.org/x/term v0.10.0 // indirect - golang.org/x/text v0.11.0 // indirect - golang.org/x/time v0.3.0 // indirect - golang.org/x/tools v0.9.1 // indirect - gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect - google.golang.org/appengine v1.6.7 // indirect + github.com/xlab/treeprint v1.2.0 // indirect + go.starlark.net v0.0.0-20240507195648-35fe9f26b4bc // indirect + go.uber.org/multierr v1.11.0 // indirect + golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 
// indirect + golang.org/x/mod v0.17.0 // indirect + golang.org/x/net v0.25.0 // indirect + golang.org/x/oauth2 v0.20.0 // indirect + golang.org/x/sync v0.7.0 // indirect + golang.org/x/sys v0.20.0 // indirect + golang.org/x/term v0.20.0 // indirect + golang.org/x/text v0.15.0 // indirect + golang.org/x/time v0.5.0 // indirect + golang.org/x/tools v0.21.0 // indirect + gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect + gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/apiextensions-apiserver v0.26.3 // indirect - k8s.io/component-base v0.26.3 // indirect - k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect - sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect - sigs.k8s.io/kustomize/kyaml v0.13.9 // indirect - sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect + k8s.io/apiextensions-apiserver v0.30.0 // indirect + k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f // indirect + sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect + sigs.k8s.io/kustomize/kyaml v0.17.0 // indirect + sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect ) diff --git a/go.sum b/go.sum index 9a1ecda3..6f7d7c50 100644 --- a/go.sum +++ b/go.sum 
@@ -1,238 +1,269 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= -cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= -cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= -cloud.google.com/go v0.44.3/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= -cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= -cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= -cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To= -cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= -cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= -cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= -cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= -cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= -cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= -cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= -cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI= -cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk= -cloud.google.com/go v0.75.0/go.mod h1:VGuuCn7PG0dwsd5XPVm2Mm3wlh3EL55/79EKB6hlPTY= -cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= -cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= -cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= -cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= 
-cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= -cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= -cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= -cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= -cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= -cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= -cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= -cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= -cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= -cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= -cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= -cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= -cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= -cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3fOKtUw0Xmo= -dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= -github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e h1:NeAW1fUYUEWhft7pkxDf6WoUvEZJ/uOKsvtpjLnn8MU= -github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= +github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0= +github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= +github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= 
+github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -github.com/BurntSushi/toml v1.2.1 h1:9F2/+DoOYIOksmaJFPw1tGFy1eDnIJXg+UHjuD8lTak= -github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8= -github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= +github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8= +github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= +github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0= +github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo= +github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI= +github.com/VividCortex/gohistogram v1.0.0/go.mod h1:Pf5mBqqDxYaXu3hDrrU+w6nw50o/4+TcAqDqk/vUH7g= +github.com/afex/hystrix-go v0.0.0-20180502004556-fa1af6a1f4f5/go.mod h1:SkGFH1ia65gfNATL8TAiHDNxPzPdmEL5uirI2Uyuz6c= +github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= +github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= +github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= +github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= +github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= +github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod 
h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= +github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ= +github.com/apache/thrift v0.13.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ= +github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= +github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= +github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= +github.com/aryann/difflib v0.0.0-20170710044230-e206f873d14a/go.mod h1:DAHtR1m6lCRdSC2Tm3DSWRPvIPr6xNKyeHdqDQSQT+A= +github.com/aws/aws-lambda-go v1.13.3/go.mod h1:4UKl9IzQMoD+QF79YdCuzCwp8VbmG4VAQwij/eHl5CU= +github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/aws/aws-sdk-go v1.44.327 h1:ZS8oO4+7MOBLhkdwIhgtVeDzCeWOlTfKJS7EgggbIEY= +github.com/aws/aws-sdk-go v1.44.327/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI= +github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g= +github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= +github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= -github.com/bufbuild/connect-go v1.7.0 h1:MGp82v7SCza+3RhsVhV7aMikwxvI3ZfD72YiGt8FYJo= -github.com/bufbuild/connect-go v1.7.0/go.mod h1:GmMJYR6orFqD0Y6ZgX8pwQ8j9baizDrIQMm1/a6LnHk= -github.com/cenkalti/backoff/v4 v4.2.0 h1:HN5dHm3WBOgndBH6E8V0q2jIYIR3s9yglV8k/+MN3u4= -github.com/cenkalti/backoff/v4 v4.2.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= +github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= +github.com/blang/semver/v4 
v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= +github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= +github.com/bufbuild/connect-go v1.10.0 h1:QAJ3G9A1OYQW2Jbk3DeoJbkCxuKArrvZgDt47mjdTbg= +github.com/bufbuild/connect-go v1.10.0/go.mod h1:CAIePUgkDR5pAFaylSMtNK45ANQjp9JvpluG20rhpV8= +github.com/casbin/casbin/v2 v2.1.2/go.mod h1:YcPU1XXisHhLzuxH9coDNf2FbKpjGlbCg3n9yuLkIJQ= +github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM= +github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= +github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= -github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= -github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= -github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= -github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= +github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/clbanning/x2j v0.0.0-20191024224557-825249438eec/go.mod h1:jMjuTZXRI4dUb/I5gc9Hdhagfvm9+RyrPryS/auMzxE= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= -github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= -github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod 
h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= -github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= -github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= +github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd/go.mod h1:sE/e/2PUdi/liOCUjSTXgM1o87ZssimdTWN964YiIeI= +github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/go-systemd/v22 v22.3.3-0.20220203105225-a9a7ef127534/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= +github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= +github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= -github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE= 
-github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= -github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs= +github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU= +github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I= +github.com/edsrzf/mmap-go v1.0.0/go.mod h1:YO35OhQPt3KJa3ryjFM5Bs14WD66h8eGKpfaBNrHW5M= +github.com/emicklei/go-restful/v3 v3.12.0 h1:y2DdzBAURM29NFF94q6RaY4vjIH1rtwDapwQtU84iWk= +github.com/emicklei/go-restful/v3 v3.12.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/envoyproxy/go-control-plane v0.6.9/go.mod h1:SBwIajubJHhxtWwsL9s8ss4safvEdbitLhGGK48rN6g= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= -github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= -github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= -github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= -github.com/envoyproxy/protoc-gen-validate v1.0.1 
h1:kt9FtLiooDc0vbwTLhdg3dyNX1K9Qwa1EK9LcD4jVUQ= -github.com/envoyproxy/protoc-gen-validate v1.0.1/go.mod h1:0vj8bNkYbSTNS2PIyH87KZaeN4x9zpL9Qt8fQC7d+vs= -github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ= -github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84= -github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= -github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww= -github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= -github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= -github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= -github.com/fxamacker/cbor/v2 v2.4.0 h1:ri0ArlOR+5XunOP8CRUowT0pSJOwhW098ZCUyskZD88= -github.com/fxamacker/cbor/v2 v2.4.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo= -github.com/gkampitakis/ciinfo v0.2.4 h1:Ip1hf4K7ISRuVlDrheuhaeffg1VOhlyeFGaQ/vTxrtE= -github.com/gkampitakis/ciinfo v0.2.4/go.mod h1:1NIwaOcFChN4fa/B0hEBdAb6npDlFL8Bwx4dfRLRqAo= +github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU4zdyUgIUNhlgg0A= +github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew= +github.com/evanphx/json-patch v5.9.0+incompatible h1:fBXyNpNMuTTDdquAq/uisOr2lShz4oaXpDTX2bLe7ls= +github.com/evanphx/json-patch v5.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg= +github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= +github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= +github.com/franela/goblin v0.0.0-20200105215937-c9ffbefa60db/go.mod h1:7dvUGVsVBjqR7JHJk0brhHOZYGmfBYOrK0ZhYMEtBr4= +github.com/franela/goreq 
v0.0.0-20171204163338-bcd34c9993f8/go.mod h1:ZhphrRTfi2rbfLwlschooIH4+wKKDR4Pdxhh+TRoA20= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= +github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= +github.com/fxamacker/cbor/v2 v2.6.0 h1:sU6J2usfADwWlYDAFhZBQ6TnLFBHxgesMrQfQgk1tWA= +github.com/fxamacker/cbor/v2 v2.6.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= +github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/gkampitakis/ciinfo v0.3.0 h1:gWZlOC2+RYYttL0hBqcoQhM7h1qNkVqvRCV1fOvpAv8= +github.com/gkampitakis/ciinfo v0.3.0/go.mod h1:1NIwaOcFChN4fa/B0hEBdAb6npDlFL8Bwx4dfRLRqAo= github.com/gkampitakis/go-diff v1.3.2 h1:Qyn0J9XJSDTgnsgHRdz9Zp24RaJeKMUHg2+PDZZdC4M= github.com/gkampitakis/go-diff v1.3.2/go.mod h1:LLgOrpqleQe26cte8s36HTWcTmMEur6OPYerdAAS9tk= -github.com/gkampitakis/go-snaps v0.4.3 h1:0awAg/9gGT63bcaWmigfbGt+tsuIKlI/TiqLP5e+2Cc= -github.com/gkampitakis/go-snaps v0.4.3/go.mod h1:oEL8WdkP4EpHdMA3wrNRjfRiV9wV3OhU/JpX9l4joA0= -github.com/go-acme/lego/v4 v4.10.2 h1:5eW3qmda5v/LP21v1Hj70edKY1jeFZQwO617tdkwp6Q= -github.com/go-acme/lego/v4 v4.10.2/go.mod h1:EMbf0Jmqwv94nJ5WL9qWnSXIBZnvsS9gNypansHGc6U= -github.com/go-asn1-ber/asn1-ber v1.5.4 h1:vXT6d/FNDiELJnLb6hGNa309LMsrCoYFvpwHDF0+Y1A= -github.com/go-asn1-ber/asn1-ber v1.5.4/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= -github.com/go-errors/errors v1.0.1 h1:LUHzmkK3GUKUrL/1gfBUxAHzcev3apQlezX/+O7ma6w= -github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= -github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= -github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= -github.com/go-gl/glfw/v3.3/glfw 
v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= -github.com/go-jose/go-jose/v3 v3.0.0 h1:s6rrhirfEP/CGIoc6p+PZAeogN2SxKav6Wp7+dyMWVo= -github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8= -github.com/go-ldap/ldap/v3 v3.4.4 h1:qPjipEpt+qDa6SI/h1fzuGWoRUY+qqQ9sOZq67/PYUs= -github.com/go-ldap/ldap/v3 v3.4.4/go.mod h1:fe1MsuN5eJJ1FeLT/LEBVdWfNWKh459R7aXgXtJC+aI= -github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= -github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/zapr v1.2.3 h1:a9vnzlIBPQBBkeaR9IuMUfmVOrQlkoC4YfPoFkX3T7A= -github.com/go-logr/zapr v1.2.3/go.mod h1:eIauM6P8qSvTw5o2ez6UEAfGjQKrxQTl5EoK+Qa2oG4= -github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY= -github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonreference v0.20.0 h1:MYlu0sBgChmCfJxxUKZ8g1cPWFOB37YSZqewK7OKeyA= -github.com/go-openapi/jsonreference v0.20.0/go.mod h1:Ag74Ico3lPc+zR+qjn4XBUmXymS4zJbYVCZmcgkasdo= -github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= -github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5Fng= -github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= -github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= -github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= -github.com/go-webauthn/webauthn v0.8.6 
h1:bKMtL1qzd2WTFkf1mFTVbreYrwn7dsYmEPjTq6QN90E= -github.com/go-webauthn/webauthn v0.8.6/go.mod h1:emwVLMCI5yx9evTTvr0r+aOZCdWJqMfbRhF0MufyUog= -github.com/go-webauthn/x v0.1.4 h1:sGmIFhcY70l6k7JIDfnjVBiAAFEssga5lXIUXe0GtAs= -github.com/go-webauthn/x v0.1.4/go.mod h1:75Ug0oK6KYpANh5hDOanfDI+dvPWHk788naJVG/37H8= +github.com/gkampitakis/go-snaps v0.5.4 h1:GX+dkKmVsRenz7SoTbdIEL4KQARZctkMiZ8ZKprRwT8= +github.com/gkampitakis/go-snaps v0.5.4/go.mod h1:ZABkO14uCuVxBHAXAfKG+bqNz+aa1bGPAg8jkI0Nk8Y= +github.com/go-acme/lego/v4 v4.16.1 h1:JxZ93s4KG0jL27rZ30UsIgxap6VGzKuREsSkkyzeoCQ= +github.com/go-acme/lego/v4 v4.16.1/go.mod h1:AVvwdPned/IWpD/ihHhMsKnveF7HHYAz/CmtXi7OZoE= +github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= +github.com/go-asn1-ber/asn1-ber v1.5.7 h1:DTX+lbVTWaTw1hQ+PbZPlnDZPEIs0SS/GCZAl535dDk= +github.com/go-asn1-ber/asn1-ber v1.5.7/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= +github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8bk= +github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= +github.com/go-jose/go-jose/v4 v4.0.1 h1:QVEPDE3OluqXBQZDcnNvQrInro2h0e4eqNbnZSWqS6U= +github.com/go-jose/go-jose/v4 v4.0.1/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY= +github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-kit/kit v0.10.1-0.20200915143503-439c4d2ed3ea h1:CnEQOUv4ilElSwFB9g/lVmz206oLE4aNZDYngIY1Gvg= +github.com/go-kit/kit v0.10.1-0.20200915143503-439c4d2ed3ea/go.mod h1:xUsJbQ/Fp4kEt7AFgCuvyX4a71u8h9jB8tj/ORgOZ7o= +github.com/go-ldap/ldap/v3 v3.4.8 h1:loKJyspcRezt2Q3ZRMq2p/0v8iOurlmeXDPw6fikSvQ= +github.com/go-ldap/ldap/v3 v3.4.8/go.mod h1:qS3Sjlu76eHfHGpUdWkAXQTw4beih+cHsco2jXlIXrk= +github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= +github.com/go-logfmt/logfmt 
v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= +github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= +github.com/go-logfmt/logfmt v0.5.1 h1:otpy5pqBCBZ1ng9RQ0dPu4PN7ba75Y/aA+UpowDyNVA= +github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs= +github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= +github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= +github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= +github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ= +github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY= +github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ= +github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4= +github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE= +github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ= +github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= +github.com/go-stack/stack v1.8.0 h1:5SgMzNM5HxrEjV0ww2lTmX6E2Izsfxas4+YHWRs3Lsk= +github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= +github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= +github.com/go-webauthn/webauthn v0.10.2 h1:OG7B+DyuTytrEPFmTX503K77fqs3HDK/0Iv+z8UYbq4= +github.com/go-webauthn/webauthn v0.10.2/go.mod h1:Gd1IDsGAybuvK1NkwUTLbGmeksxuRJjVN2PE/xsPxHs= +github.com/go-webauthn/x v0.1.9 h1:v1oeLmoaa+gPOaZqUdDentu6Rl7HkSSsmOT6gxEQHhE= +github.com/go-webauthn/x v0.1.9/go.mod 
h1:pJNMlIMP1SU7cN8HNlKJpLEnFHCygLCvaLZ8a1xeoQA= +github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= +github.com/gogo/googleapis v1.1.0/go.mod h1:gf4bu3Q80BeJ6H1S1vYPm8/ELATdvryBaNFGgqEef3s= +github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= -github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE= -github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= +github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk= +github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= -github.com/golang/mock v1.2.0/go.mod 
h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= -github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= -github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= -github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= -github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= -github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= -github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= -github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk= -github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= -github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= -github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= -github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= -github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= -github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= -github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= -github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= -github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= -github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= 
-github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= -github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= +github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4= -github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= -github.com/google/gnostic v0.5.7-v3refs h1:FhTMOKj2VhjpouxvWJAV1TL304uMlb9zcDqkl6cEI54= -github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ= +github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU= +github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= +github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= +github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 
-github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-tpm v0.9.0 h1:sQF6YqWMi+SCXpsmS3fd21oPy/vSddwZry4JnmltHVk= github.com/google/go-tpm v0.9.0/go.mod h1:FkNVkc6C+IsvDI9Jw1OveJmxGZUUaKxtrpOS47QWKfU= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= -github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= -github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= -github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= -github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= -github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= 
-github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22 h1:ub2sxhs2A0HRa2dWHavvmWxiVGXNfE9wI+gcTMwED8A= -github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20240507183855-6f11f98ebb1c h1:GCixZ7sgey01Kjw8pxBzCD0uVrubxl8SRzRgI0jwP+A= +github.com/google/pprof v0.0.0-20240507183855-6f11f98ebb1c/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= -github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= -github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= -github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= -github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g= -github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI= -github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= -github.com/gorilla/securecookie v1.1.1 
h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ= +github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= +github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg= +github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= +github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= +github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= +github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4= -github.com/gorilla/sessions v1.2.1 h1:DHd3rPN5lE3Ts3D8rKkQ8x/0kqfeNmBAaiSi+o7FsgI= +github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA= +github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo= github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM= -github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 h1:pdN6V1QBWetyv/0+wjACpqVH+eVULgEjkurDLq3goeM= -github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/gorilla/sessions v1.2.2 h1:lqzMYz6bOfvn2WriPUjNByzeXIlVzURcPmgMczkmTjY= +github.com/gorilla/sessions v1.2.2/go.mod h1:ePLdVu+jbEgHH+KWw8I1z2wqd0BAdAQh/8LRvBeoNcQ= +github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= +github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA= +github.com/gregjones/httpcache 
v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= +github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= +github.com/hashicorp/consul/api v1.3.0/go.mod h1:MmDNSzIMUjNpY/mQ398R4bk2FnqQLoPndWW5VkKPlCE= +github.com/hashicorp/consul/sdk v0.3.0/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= +github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= +github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= +github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= +github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= +github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU= +github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU= +github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4= +github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8= +github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go-version v1.2.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/hashicorp/go.net v0.0.1/go.mod 
h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= -github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= -github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= -github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU= -github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= +github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= +github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= +github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= +github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= +github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/http-wasm/http-wasm-host-go v0.6.0 h1:Vd4XvcFB3NMgWp2VLCQaiqYgLneN2lChbyN9NGoNDro= +github.com/http-wasm/http-wasm-host-go v0.6.0/go.mod h1:zQB3w+df4hryDEqBorGyA1DwPJ86LfKIASNLFuj6CuI= +github.com/hudl/fargo v1.3.0/go.mod h1:y3CKSmjA+wD2gak7sUSXTAoopbhU08POFhmITJgmKTg= +github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4= +github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= +github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= +github.com/influxdata/influxdb1-client 
v0.0.0-20191209144304-8bf82d3c094d/go.mod h1:qj24IKcXYK6Iy9ceXlo3Tc+vtHo9lIhSX5JddghvEPo= +github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8= +github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs= +github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo= +github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM= +github.com/jcmturner/gofork v1.7.6 h1:QH0l3hzAU1tfT3rZCnW5zXl+orbkNMMRGJfdJjHVETg= +github.com/jcmturner/gofork v1.7.6/go.mod h1:1622LH6i/EZqLloHfE7IeZ0uEJwMSUyQ/nDd82IeqRo= +github.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o= +github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg= +github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh687T8= +github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs= +github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY= +github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc= +github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= +github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= +github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= +github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= +github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= +github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v1.1.7/go.mod 
h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= -github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= -github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= +github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= +github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= +github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg= +github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= -github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= 
@@ -241,88 +272,178 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE= -github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/lightstep/lightstep-tracer-common/golang/gogo v0.0.0-20190605223551-bc2310a04743/go.mod h1:qklhhLq1aX+mtWk9cPHPzaBjWImj5ULL6C7HFJtXQMM= +github.com/lightstep/lightstep-tracer-go v0.18.1/go.mod h1:jlF1pusYV4pidLvZ+XD0UBX0ZE6WURAspgAczcDHrL4= +github.com/lyft/protoc-gen-validate v0.0.13/go.mod h1:XbGvPuh87YZc5TdIa2/I4pLk0QoUACkjt2znoq26NVQ= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= -github.com/mattn/go-isatty v0.0.18 h1:DOKFKCQ7FNG2L1rbrmstDN4QVRdS89Nkh85u68Uwp98= -github.com/mattn/go-isatty v0.0.18/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= -github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo= -github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= -github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA= -github.com/miekg/dns v1.1.50/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME= +github.com/maruel/natural v1.1.1 h1:Hja7XhhmvEFhcByqDoHz9QZbkWey+COd9xWfCfn1ioo= +github.com/maruel/natural v1.1.1/go.mod h1:v+Rfd79xlw1AgVBjbO0BEQmptqb5HvL/k9GRHB7ZKEg= 
+github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= +github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4= +github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= +github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= +github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= +github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= +github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= +github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= +github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= +github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= +github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= +github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= +github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= +github.com/miekg/dns v1.1.59 h1:C9EXc/UToRwKLhK5wKU/I4QVsBUc8kE6MkHBkeypWZs= +github.com/miekg/dns v1.1.59/go.mod h1:nZpewl5p6IvctfgrckopVx2OlSEHPRO/U4SYkRklrEk= +github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= +github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= +github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg= +github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY= +github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/mitchellh/mapstructure v1.1.2/go.mod 
h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0= +github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 h1:n6/2gBQ3RWajuToeY6ZtZTIKv2v7ThUy5KKusIT0yc0= github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod h1:Pm3mSP3c5uWn86xMLZ5Sa7JB9GsEZySvHYXCTK4E9q4= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= -github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q= -github.com/onsi/ginkgo/v2 v2.9.5/go.mod h1:tvAoo1QUJwNEU2ITftXTpR7R1RbCzoZUOs3RonqW57k= -github.com/onsi/gomega v1.27.7 h1:fVih9JD6ogIiHUN6ePK7HJidyEDpWGVB5mzM7cWNXoU= 
-github.com/onsi/gomega v1.27.7/go.mod h1:1p8OOlwo2iUUDsHnOrjE5UKYJ+e3W8eQ3qSlRahPmr4= +github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/nats-io/jwt v0.3.0/go.mod h1:fRYCDE99xlTsqUzISS1Bi75UBJ6ljOJQOAAu5VglpSg= +github.com/nats-io/jwt v0.3.2/go.mod h1:/euKqTS1ZD+zzjYrY7pseZrTtWQSjujC7xjPc8wL6eU= +github.com/nats-io/nats-server/v2 v2.1.2/go.mod h1:Afk+wRZqkMQs/p45uXdrVLuab3gwv3Z8C4HTBu8GD/k= +github.com/nats-io/nats.go v1.9.1/go.mod h1:ZjDU1L/7fJ09jvUSRVBR2e7+RnLiiIQyqyzEE/Zbp4w= +github.com/nats-io/nkeys v0.1.0/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w= +github.com/nats-io/nkeys v0.1.3/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w= +github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c= +github.com/oklog/oklog v0.3.2/go.mod h1:FCV+B7mhrz4o+ueLpx+KqkyXRGMWOYEvfiXtdGtbWGs= +github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA= +github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= +github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo/v2 v2.17.3 h1:oJcvKpIb7/8uLpDDtnQuf18xVnwKp8DTD7DQ6gTd/MU= +github.com/onsi/ginkgo/v2 v2.17.3/go.mod h1:nP2DPOQoNsQmsVyv5rDA8JkXQoCs6goXIvr/PRJ1eCc= +github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= +github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= +github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk= +github.com/opentracing-contrib/go-observer v0.0.0-20170622124052-a52f23424492/go.mod h1:Ngi6UdF0k5OKD5t5wlmGhe/EDKPoUM3BXZSSfIuJbis= 
+github.com/opentracing/basictracer-go v1.0.0/go.mod h1:QfBfYuafItcjQuMwinw9GhYKwFXS9KnPs5lxoYwgW74= +github.com/opentracing/opentracing-go v1.0.2/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= +github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= +github.com/openzipkin-contrib/zipkin-go-opentracing v0.4.5/go.mod h1:/wsWhb9smxSfWAKL3wpBW7V8scJMt8N8gnaMCS9E/cA= +github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw= +github.com/openzipkin/zipkin-go v0.2.1/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4= +github.com/openzipkin/zipkin-go v0.2.2/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4= +github.com/pact-foundation/pact-go v1.0.4/go.mod h1:uExwJY4kCzNPcHRj+hCR/HBbOOIwwtUjcrb0b5/5kLM= +github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc= github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ= -github.com/pelletier/go-toml/v2 v2.0.7 h1:muncTPStnKRos5dpVKULv2FVd4bMOhNePj9CjgDb8Us= -github.com/pelletier/go-toml/v2 v2.0.7/go.mod h1:eumQOmlWiOPt5WriQQqoM5y18pDHwha2N+QD+EUNTek= +github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= +github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM= +github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs= +github.com/performancecopilot/speed v3.0.0+incompatible/go.mod h1:/CLtqpZ5gBg1M9iaPbIdPPGyKcA8hKdoy6hAWba7Yac= github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= +github.com/pierrec/lz4 v1.0.2-0.20190131084431-473cd7ce01a1/go.mod 
h1:3/3N9NVKO0jef7pBehbT1qWhCMrIgbYNnFAZCqQ5LRc= +github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= +github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pkg/profile v1.2.1/go.mod h1:hJw3o1OdXxsrSjjVksARp5W95eeEaEfptyVZyv6JUPA= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/prometheus/client_golang v1.15.1 h1:8tXpTmJbyH5lydzFPoxSIJ0J46jdh3tylbvM1xCv0LI= -github.com/prometheus/client_golang v1.15.1/go.mod h1:e9yaBhRPU2pPNsZwE+JdQl0KEt1N9XgF6zxWmaC0xOk= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= +github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= +github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs= +github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= +github.com/prometheus/client_golang v1.3.0/go.mod h1:hJaj2vgQTGQmVCsAACORcieXFeDPbaTKGT+JTgUa3og= +github.com/prometheus/client_golang v1.19.0 h1:ygXvpU1AoN1MhdzckN+PyD9QJOSD4x7kmXYlnfbA6JU= 
+github.com/prometheus/client_golang v1.19.0/go.mod h1:ZRM9uEAypZakd+q/x7+gmsvXdURP+DABIEIjnmDdp+k= +github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/client_model v0.3.0 h1:UBgGFHqYdG/TPFD1B1ogZywDqEkwp3fBMvqdiQ7Xew4= -github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w= -github.com/prometheus/common v0.42.0 h1:EKsfXEYo4JpWMHH5cg+KOUWeuJSov1Id8zGR8eeI1YM= -github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc= -github.com/prometheus/procfs v0.9.0 h1:wzCHvIvM5SxWqYvwgVL7yJY8Lz3PKn49KQtpgMYJfhI= -github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB/chUwxUZY= +github.com/prometheus/client_model v0.1.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= +github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= +github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/common v0.7.0/go.mod h1:DjGbpBbp5NYNiECxcL/VnbXCCaQpKd3tt26CguLLsqA= +github.com/prometheus/common v0.53.0 h1:U2pL9w9nmJwJDa4qqLQ3ZaePJ6ZTwt7cMD3AG3+aLCE= +github.com/prometheus/common v0.53.0/go.mod h1:BrxBKv3FWBIGXw89Mg1AeBq7FSyRzXWI3l3e7W3RN5U= +github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod 
h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A= +github.com/prometheus/procfs v0.14.0 h1:Lw4VdGGoKEZilJsayHf0B+9YgLGREba2C6xr+Fdfq6s= +github.com/prometheus/procfs v0.14.0/go.mod h1:XL+Iwz8k8ZabyZfMFHPiilCniixqQarAy5Mu67pHlNQ= +github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= +github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= -github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8= github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= +github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= +github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= +github.com/rs/xid v1.4.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg= +github.com/rs/zerolog v1.29.0 h1:Zes4hju04hjbvkVkOhdl2HpZa+0PmVwigmo8XoORE5w= +github.com/rs/zerolog v1.29.0/go.mod h1:NILgTygv/Uej1ra5XxGf82ZFSLk58MFGAUS2o6usyD0= +github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0= -github.com/sethvargo/go-password v0.2.0 h1:BTDl4CC/gjf/axHMaDQtw507ogrXLci6XRiLc7i/UHI= -github.com/sethvargo/go-password v0.2.0/go.mod h1:Ym4Mr9JXLBycr02MFuVQ/0JHidNetSgbzutTr3zsYXE= -github.com/sirupsen/logrus v1.9.0 
h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0= -github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= -github.com/spf13/afero v1.9.5 h1:stMpOSZFs//0Lv29HduCmli3GUfpFoF3Y1Q/aXj/wVM= -github.com/spf13/afero v1.9.5/go.mod h1:UBogFpq8E9Hx+xc5CNTTEpTnuHVmXDwZcZcE1eb/UhQ= -github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I= -github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0= +github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= +github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da/go.mod h1:gi+0XIa01GRL2eRQVjQkKGqKF3SF9vZR/HnPullcV2E= +github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= +github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ= +github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= +github.com/sethvargo/go-password v0.3.0 h1:OLFHZ91Z7NiNP3dnaPxLxCDXlb6TBuxFzMvv6bu+Ptw= +github.com/sethvargo/go-password v0.3.0/go.mod h1:p6we8DZ0eyYXof9pon7Cqrw98N4KTaYiadDml1dUEEw= +github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= +github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= +github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= +github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= +github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= +github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= +github.com/sony/gobreaker v0.4.1/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY= +github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8= +github.com/spf13/afero v1.11.0/go.mod 
h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY= +github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= +github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0= +github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho= +github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= +github.com/streadway/amqp v0.0.0-20190404075320-75d898a42a94/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw= +github.com/streadway/amqp v0.0.0-20190827072141-edfb9018d271/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw= +github.com/streadway/handy v0.0.0-20190108123426-d5acb3125c2a/go.mod h1:qNTQ5P5JnDBl6z3cMAg/SywNDC5ABu5ApDIw6lUbRmI= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= -github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= +github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY= +github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= -github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= -github.com/stretchr/testify v1.6.1/go.mod 
h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/tidwall/gjson v1.14.2/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= -github.com/tidwall/gjson v1.14.4 h1:uo0p8EbA09J7RQaflQ1aBRffTR7xedD2bcIVSYxLnkM= -github.com/tidwall/gjson v1.14.4/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= +github.com/tidwall/gjson v1.17.1 h1:wlYEnwqAHgzmhNUFfw7Xalt2JzQvsMx2Se4PcoFCT/U= +github.com/tidwall/gjson v1.17.1/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA= github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM= github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= 
@@ -330,412 +451,271 @@ github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4= github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY= github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28= +github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/traefik/paerser v0.2.0 h1:zqCLGSXoNlcBd+mzqSCLjon/I6phqIjeJL2xFB2ysgQ= github.com/traefik/paerser v0.2.0/go.mod h1:afzaVcgF8A+MpTnPG4wBr4whjanCSYA6vK5RwaYVtRc= -github.com/traefik/traefik/v2 v2.10.1 h1:YP034U+yUkHZizCkokUMdV0wecuROJntxwqH5P70Krs= -github.com/traefik/traefik/v2 v2.10.1/go.mod h1:prn4IYzwqrxXeZUfpdl9eICqpcKV9teQD//LFOD/srk= +github.com/traefik/traefik/v3 v3.0.0 h1:5QehwnFdbTMvLW0WZFw47YKD3i9WO5L5e/l0n/cJ/V0= +github.com/traefik/traefik/v3 v3.0.0/go.mod h1:7AglinDE1SUEb/r8MIu7+YqiLY/J7wakEJHyVTYa628= +github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= +github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= -github.com/xlab/treeprint v1.1.0 h1:G/1DjNkPpfZCFt9CSh6b5/nY4VimlbHF3Rh4obvtzDk= -github.com/xlab/treeprint v1.1.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= -github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= +github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ= +github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 
-github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= -go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= -go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= +go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg= +go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk= +go.opencensus.io v0.20.2/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= -go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 h1:+FNtrFTmVw0YZGpBGX56XDee331t6JAXeK2bcyhLOOc= -go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5/go.mod h1:nmDLcffg48OtT/PSW0Hg7FvpRQsQh5OSqIylirxKC7o= -go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw= -go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= -go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A= -go.uber.org/goleak v1.2.0 h1:xqgm/S+aQvhWFTtR0XK3Jvg7z8kGV8P4X14IzwN3Eqk= -go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4= -go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= -go.uber.org/zap v1.19.0/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI= -go.uber.org/zap v1.24.0 
h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60= -go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg= +go.starlark.net v0.0.0-20240507195648-35fe9f26b4bc h1:WMJEq47tB89BoJ5HUfoMZVtN+0u6f32LgIfQlu3mMF8= +go.starlark.net v0.0.0-20240507195648-35fe9f26b4bc/go.mod h1:YKMCv9b1WrfWmeqdV5MAuEHWsu5iC+fe6kYl2sQjdI8= +go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= +go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ= +go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= +go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= +go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= +go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4= +go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= +go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= +go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA= +go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= +go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM= +go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= +go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= +golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto 
v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= -golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA= -golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= +golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= +golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= +golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI= +golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= -golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= -golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY= -golang.org/x/exp 
v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= -golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= -golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= -golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= -golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= -golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= -golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= +golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM= +golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= -golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod 
h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= -golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= -golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= -golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk= -golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA= +golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod 
h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190125091013-d26f9f9a57f3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 
golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod 
h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= -golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= +golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= +golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= +golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= +golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac= +golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 
v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.5.0 h1:HuArIo48skDwlrvM3sEdHXElYslAMsf3KwRkkW4MC4s= -golang.org/x/oauth2 v0.5.0/go.mod h1:9/XBHVqLaWO3/BRHs5jbpYCnOZVjj5V0ndyaAM7KB4I= +golang.org/x/oauth2 v0.20.0 h1:4mQdhULixXKP1rwYBW0vAijoXnkTG0BLCDRzfe1idMo= +golang.org/x/oauth2 v0.20.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.2.0 h1:PUR+T4wwASmuSTYdKjYHI5TD22Wy5ogLU5qZCOLxBrI= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= +golang.org/x/sync v0.7.0/go.mod 
h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
-golang.org/x/sys v0.0.0-20191002063906-3421d5a6bb1c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys 
v0.0.0-20191220142924-d4481acd189f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= -golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y= +golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c= -golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o= -golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= +golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= +golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= +golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= +golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw= +golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY= 
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4= -golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= -golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk= +golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= -golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= +golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= +golang.org/x/tools 
v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= -golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= -golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools 
v0.0.0-20191108193012-7d206e10da11/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools 
v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= -golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= -golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= -golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200103221440-774c71fcf114/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= -golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools 
v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= -golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/tools v0.9.1 h1:8WMNJAz3zrtPmnYC7ISf5dEn3MT0gY7jBJfw27yrrLo= -golang.org/x/tools v0.9.1/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= +golang.org/x/tools v0.21.0 h1:qc0xYgIbsSDt9EyWz05J5wfa7LOVW0YTLOXrqdLAWIw= +golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -gomodules.xyz/jsonpatch/v2 v2.2.0 h1:4pT439QV83L+G9FkcCriY6EkpcK6r6bK+A5FBUMI7qY= -gomodules.xyz/jsonpatch/v2 v2.2.0/go.mod h1:WXp+iVDkoLQqPudfQ9GBlwB2eZ5DKOnjQZCYdOS8GPY= -google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= -google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= -google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= -google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= -google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= -google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= -google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= 
-google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= -google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= -google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM= -google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc= -google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg= -google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE= -google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= +gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw= +gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= +google.golang.org/api v0.3.1/go.mod h1:6wY9I6uQWHQ8EM57III9mq/AjF+i8G65rmVagqKMtkk= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= -google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= -google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= -google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/appengine v1.6.7 
h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= -google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190530194941-fb225487d101/go.mod h1:z3L6/3dTEVtUr6QSP8miRzeRqwQOioJ9I66odjN4I7s= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= -google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= -google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod 
h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA= -google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= -google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= -google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto 
v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.20.0/go.mod h1:chYK+tFQF0nDUGJgXMSgLCQk3phJEuONr2DCgLDdAQM= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= -google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= +google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= +google.golang.org/grpc v1.22.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= -google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= +google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60= -google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= 
-google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= -google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= -google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= -google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= -google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= -google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= -google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= -google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= -google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= -google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= -google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng= -google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.34.1 
h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg= +google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= +gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4= +gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= +gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/gcfg.v1 v1.2.3/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= +gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= +gopkg.in/yaml.v2 v2.2.1/go.mod 
h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= -honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.26.3 h1:emf74GIQMTik01Aum9dPP0gAypL8JTLl/lHa4V9RFSU= -k8s.io/api v0.26.3/go.mod h1:PXsqwPMXBSBcL1lJ9CYDKy7kIReUydukS5JiRlxC3qE= -k8s.io/apiextensions-apiserver v0.26.3 h1:5PGMm3oEzdB1W/FTMgGIDmm100vn7IaUP5er36dB+YE= -k8s.io/apiextensions-apiserver 
v0.26.3/go.mod h1:jdA5MdjNWGP+njw1EKMZc64xAT5fIhN6VJrElV3sfpQ= -k8s.io/apimachinery v0.26.3 h1:dQx6PNETJ7nODU3XPtrwkfuubs6w7sX0M8n61zHIV/k= -k8s.io/apimachinery v0.26.3/go.mod h1:ats7nN1LExKHvJ9TmwootT00Yz05MuYqPXEXaVeOy5I= -k8s.io/cli-runtime v0.26.3 h1:3ULe0oI28xmgeLMVXIstB+ZL5CTGvWSMVMLeHxitIuc= -k8s.io/cli-runtime v0.26.3/go.mod h1:5YEhXLV4kLt/OSy9yQwtSSNZU2Z7aTEYta1A+Jg4VC4= -k8s.io/client-go v0.26.3 h1:k1UY+KXfkxV2ScEL3gilKcF7761xkYsSD6BC9szIu8s= -k8s.io/client-go v0.26.3/go.mod h1:ZPNu9lm8/dbRIPAgteN30RSXea6vrCpFvq+MateTUuQ= -k8s.io/component-base v0.26.3 h1:oC0WMK/ggcbGDTkdcqefI4wIZRYdK3JySx9/HADpV0g= -k8s.io/component-base v0.26.3/go.mod h1:5kj1kZYwSC6ZstHJN7oHBqcJC6yyn41eR+Sqa/mQc8E= -k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= -k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= -k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 h1:+70TFaan3hfJzs+7VK2o+OGxg8HsuBr/5f6tVAjDu6E= -k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4= -k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk= -k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= -rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= -rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= -sigs.k8s.io/controller-runtime v0.14.6 h1:oxstGVvXGNnMvY7TAESYk+lzr6S3V5VFxQ6d92KcwQA= -sigs.k8s.io/controller-runtime v0.14.6/go.mod h1:WqIdsAY6JBsjfc/CqO0CORmNtoCtE4S6qbPc9s68h+0= -sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k= -sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/kustomize/api v0.12.1 h1:7YM7gW3kYBwtKvoY216ZzY+8hM+lV53LUayghNRJ0vM= 
-sigs.k8s.io/kustomize/api v0.12.1/go.mod h1:y3JUhimkZkR6sbLNwfJHxvo1TCLwuwm14sCYnkH6S1s= -sigs.k8s.io/kustomize/kyaml v0.13.9 h1:Qz53EAaFFANyNgyOEJbT/yoIHygK40/ZcvU3rgry2Tk= -sigs.k8s.io/kustomize/kyaml v0.13.9/go.mod h1:QsRbD0/KcU+wdk0/L0fIp2KLnohkVzs6fQ85/nOXac4= -sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= -sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= -sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= -sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= +k8s.io/api v0.30.0 h1:siWhRq7cNjy2iHssOB9SCGNCl2spiF1dO3dABqZ8niA= +k8s.io/api v0.30.0/go.mod h1:OPlaYhoHs8EQ1ql0R/TsUgaRPhpKNxIMrKQfWUp8QSE= +k8s.io/apiextensions-apiserver v0.30.0 h1:jcZFKMqnICJfRxTgnC4E+Hpcq8UEhT8B2lhBcQ+6uAs= +k8s.io/apiextensions-apiserver v0.30.0/go.mod h1:N9ogQFGcrbWqAY9p2mUAL5mGxsLqwgtUce127VtRX5Y= +k8s.io/apimachinery v0.30.0 h1:qxVPsyDM5XS96NIh9Oj6LavoVFYff/Pon9cZeDIkHHA= +k8s.io/apimachinery v0.30.0/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= +k8s.io/cli-runtime v0.30.0 h1:0vn6/XhOvn1RJ2KJOC6IRR2CGqrpT6QQF4+8pYpWQ48= +k8s.io/cli-runtime v0.30.0/go.mod h1:vATpDMATVTMA79sZ0YUCzlMelf6rUjoBzlp+RnoM+cg= +k8s.io/client-go v0.30.0 h1:sB1AGGlhY/o7KCyCEQ0bPWzYDL0pwOZO4vAtTSh/gJQ= +k8s.io/client-go v0.30.0/go.mod h1:g7li5O5256qe6TYdAMyX/otJqMhIiGgTapdLchhmOaY= +k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= +k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f h1:0LQagt0gDpKqvIkAMPaRGcXawNMouPECM1+F9BVxEaM= +k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f/go.mod h1:S9tOR0FxgyusSNR+MboCuiDpVWkAifZvaYI1Q2ubgro= +k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 h1:jgGTlFYnhF1PM1Ax/lAlxUPE+KfCIXHaathvJg1C3ak= +k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= 
+sigs.k8s.io/controller-runtime v0.18.2 h1:RqVW6Kpeaji67CY5nPEfRz6ZfFMk0lWQlNrLqlNpx+Q= +sigs.k8s.io/controller-runtime v0.18.2/go.mod h1:tuAt1+wbVsXIT8lPtk5RURxqAnq7xkpv2Mhttslg7Hw= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= +sigs.k8s.io/kustomize/api v0.17.1 h1:MYJBOP/yQ3/5tp4/sf6HiiMfNNyO97LmtnirH9SLNr4= +sigs.k8s.io/kustomize/api v0.17.1/go.mod h1:ffn5491s2EiNrJSmgqcWGzQUVhc/pB0OKNI0HsT/0tA= +sigs.k8s.io/kustomize/kyaml v0.17.0 h1:G2bWs03V9Ur2PinHLzTUJ8Ded+30SzXZKiO92SRDs3c= +sigs.k8s.io/kustomize/kyaml v0.17.0/go.mod h1:6lxkYF1Cv9Ic8g/N7I86cvxNc5iinUo/P2vKsHNmpyE= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= +sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= +sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= +sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= +sourcegraph.com/sourcegraph/appdash v0.0.0-20190731080439-ebfcffb1b5c0/go.mod h1:hI742Nqp5OhwiqlzhgfbWU4mW4yO10fP+LoT9WOswdU= diff --git a/go.work b/go.work index 0caade13..a1d6ba82 100644 --- a/go.work +++ b/go.work @@ -1,4 +1,6 @@ -go 1.20 +go 1.22.0 + +toolchain go1.22.3 use ( . diff --git a/go.work.sum b/go.work.sum index f303ca0e..c10d5897 100644 --- a/go.work.sum +++ b/go.work.sum 
@@ -1,58 +1,438 @@ +cloud.google.com/go v0.110.10/go.mod h1:v1OoFqYxiBkUrruItNM3eT4lLByNjxmJSV/xDKJNnic= +cloud.google.com/go/compute v1.23.3/go.mod h1:VCgBUoMnIVIR0CscqQiPJLAG25E3ZRZMzcFZeQ+h8CI= +cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA= +cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k= +cloud.google.com/go/iam v1.1.5/go.mod h1:rB6P/Ic3mykPbFio+vo7403drjlgvoWfYpJhMXEbzv8= +cloud.google.com/go/storage v1.35.1/go.mod h1:M6M/3V/D3KpzMTJyPOR/HU6n2Si5QdaXYEsng2xgOs8= +dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= +github.com/AdamSLevy/jsonrpc2/v14 v14.1.0/go.mod h1:ZakZtbCXxCz82NJvq7MoREtiQesnDfrtF6RFUGzQfLo= +github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0/go.mod h1:OQeznEEkTZ9OrhHJoDD8ZDq51FHgXjqtP9z6bEwBq9U= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0/go.mod h1:okt5dMMTOFjX/aovMlrjvvXoPMBVSPzk9185BT0+eZM= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns v1.1.0/go.mod h1:copqlcjMWc/wgQ1N2fzsJFQxDdqKGg1EQt8T5wJMOGE= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns v1.1.0/go.mod h1:y2zXtLSMM/X5Mfawq0lOftpWn3f4V6OCsRdINsvWBPI= +github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= +github.com/Azure/go-autorest/autorest v0.11.29/go.mod h1:ZtEzC4Jy2JDrZLxvWs8LrBWEBycl1hbT1eknI8MtfAs= +github.com/Azure/go-autorest/autorest/adal v0.9.22/go.mod h1:XuAbAEUv2Tta//+voMI038TrJBqjKam0me7qR+L8Cmk= +github.com/Azure/go-autorest/autorest/azure/auth v0.5.12/go.mod h1:84w/uV8E37feW2NCJ08uT9VBfjfUHpgLVnG2InYD6cg= +github.com/Azure/go-autorest/autorest/azure/cli v0.4.5/go.mod 
h1:ADQAXrkgm7acgWVUNamOgh8YNrv4p27l3Wc55oVfpzg= github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= github.com/Azure/go-autorest/autorest/to v0.4.0/go.mod h1:fE8iZBn7LQR7zH/9XU2NcPR4o9jEImooCeWJcYV/zLE= github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= -github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= +github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0/go.mod h1:kgDmCTgBzIEPFElEF+FK0SdjAor06dRq2Go927dnQ6o= +github.com/DataDog/appsec-internal-go v1.0.0/go.mod h1:+Y+4klVWKPOnZx6XESG7QHydOaUGEXyH2j/vSg9JiNM= +github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0/go.mod h1:HzySONXnAgSmIQfL6gOv9hWprKJkx8CicuXuUbmgWfo= +github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.48.0-devel.0.20230725154044-2549ba9058df/go.mod h1:5Q39ZOIOwZMnFyRadp+5gH1bFdjmb+Pgxe+j5XOwaTg= +github.com/DataDog/datadog-go/v5 v5.3.0/go.mod h1:XRDJk1pTc00gm+ZDiBKsjh7oOOtJfYfglVCmFb8C2+Q= +github.com/DataDog/go-libddwaf v1.5.0/go.mod h1:Fpnmoc2k53h6desQrH1P0/gR52CUzkLNFugE5zWwUBQ= +github.com/DataDog/go-tuf v1.0.2-0.5.2/go.mod h1:zBcq6f654iVqmkk8n2Cx81E1JnNTMOAx1UEO/wZR+P0= +github.com/DataDog/sketches-go v1.4.2/go.mod h1:xJIXldczJyyjnbDop7ZZcLxJdV3+7Kra7H1KMgpgkLk= +github.com/ExpediaDotCom/haystack-client-go v0.0.0-20190315171017-e7edbdf53a61/go.mod h1:62qWSDaEI0BLykU+zQza5CAKgW0lOy9oBSz3/DvYz4w= +github.com/HdrHistogram/hdrhistogram-go v1.1.2/go.mod h1:yDgFjdqOqDEKOvasDdhWNXYg9BVp4O+o5f6V/ehm6Oo= github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= +github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ= github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBaRMhvYXJNkGuM= +github.com/Microsoft/go-winio v0.6.1/go.mod 
h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM= +github.com/Microsoft/hcsshim v0.11.4/go.mod h1:smjE4dvqPX9Zldna+t5FG3rnoHhaB7QYxPRqGcpAD9w= +github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= +github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c= +github.com/OpenDNS/vegadns2client v0.0.0-20180418235048-a3fa4a771d87/go.mod h1:iGLljf5n9GjT6kc0HBvyI1nOKnGQbNB66VzSNbK5iks= github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/akamai/AkamaiOPEN-edgegrid-golang v1.2.2/go.mod h1:QlXr/TrICfQ/ANa76sLeQyhAJyNR9sEcfNuZBkY9jgY= +github.com/alecthomas/kingpin/v2 v2.3.2/go.mod h1:0gyi0zQnjuFk8xrkNKamJoyUo382HRL7ATRpFZCw6tE= +github.com/alecthomas/kingpin/v2 v2.4.0/go.mod h1:0gyi0zQnjuFk8xrkNKamJoyUo382HRL7ATRpFZCw6tE= +github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137/go.mod h1:OMCwj8VM1Kc9e19TLln2VL61YJF0x1XFtfdL4JdbSyE= +github.com/aliyun/alibaba-cloud-sdk-go v1.61.1755/go.mod h1:RcDobYh8k5VP6TNybz9m++gL3ijVI5wueVr0EM10VsU= +github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129/go.mod h1:rFgpPQZYZ8vdbc+48xibu8ALc3yeyd64IhHS+PU6Yyg= +github.com/andybalholm/brotli v1.0.6/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig= +github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df/go.mod h1:pSwJ0fSY5KhvocuWSx4fz3BA8OrA1bQn+K1Eli3BRwM= +github.com/armon/go-metrics v0.4.1/go.mod h1:E6amYzXo6aW1tqzoZGT755KkbgrJsSdpwZ+3JqfkOG4= github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= +github.com/armon/go-radix v1.0.1-0.20221118154546-54df44f2176c/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= +github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= 
github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= -github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= +github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= +github.com/aws/aws-sdk-go-v2 v1.24.1/go.mod h1:LNh45Br1YAkEKaAqvmE1m8FUx6a5b/V0oAKV7of29b4= +github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.5.4/go.mod h1:usURWEKSNNAcAZuzRn/9ZYPT8aZQkR7xcCtunK/LkJo= +github.com/aws/aws-sdk-go-v2/config v1.26.6/go.mod h1:uKU6cnDmYCvJ+pxO9S4cWDb2yWWIH5hra+32hVh1MI4= +github.com/aws/aws-sdk-go-v2/credentials v1.16.16/go.mod h1:UHVZrdUsv63hPXFo1H7c5fEneoVo9UXiz36QG1GEPi0= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11/go.mod h1:cRrYDYAMUohBJUtUnOhydaMHtiK/1NZ0Otc9lIb6O0Y= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10/go.mod h1:6BkRjejp/GR4411UGqkX8+wFMbFbqsUIimfK4XjOKR4= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10/go.mod h1:6UV4SZkVvmODfXKql4LCbaZUpF7HO2BX38FgBf9ZOLw= +github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3/go.mod h1:6fQQgfuGmw8Al/3M2IgIllycxV7ZW7WCdVSqfBeUiCY= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.2.10/go.mod h1:FHbKWQtRBYUz4vO5WBWjzMD2by126ny5y/1EoaWoLfI= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4/go.mod h1:2aGXHFmbInwgP9ZfpmdIfOELL79zhdNYNmReK8qDfdQ= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.2.10/go.mod h1:byqfyxJBshFk0fF9YmK0M0ugIO8OWjzH2T3bPG4eGuA= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10/go.mod h1:wohMUQiFdzo0NtxbBg0mSRGZ4vL3n0dKjLTINdcIino= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.16.10/go.mod h1:jMx5INQFYFYB3lQD9W0D8Ohgq6Wnl7NYOJ2TQndbulI= +github.com/aws/aws-sdk-go-v2/service/lightsail v1.34.0/go.mod h1:35MKNS46RX7Lb9EIFP2bPy3WrJu+bxU6QgLis8K1aa4= +github.com/aws/aws-sdk-go-v2/service/route53 v1.37.0/go.mod 
h1:8qqfpG4mug2JLlEyWPSFhEGvJiaZ9iPmMDDMYc5Xtas= +github.com/aws/aws-sdk-go-v2/service/s3 v1.48.1/go.mod h1:4qXHrG1Ne3VGIMZPCB8OjH/pLFO94sKABIusjh0KWPU= +github.com/aws/aws-sdk-go-v2/service/sso v1.18.7/go.mod h1:+mJNDdF+qiUlNKNC3fxn74WWNN+sOiGOEImje+3ScPM= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7/go.mod h1:ykf3COxYI0UJmxcfcxcVuz7b6uADi1FkiUz6Eb7AgM8= +github.com/aws/aws-sdk-go-v2/service/sts v1.26.7/go.mod h1:6h2YuIoxaMSCFf5fi1EgZAwdfkGMgDY+DVfa61uLe4U= +github.com/aws/smithy-go v1.19.0/go.mod h1:NukqUGpCZIILqqiV0NIjeFh24kd/FAa4beRb6nbIUPE= +github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= +github.com/bytedance/sonic v1.10.0/go.mod h1:iZcSUejdk5aukTND/Eu/ivjQuEL0Cu9/rf50Hi0u/g4= +github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEet03Pg2g16Swow4= github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= +github.com/chromedp/cdproto v0.0.0-20230802225258-3cf4e6d46a89/go.mod h1:GKljq0VrfU4D5yc+2qA6OVr8pmO/MBbPEWqWQ/oqGEs= +github.com/chromedp/chromedp v0.9.2/go.mod h1:LkSXJKONWTCHAfQasKFUZI+mxqS4tZqhmtGzzhLsnLs= +github.com/chromedp/sysutil v1.0.0/go.mod h1:kgWmDdq8fTzXYcKIBqIYvRRTnYb9aNS9moAV0xufSww= +github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= +github.com/chzyer/readline v1.5.1/go.mod h1:Eh+b79XXUwfKfcPLepksvw2tcLE/Ct21YObkaSkeBlk= +github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/civo/civogo v0.3.11/go.mod h1:7+GeeFwc4AYTULaEshpT2vIcl3Qq8HPoxA17viX3l6g= +github.com/cloudflare/cloudflare-go v0.86.0/go.mod h1:wYW/5UP02TUfBToa/yKbQHV+r6h1NnJ1Je7XjuGM4Jw= +github.com/containerd/containerd v1.7.11/go.mod h1:5UluHxHTX2rdvYuZ5OJTC5m/KJNs0Zs9wVoJm9zf5ZE= +github.com/containerd/containerd v1.7.12/go.mod h1:/5OMpE1p0ylxtEUGY8kuCYkDRzJm9NO1TFMWjUpdevk= +github.com/containerd/log v0.1.0/go.mod 
h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= +github.com/containous/alice v0.0.0-20181107144136-d83ebdd94cbd/go.mod h1:BbQgeDS5i0tNvypwEoF1oNjOJw8knRAE1DnVvjDstcQ= github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec= +github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= +github.com/cpu/goacmedns v0.1.1/go.mod h1:MuaouqEhPAHxsbqjgnck5zeghuwBP1dLnPoobeGqugQ= +github.com/cpuguy83/dockercfg v0.3.1/go.mod h1:sugsbF4//dDlL/i+S+rtpIWp+5h0BHJHfjj5/jFyUJc= +github.com/deepmap/oapi-codegen v1.9.1/go.mod h1:PLqNAhdedP8ttRpBBkzLKU3bp+Fpy+tTgeAMlztR2cw= +github.com/desertbit/timer v0.0.0-20180107155436-c41aec40b27f/go.mod h1:xH/i4TFMt8koVQZ6WFms69WAsDWr2XsYL3Hkl7jkoLE= +github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc= github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE= +github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= +github.com/dnsimple/dnsimple-go v1.2.0/go.mod h1:z/cs26v/eiRvUyXsHQBLd8lWF8+cD6GbmkPH84plM4U= +github.com/docker/cli v24.0.9+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= +github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= +github.com/docker/docker v24.0.9+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v25.0.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= 
+github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc= +github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= +github.com/donovanhide/eventsource v0.0.0-20170630084216-b8f31a59085e/go.mod h1:56wL82FO0bfMU5RvfXoIwSOP2ggqqxT+tAfNEIyxuHw= +github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= +github.com/ebitengine/purego v0.5.0-alpha.1/go.mod h1:ah1In8AOtksoNK6yk5z1HTJeUkC1Ez4Wk2idgGslMwQ= +github.com/elastic/go-sysinfo v1.7.1/go.mod h1:i1ZYdU10oLNfRzq4vq62BEwD2fH8KaWh6eh0ikPT9F0= +github.com/elastic/go-windows v1.0.0/go.mod h1:TsU0Nrp7/y3+VwE82FoZF8gC/XFg/Elz6CcloAxnPgU= github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= -github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs= +github.com/emicklei/go-restful/v3 v3.8.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/exoscale/egoscale v0.102.3/go.mod h1:RPf2Gah6up+6kAEayHTQwqapzXlm93f0VQas/UEGU5c= +github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw= +github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M= +github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= +github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= +github.com/gambol99/go-marathon v0.0.0-20180614232016-99a156b96fb2/go.mod h1:GLyXJD41gBO/NPKVPGQbhyyC06eugGy15QEZyUkE2/s= +github.com/gin-gonic/gin v1.9.1/go.mod h1:hPrL7YrpYKXt5YId3A/Tnip5kqbEAP+KLuI3SUcPTeU= +github.com/go-kit/log v0.2.1/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0= +github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/stdr v1.2.2/go.mod 
h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= +github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= +github.com/go-openapi/jsonreference v0.20.1/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= +github.com/go-playground/validator/v10 v10.15.1/go.mod h1:9iXMNT7sEkjXb0I+enO7QXmzG6QCsPWY4zveKFVRSyU= +github.com/go-resty/resty/v2 v2.11.0/go.mod h1:iiP/OpA0CkcL3IGt1O0+/SIItFUbkkyw5BGXiVdTu+A= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= +github.com/go-viper/mapstructure/v2 v2.0.0-alpha.1/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM= +github.com/go-zookeeper/zk v1.0.3/go.mod h1:nOB03cncLtlp4t+UAkGSV+9beXP/akpekBwL+UX1Qcw= +github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM= +github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw= +github.com/gobwas/ws v1.2.1/go.mod h1:hRKAFb8wOxFROYNsT1bqfWnhX+b5MFeJM9r2ZSwg/KY= +github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I= +github.com/gofrs/uuid v4.4.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= +github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= +github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/google/cel-go v0.17.8/go.mod h1:HXZKzB0LXqer5lHHgfWAnlYwJaQBDKMjxjulNQzhwhY= +github.com/google/gnostic v0.5.7-v3refs h1:FhTMOKj2VhjpouxvWJAV1TL304uMlb9zcDqkl6cEI54= +github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ= +github.com/google/go-github/v28 v28.1.1/go.mod h1:bsqJWQX05omyWVmc00nEUql9mhQyv38lDZ8kPZcQVoM= github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU= +github.com/google/go-tpm-tools 
v0.3.13-0.20230620182252-4639ecce2aba/go.mod h1:EFYHy8/1y2KfgTAsx7Luu7NGhoxtuVHnNo8jE7FikKc= +github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw= +github.com/google/uuid v1.4.0 h1:MtMxsa51/r9yyhkyLsVeVt0B+BGQZzpQiTQ4eHZ8bc4= +github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0= +github.com/googleapis/gax-go/v2 v2.12.0/go.mod h1:y+aIqrI5eb1YGMVJfuV3185Ts/D7qKpsEkdD5+I6QGU= +github.com/googleapis/google-cloud-go-testing v0.0.0-20210719221736-1c9a4c676720/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g= +github.com/gophercloud/gophercloud v1.0.0/go.mod h1:Q8fZtyi5zZxPS/j9aj3sSxtvj41AdQMDwyo1myduD5c= +github.com/gophercloud/utils v0.0.0-20210216074907-f6de111f2eae/go.mod h1:wx8HMD8oQD0Ryhz6+6ykq75PJ79iPyEqYHfwZ4l7OsA= github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= -github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= +github.com/gravitational/trace v1.1.16-0.20220114165159-14a9a7dd6aaf/go.mod h1:zXqxTI6jXDdKnlf8s+nT+3c8LrwUEy3yNpO4XJL90lA= +github.com/grpc-ecosystem/go-grpc-middleware v1.3.0/go.mod h1:z0ButlSOZa5vEBq9m2m2hlwIgKw+rp3sdCBRoJY+30Y= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0/go.mod h1:YN5jB8ie0yfIUg6VvR9Kz84aCaG7AsGZnLjhHbUqwPg= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.0/go.mod h1:qmOFXW2epJhM0qSnUUYpldc7gVz2KMQwJ/QYCDIa7XU= +github.com/hashicorp/consul/api v1.26.1/go.mod h1:B4sQTeaSO16NtynqrAdwOlahJ7IUDZM9cj2420xYL8A= +github.com/hashicorp/cronexpr v1.1.2/go.mod h1:P4wA0KBl9C5q2hABiMO7cp6jcIg96CDh1Efb3g1PWA4= github.com/hashicorp/errwrap 
v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= +github.com/hashicorp/go-hclog v1.5.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= +github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= +github.com/hashicorp/go-retryablehttp v0.7.5/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8= +github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= +github.com/hashicorp/golang-lru v1.0.2/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/hashicorp/nomad/api v0.0.0-20231213195942-64e3dca9274b/go.mod h1:ijDwa6o1uG1jFSq6kERiX2PamKGpZzTmo0XOFNeFZgw= +github.com/hashicorp/nomad/api v0.0.0-20240122103822-8a4bd61caf74/go.mod h1:ijDwa6o1uG1jFSq6kERiX2PamKGpZzTmo0XOFNeFZgw= +github.com/hashicorp/serf v0.10.1/go.mod h1:yL2t6BqATOLGc5HF7qbFkTfXoPIY0WZdWHfEvMqbG+4= github.com/huandu/xstrings v1.3.3/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= +github.com/huandu/xstrings v1.4.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= github.com/iancoleman/strcase v0.2.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho= -github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= +github.com/iancoleman/strcase v0.3.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho= +github.com/ianlancetaylor/demangle v0.0.0-20240312041847-bd984b5ce465/go.mod h1:gx7rwoVhcfuVKG5uya9Hs3Sxj7EIvldVofAWIUtGouw= +github.com/iij/doapi 
v0.0.0-20190504054126-0bbf12d6d7df/go.mod h1:QMZY7/J/KSQEhKWFeDesPjMj+wCHReeknARU3wqlyN4= +github.com/influxdata/influxdb-client-go/v2 v2.7.0/go.mod h1:Y/0W1+TZir7ypoQZYd2IrnVOKB3Tq6oegAQeSVN/+EU= +github.com/influxdata/line-protocol v0.0.0-20200327222509-2487e7298839/go.mod h1:xaLFMmpvUxqXtVkUJfg9QmT88cDaCJ3ZKgdZ78oO8Qo= +github.com/infobloxopen/infoblox-go-client v1.1.1/go.mod h1:BXiw7S2b9qJoM8MS40vfgCNB2NLHGusk1DtO16BD9zI= +github.com/instana/go-sensor v1.38.3/go.mod h1:E42MelHWFz11qqaLwvgt0j98v2s2O/bq22UDkGaG0Gg= +github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= +github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901/go.mod h1:Z86h9688Y0wesXCyonoVr47MasHilkuLMqGhRZ4Hpak= +github.com/jonboulle/clockwork v0.4.0/go.mod h1:xgRqUGwRcjKCO1vbZUEtSLrqKoPSsUpK7fnezOII0kc= github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= +github.com/k0kubun/go-ansi v0.0.0-20180517002512-3bf9e2903213/go.mod h1:vNUNkEQ1e29fT/6vq2aBdFsgNPmy8qMdSay1npru+Sw= +github.com/klauspost/compress v1.17.2/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= +github.com/klauspost/cpuid/v2 v2.2.5/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws= +github.com/kolo/xmlrpc v0.0.0-20220921171641-a4b6fa1dd06b/go.mod h1:pcaDhQK0/NJZEvtCO0qQPPropqV0sJOJ6YW7X+9kRwM= +github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg= +github.com/kvtools/consul v1.0.2/go.mod h1:bFnzfGJ5ZIRRXCBGBmwhJlLdEWOlrjOcS1WjyAQzaJA= +github.com/kvtools/etcdv3 v1.0.2/go.mod h1:Xr6DbwqjuCEcXAIWmXxw0DX+N5BhuvablXgN90XeqMM= +github.com/kvtools/redis v1.1.0/go.mod h1:cqg3esJOIYMQ1qy5LVIbPZz9kuiBBcFREP2N5b9+Dn0= +github.com/kvtools/valkeyrie v1.0.0/go.mod h1:bDi/OdhJCSbGPMsCgUQl881yuEweKCSItAtTBI+ZjpU= +github.com/kvtools/zookeeper v1.0.2/go.mod h1:6TfxUwJ7IuBk5srgnoe528W0ftanNECHgOiShx/t0Aw= +github.com/kylelemons/godebug 
v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= +github.com/labbsr0x/bindman-dns-webhook v1.0.2/go.mod h1:p6b+VCXIR8NYKpDr8/dg1HKfQoRHCdcsROXKvmoehKA= +github.com/labbsr0x/goh v1.0.1/go.mod h1:8K2UhVoaWXcCU7Lxoa2omWnC8gyW8px7/lmO61c027w= +github.com/linode/linodego v1.28.0/go.mod h1:5oAsx+uinHtVo6U77nXXXtox7MWzUW6aEkTOKXxA9uo= +github.com/liquidweb/liquidweb-cli v0.6.9/go.mod h1:cE1uvQ+x24NGUL75D0QagOFCG8Wdvmwu8aL9TLmA/eQ= +github.com/liquidweb/liquidweb-go v1.6.4/go.mod h1:B934JPIIcdA+uTq2Nz5PgOtG6CuCaEvQKe/Ge/5GgZ4= +github.com/looplab/fsm v0.1.0/go.mod h1:m2VaOfDHxqXBBMgc26m6yUOwkFn8H2AlJDE+jd/uafI= +github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I= github.com/lyft/protoc-gen-star/v2 v2.0.3/go.mod h1:amey7yeodaJhXSbf/TlLvWiqQfLOSpEk//mLlc+axEk= +github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0= +github.com/mailgun/minheap v0.0.0-20170619185613-3dbe6c6bf55f/go.mod h1:V3EvCedtJTvUYzJF2GZMRB0JMlai+6cBu3VCTQz33GQ= +github.com/mailgun/multibuf v0.1.2/go.mod h1:E+sUhIy69qgT6EM57kCPdUTlHnjTuxQBO/yf6af9Hes= +github.com/mailgun/timetools v0.0.0-20141028012446-7e6055773c51/go.mod h1:RYmqHbhWwIz3z9eVmQ2rx82rulEMG0t+Q1bzfc9DYN4= +github.com/mailgun/ttlmap v0.0.0-20170619185759-c1c17f74874f/go.mod h1:8heskWJ5c0v5J9WH89ADhyal1DOZcayll8fSbhB+/9A= +github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo= +github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= +github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k= +github.com/mimuret/golang-iij-dpf v0.9.1/go.mod h1:sl9KyOkESib9+KRD3HaGpgi1xk7eoN2+d96LCLsME2M= +github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw= +github.com/mitchellh/copystructure v1.2.0/go.mod 
h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg= +github.com/mitchellh/hashstructure v1.0.0/go.mod h1:QjSHrPWS+BGUVBYkbTZWEnOh3G1DutKwClXU/ABz6AQ= +github.com/mitchellh/reflectwalk v1.0.1/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= +github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= +github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc= +github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c= +github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo= +github.com/moby/sys/user v0.1.0/go.mod h1:fKJhFOnsCN6xZ5gSfbM6zaHGgDJMrqt9/reuj4T7MmU= +github.com/moby/term v0.0.0-20221205130635-1aeaba878587 h1:HfkjXDfhgVaN5rmueG8cL8KKeFNecRCXFhaJ2qZ5SKA= +github.com/moby/term v0.0.0-20221205130635-1aeaba878587/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= +github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= +github.com/namedotcom/go v0.0.0-20180403034216-08470befbe04/go.mod h1:5sN+Lt1CaY4wsPvgQH/jsuJi4XO2ssZbdsIizr4CVC8= +github.com/natefinch/lumberjack v0.0.0-20201021141957-47ffae23317c/go.mod h1:tanojtwrLPxkEzT+bGGz9kb6bm8+yVwgAE44c3v1Au4= +github.com/nrdcg/auroradns v1.1.0/go.mod h1:O7tViUZbAcnykVnrGkXzIJTHoQCHcgalgAe6X1mzHfk= +github.com/nrdcg/bunny-go v0.0.0-20230728143221-c9dda82568d9/go.mod h1:HUoHXDrFvidN1NK9Wb/mZKNOfDNutKkzF2Pg71M9hHA= 
+github.com/nrdcg/desec v0.7.0/go.mod h1:e1uRqqKv1mJdd5+SQROAhmy75lKMphLzWIuASLkpeFY= +github.com/nrdcg/dnspod-go v0.4.0/go.mod h1:vZSoFSFeQVm2gWLMkyX61LZ8HI3BaqtHZWgPTGKr6KQ= +github.com/nrdcg/freemyip v0.2.0/go.mod h1:HjF0Yz0lSb37HD2ihIyGz9esyGcxbCrrGFLPpKevbx4= +github.com/nrdcg/goinwx v0.10.0/go.mod h1:mnMSTi7CXBu2io4DzdOBoGFA1XclD0sEPWJaDhNgkA4= +github.com/nrdcg/mailinabox v0.2.0/go.mod h1:0yxqeYOiGyxAu7Sb94eMxHPIOsPYXAjTeA9ZhePhGnc= +github.com/nrdcg/namesilo v0.2.1/go.mod h1:lwMvfQTyYq+BbjJd30ylEG4GPSS6PII0Tia4rRpRiyw= +github.com/nrdcg/nodion v0.1.0/go.mod h1:inbuh3neCtIWlMPZHtEpe43TmRXxHV6+hk97iCZicms= +github.com/nrdcg/porkbun v0.3.0/go.mod h1:jh1DKz96jGHW+NCdG3AmTbbnQeBlNUz1KeSgeN/cBVw= +github.com/nzdjb/go-metaname v1.0.0/go.mod h1:0GR0LshZax1Lz4VrOrfNSE4dGvTp7HGjiemdczXT2H4= +github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= +github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= +github.com/onsi/ginkgo/v2 v2.1.4/go.mod h1:um6tUpWM/cxCK3/FK8BXqEiUMUwRgSM4JXG47RKZmLU= +github.com/onsi/ginkgo/v2 v2.13.2/go.mod h1:XStQ8QcGwLyF4HdfcZB8SFOS/MWCgDuXMSBe6zrvLgM= +github.com/onsi/ginkgo/v2 v2.17.1 h1:V++EzdbhI4ZV4ev0UTIj0PzhzOcReJFyJaLjtSF55M8= +github.com/onsi/ginkgo/v2 v2.17.2 h1:7eMhcy3GimbsA3hEnVKdw/PQM9XN9krpKVXsZdph0/g= +github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro= +github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= +github.com/onsi/gomega v1.32.0 h1:JRYU78fJ1LPxlckP6Txi/EYqJvjtMrDC04/MM5XRHPk= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= -github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= -github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= +github.com/opencontainers/image-spec v1.1.0-rc5/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8= 
+github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= +github.com/opencontainers/runc v1.1.7/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50= +github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc= +github.com/oracle/oci-go-sdk v24.3.0+incompatible/go.mod h1:VQb79nF8Z2cwLkLS35ukwStZIg5F66tcBccjip/j888= +github.com/outcaste-io/ristretto v0.2.3/go.mod h1:W8HywhmtlopSB1jeMg3JtdIhf+DYkLAr0VN/s4+MHac= +github.com/ovh/go-ovh v1.4.3/go.mod h1:AkPXVtgwB6xlKblMjRKJJmjRp+ogrE7fz2lVgcQY8SY= +github.com/philhofer/fwd v1.1.2/go.mod h1:qkPdfjR2SIEbspLqpe1tO4n5yICnr2DY7mqEx2tUTP0= +github.com/pires/go-proxyproto v0.6.1/go.mod h1:Odh9VFOZJCf9G8cLW5o435Xf1J95Jw9Gw5rnCjcwzAY= +github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI= +github.com/pkg/sftp v1.13.6/go.mod h1:tz1ryNURKu77RL+GuCzmoJYxQczL3wLNNpPWagdg4Qk= +github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE= +github.com/pquerna/otp v1.4.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg= +github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1Knj9A= +github.com/quic-go/quic-go v0.42.0/go.mod h1:132kz4kL3F9vxhW3CtQJLDVwcFe5wdWeJXXijhsO57M= +github.com/rainycape/memcache v0.0.0-20150622160815-1031fa0ce2f2/go.mod h1:7tZKcyumwBO6qip7RNQ5r77yrssm9bfCowcLEBcU5IA= +github.com/rancher/go-rancher-metadata v0.0.0-20200311180630-7f4c936a06ac/go.mod h1:67sLWL17mVlO1HFROaTBmU71NB4R8UNCesFHhg0f6LQ= +github.com/redis/go-redis/v9 v9.2.1/go.mod h1:hdY0cQFCN4fnSYT6TkisLufl/4W5UIXyv0b/CLO2V2M= +github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= +github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU= +github.com/sacloud/api-client-go v0.2.8/go.mod h1:0CV/kWNYlS1hCNdnk6Wx7Wdg8DPFCnv0zOIzdXjeAeY= +github.com/sacloud/go-http 
v0.1.6/go.mod h1:oLAHoDJRkptf8sq4fE8oERLkdCh0kJWfWu+paoJY7I0= +github.com/sacloud/iaas-api-go v1.11.1/go.mod h1:uBDSa06F/V0OnoR66jGdbH0PVnCJw+NeE9RVbVgMfss= +github.com/sacloud/packages-go v0.0.9/go.mod h1:k+EEUMF2LlncjbNIJNOqLyZ9wjTESPIWIk1OA7x9j2Q= +github.com/scaleway/scaleway-sdk-go v1.0.0-beta.22/go.mod h1:fCa7OJZ/9DRTnOKmxvT6pn+LPWUptQAmHF/SBJUGEcg= +github.com/secure-systems-lab/go-securesystemslib v0.7.0/go.mod h1:/2gYnlnHVQ6xeGtfIqFy7Do03K4cdCY0A/GlJLDKLHI= +github.com/segmentio/fasthash v1.0.3/go.mod h1:waKX8l2N8yckOgmSsXJi7x1ZfdKZ4x7KRMzBtS3oedY= +github.com/shirou/gopsutil/v3 v3.23.11/go.mod h1:1FrWgea594Jp7qmjHUUPlJDTPgcsb9mGnXDxavtikzM= +github.com/shirou/gopsutil/v3 v3.23.12/go.mod h1:1FrWgea594Jp7qmjHUUPlJDTPgcsb9mGnXDxavtikzM= +github.com/shoenig/go-m1cpu v0.1.6/go.mod h1:1JJMcUBvfNwpq05QDQVAnx3gUHr9IYF7GNg9SUEw2VQ= github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= +github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/smartystreets/assertions v1.0.1/go.mod h1:kHHU4qYBaI3q23Pp3VPrmWhuIUrLW/7eUrw0BU5VaoM= +github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9/go.mod h1:SnhjPscd9TpLiy1LpzGSKh3bXCfxxXuqd9xmQJy3slM= +github.com/softlayer/softlayer-go v1.1.3/go.mod h1:Pc7F57OgUKaAam7TtpqkUeqL7QyKknfiUI4R49h41/U= +github.com/softlayer/xmlrpc v0.0.0-20200409220501-5f089df7cb7e/go.mod h1:fKZCUVdirrxrBpwd9wb+lSoVixvpwAu8eHzbQB2tums= +github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0= github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= -github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/spf13/cast v1.5.0/go.mod h1:SpXXQ5YoyJw6s3/6cMTQuxvgRl3PCJiyaX9p6b155UU= +github.com/spiffe/go-spiffe/v2 v2.1.1/go.mod h1:5qg6rpqlwIub0JAiF1UK9IMD6BpPTmvG6yfSgDBs5lg= +github.com/stoewer/go-strcase v1.2.0/go.mod 
h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= +github.com/stvp/go-udp-testing v0.0.0-20191102171040-06b61409b154/go.mod h1:7jxmlfBCDBXRzr0eAQJ48XC1hBu1np4CS5+cHEYfwpc= +github.com/tailscale/tscert v0.0.0-20220316030059-54bbcb9f74e2/go.mod h1:hL4gB6APAasMR2NNi/JHzqKkxW3EPQlFgLEq9PMi2t0= +github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.490/go.mod h1:7sCQWVkxcsR38nffDW057DRGk8mUjK1Ing/EFOK8s8Y= +github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dnspod v1.0.490/go.mod h1:l9q4vc1QiawUB1m3RU+87yLvrrxe54jc0w/kEl4DbSQ= +github.com/testcontainers/testcontainers-go v0.27.0/go.mod h1:+HgYZcd17GshBUZv9b+jKFJ198heWPQq3KQIp2+N+7U= +github.com/testcontainers/testcontainers-go v0.30.0/go.mod h1:K+kHNGiM5zjklKjgTtcrEetF3uhWbMUyqAQoyoh8Pf0= +github.com/testcontainers/testcontainers-go/modules/k3s v0.30.0/go.mod h1:CNnA3717kbp5wRxz+gU/cAwX6+4+OOispIsjHmKsEWQ= +github.com/tetratelabs/wazero v1.5.0/go.mod h1:0U0G41+ochRKoPKCJlh0jMg1CHkyfK8kDqiirMmKY8A= +github.com/tinylib/msgp v1.1.8/go.mod h1:qkpG+2ldGg4xRFmx+jfTvZPxfGFhi64BcnL9vkCm/Tw= +github.com/tklauser/go-sysconf v0.3.12/go.mod h1:Ho14jnntGE1fpdOqQEEaiKRpvIavV0hSfmBq8nJbHYI= +github.com/tklauser/numcpus v0.6.1/go.mod h1:1XfjsgE2zo8GVw7POkMbHENHzVg3GzmoZ9fESEdAacY= +github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk= +github.com/traefik/grpc-web v0.16.0/go.mod h1:2ttniSv7pTgBWIU2HZLokxRfFX3SA60c/DTmQQgVml4= +github.com/traefik/yaegi v0.16.1/go.mod h1:4eVhbPb3LnD2VigQjhYbEJ69vDRFdT2HQNrXx8eEwUY= +github.com/transip/gotransip/v6 v6.23.0/go.mod h1:nzv9eN2tdsUrm5nG5ZX6AugYIU4qgsMwIn2c0EZLk8c= +github.com/uber/jaeger-client-go v2.30.0+incompatible/go.mod h1:WVhlPFC8FDjOFMMWRy2pZqQJSXxYSwNYOkTr/Z6d3Kk= +github.com/uber/jaeger-lib v2.2.0+incompatible/go.mod h1:ComeNDZlWwrWnDv8aPp0Ba6+uUTzImX/AauajbLI56U= +github.com/ultradns/ultradns-go-sdk v1.6.1-20231103022937-8589b6a/go.mod h1:Xwz7o+ExFtxR/i0aJDnTXuiccQJlOxDgNe6FsZC4TzQ= 
+github.com/unrolled/render v1.0.2/go.mod h1:gN9T0NhL4Bfbwu8ann7Ry/TGHYfosul+J0obPf6NBdM= +github.com/unrolled/secure v1.0.9/go.mod h1:fO+mEan+FLB0CdEnHf6Q4ZZVNqG+5fuLFnP8p0BXDPI= +github.com/urfave/cli/v2 v2.27.1/go.mod h1:8qnjx1vcq5s2/wpsqoZFndg2CE5tNFyrTvS6SinrnYQ= +github.com/vinyldns/go-vinyldns v0.9.16/go.mod h1:5qIJOdmzAnatKjurI+Tl4uTus7GJKJxb+zitufjHs3Q= +github.com/vulcand/oxy/v2 v2.0.0-20230427132221-be5cf38f3c1c/go.mod h1:A2voDnpONyqdplUDK0lt5y4XHLiBXPBw7iQES8+ZWRw= +github.com/vulcand/predicate v1.2.0/go.mod h1:VipoNYXny6c8N381zGUWkjuuNHiRbeAZhE7Qm9c+2GA= +github.com/vultr/govultr/v2 v2.17.2/go.mod h1:ZFOKGWmgjytfyjeyAdhQlSWwTjh2ig+X49cAp50dzXI= github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y= -github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= -github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= -golang.org/x/exp v0.0.0-20221205204356-47842c84f3db/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc= +github.com/xhit/go-str2duration/v2 v2.1.0/go.mod h1:ohY8p+0f07DiV6Em5LKB0s2YpLtXVyJfNt1+BlmyAsU= +github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673/go.mod h1:N3UwUGtsrSj3ccvlPHLoLsHnpR27oXr4ZE984MbSER8= +github.com/yandex-cloud/go-genproto v0.0.0-20220805142335-27b56ddae16f/go.mod h1:HEUYX/p8966tMUHHT+TsS0hF/Ca/NYwqprC5WXSDMfE= +github.com/yandex-cloud/go-sdk v0.0.0-20220805164847-cf028e604997/go.mod h1:2CHKs/YGbCcNn/BPaCkEBwKz/FNCELi+MLILjR9RaTA= +github.com/yusufpapurcu/wmi v1.2.3/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0= +github.com/zeebo/errs v1.2.2/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4= +go.elastic.co/apm/module/apmhttp/v2 v2.4.8/go.mod h1:FzO5ptAs5oKB3xE1/hpxMA0a7mLIycp2RZdBtp4+uTA= +go.elastic.co/apm/module/apmot/v2 v2.4.8/go.mod 
h1:3LJ0l0GUB03m4tKOOPddFr/N9LVwH5iBI1Joha/BAyE= +go.elastic.co/apm/v2 v2.4.8/go.mod h1:+CiBUdrrAGnGCL9TNx7tQz3BrfYV23L8Ljvotoc87so= +go.elastic.co/fastjson v1.1.0/go.mod h1:boNGISWMjQsUPy/t6yqt2/1Wx4YNPSe+mZjlyw9vKKI= +go.etcd.io/bbolt v1.3.8/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw= +go.etcd.io/etcd/api/v3 v3.5.10/go.mod h1:TidfmT4Uycad3NM/o25fG3J07odo4GBB9hoxaodFCtI= +go.etcd.io/etcd/client/pkg/v3 v3.5.10/go.mod h1:DYivfIviIuQ8+/lCq4vcxuseg2P2XbHygkKwFo9fc8U= +go.etcd.io/etcd/client/v2 v2.305.10/go.mod h1:m3CKZi69HzilhVqtPDcjhSGp+kA1OmbNn0qamH80xjA= +go.etcd.io/etcd/client/v3 v3.5.10/go.mod h1:RVeBnDz2PUEZqTpgqwAtUd8nAPf5kjyFyND7P1VkOKc= +go.etcd.io/etcd/pkg/v3 v3.5.10/go.mod h1:TKTuCKKcF1zxmfKWDkfz5qqYaE3JncKKZPFf8c1nFUs= +go.etcd.io/etcd/raft/v3 v3.5.10/go.mod h1:odD6kr8XQXTy9oQnyMPBOr0TVe+gT0neQhElQ6jbGRc= +go.etcd.io/etcd/server/v3 v3.5.10/go.mod h1:gBplPHfs6YI0L+RpGkTQO7buDbHv5HJGG/Bst0/zIPo= +go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= +go.opentelemetry.io/collector/pdata v1.2.0/go.mod h1:mKXb6527Syb8PT4P9CZOJNbkuHOHjjGTZNNwSKESJhc= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.42.0/go.mod h1:5z+/ZWJQKXa9YT34fQNx5K8Hd1EoIhvtUygUQPqEOgQ= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.44.0/go.mod h1:SeQhzAEccGVZVEy7aH87Nh0km+utSpo1pTv6eMMop48= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0/go.mod h1:p8pYQP+m5XfbZm9fxtSKAbM6oIllS7s2AfxrChvc7iw= +go.opentelemetry.io/contrib/propagators/autoprop v0.49.0/go.mod h1:aZTdrjEnMOr6ODgjCQ955njFMLRDo1IJdTNS+agSPjA= +go.opentelemetry.io/contrib/propagators/aws v1.24.0/go.mod h1:7HbFx8Hiiuce72QONjbOtU+3QU+Scs9VOHZIrdmi1rw= +go.opentelemetry.io/contrib/propagators/b3 v1.24.0/go.mod h1:k5wRxKRU2uXx2F8uNJ4TaonuEO/V7/5xoz7kdsDACT8= +go.opentelemetry.io/contrib/propagators/jaeger v1.24.0/go.mod h1:Q5JA/Cfdy/ta+5VeEhrMJRWGyS6UNRwFbl+yS3W1h5I= +go.opentelemetry.io/contrib/propagators/ot v1.24.0/go.mod 
h1:A406hNQ7A0EWsOFzWI1p53YaYQXe12C9f6wGHUxfh0g= +go.opentelemetry.io/otel v1.19.0/go.mod h1:i0QyjOq3UPoTzff0PJB2N66fb4S0+rSbSB15/oyH9fY= +go.opentelemetry.io/otel v1.24.0/go.mod h1:W7b9Ozg4nkF5tWI5zsXkaKKDjdVjpD4oAt9Qi/MArHo= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.24.0/go.mod h1:B+bcQI1yTY+N0vqMpoZbEN7+XU4tNM0DmUiOwebFJWI= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.24.0/go.mod h1:0PrIIzDteLSmNyxqcGYRL4mDIo8OTuBAOI/Bn1URxac= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0/go.mod h1:IPtUMKL4O3tH5y+iXVyAXqpAwMuzC1IrxVS81rummfE= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.24.0/go.mod h1:iSDOcsnSA5INXzZtwaBPrKp/lWu/V14Dd+llD0oI2EA= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.19.0/go.mod h1:0+KuTDyKL4gjKCF75pHOX4wuzYDUZYfAQdSu43o+Z2I= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.24.0/go.mod h1:CQNu9bj7o7mC6U7+CA/schKEYakYXWr79ucDHTMGhCM= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.24.0/go.mod h1:6KW1Fm6R/s6Z3PGXwSJN2K4eT6wQB3vXX6CVnYX9NmM= +go.opentelemetry.io/otel/metric v1.19.0/go.mod h1:L5rUsV9kM1IxCj1MmSdS+JQAcVm319EUrDVLrt7jqt8= +go.opentelemetry.io/otel/metric v1.24.0/go.mod h1:VYhLe1rFfxuTXLgj4CBiyz+9WYBA8pNGJgDcSFRKBco= +go.opentelemetry.io/otel/sdk v1.19.0/go.mod h1:NedEbbS4w3C6zElbLdPJKOpJQOrGUJ+GfzpjUvI0v1A= +go.opentelemetry.io/otel/sdk v1.24.0/go.mod h1:KVrIYw6tEubO9E96HQpcmpTKDVn9gdv35HoYiQWGDFg= +go.opentelemetry.io/otel/sdk/metric v1.24.0/go.mod h1:I6Y5FjH6rvEnTTAYQz3Mmv2kl6Ek5IIrmwTLqMrrOE0= +go.opentelemetry.io/otel/trace v1.19.0/go.mod h1:mfaSyvGyEJEI0nyV2I4qhNQnbBOUUmYZpYojqMnX2vo= +go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU= +go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM= +go.opentelemetry.io/proto/otlp v1.1.0/go.mod h1:GpBHCBWiqvVLDqmHZsoMM3C5ySeKTC7ej/RNTae6MdY= +go.uber.org/atomic v1.11.0 
h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= +go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= +go.uber.org/mock v0.4.0/go.mod h1:a6FSlNadKUHUa9IP5Vyt1zh4fC7uAwxMutEAscFbkZc= +go.uber.org/ratelimit v0.2.0/go.mod h1:YYBV4e4naJvhpitQrWJu1vCpgB7CboMe0qhltKt6mUg= +go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo= +go4.org/intern v0.0.0-20230525184215-6c62f75575cb/go.mod h1:Ycrt6raEcnF5FTsLiLKkhBTO6DPX3RCUCUVnks3gFJU= +go4.org/unsafe/assume-no-moving-gc v0.0.0-20230525183740-e7c30c78aeb2/go.mod h1:FftLjUGFEDu5k8lt0ddY+HcrH/qU/0qk+H8j9/nTl3E= +golang.org/x/arch v0.4.0/go.mod h1:5om86z9Hs0C8fWVUuoMHwpExlXzs5Tkyp9hOrfG7pp8= golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U= golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= -gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/telemetry v0.0.0-20240208230135-b75ee8823808/go.mod h1:KG1lNk5ZFNssSZLrpVb4sMXKMpGwGXOxSG3rnu2gZQQ= +golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE= +golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58= +golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg= +golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0= +golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= +google.golang.org/api 
v0.152.0/go.mod h1:3qNJX5eOmhiWYc67jRA/3GsDw97UFb5ivv7Y2PrriAY= +google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds= +google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17/go.mod h1:J7XzRzVy1+IPwWHZUzoD0IccYZIrXILAQpc+Qy9CMhY= +google.golang.org/genproto v0.0.0-20231212172506-995d672761c0/go.mod h1:l/k7rMz0vFTBPy+tFSGvXEd3z+BcoG1k7EHbqm+YBsY= +google.golang.org/genproto/googleapis/api v0.0.0-20231106174013-bbf56f31fb17/go.mod h1:0xJLfVdJqpAPl8tDg1ujOCGzx6LFLttXT5NhllGOXY4= +google.golang.org/genproto/googleapis/api v0.0.0-20240102182953-50ed04b92917/go.mod h1:CmlNWB9lSezaYELKS5Ym1r44VrrbPUa7JTvw+6MbpJ0= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231120223509-83a465c0220f/go.mod h1:L9KNLi232K1/xB6f7AlSX692koaRnKaWSR0stBki0Yc= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240102182953-50ed04b92917/go.mod h1:xtjpI3tXFPP051KaWnhvxkiubL/6dJ18vLVf7q2pTOU= +google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98= +google.golang.org/grpc v1.61.1/go.mod h1:VUbo7IFqmF1QtCAstipjG0GIoq49KvMe9+h1jFLBNJs= +google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +gopkg.in/DataDog/dd-trace-go.v1 v1.56.1/go.mod h1:KDLJ3CWVOSuVVwu+0ZR5KZo2rP6c7YyBV3v387dIpUU= +gopkg.in/h2non/gock.v1 v1.0.16/go.mod h1:XVuDAssexPLwgxCLMvDTWNU5eqklsydR6I5phZ9oPB8= +gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= +gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc= +gopkg.in/ns1/ns1-go.v2 v2.7.13/go.mod h1:pfaU0vECVP7DIOr453z03HXS6dFJpXdNRwOyRzwmPSc= +gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= +gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 
+howett.net/plist v0.0.0-20181124034731-591f970eefbb/go.mod h1:vMygbs4qMhSZSc4lCUl2OEE+rDiIIJAIdR4m7MiMcm0= +inet.af/netaddr v0.0.0-20230525184311-b8eac61e914a/go.mod h1:e83i32mAQOW1LAqEIweALsuK2Uw4mhQadA5r7b0Wobo= +k8s.io/apiserver v0.30.0/go.mod h1:smOIBq8t0MbKZi7O7SyIpjPsiKJ8qa+llcFCluKyqiY= +k8s.io/code-generator v0.30.0/go.mod h1:mBMZhfRR4IunJUh2+7LVmdcWwpouCH5+LNPkZ3t/v7Q= k8s.io/component-base v0.26.1 h1:4ahudpeQXHZL5kko+iDHqLj/FSGAEUnSVO0EBbgDd+4= +k8s.io/component-base v0.30.0 h1:cj6bp38g0ainlfYtaOQuRELh5KSYjhKxM+io7AUIk4o= +k8s.io/component-base v0.30.0/go.mod h1:V9x/0ePFNaKeKYA3bOvIbrNoluTSG+fSJKjLdjOoeXQ= +k8s.io/gengo/v2 v2.0.0-20240228010128-51d4e06bde70/go.mod h1:VH3AT8AaQOqiGjMF9p0/IM1Dj+82ZwjfxUP1IxaHE+8= +k8s.io/kms v0.30.0/go.mod h1:GrMurD0qk3G4yNgGcsCEmepqf9KyyIrTXYR2lyUOJC4= +k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA= +mvdan.cc/xurls/v2 v2.5.0/go.mod h1:yQgaGQ1rFtJUzkmKiHYSSfuQxqfYmd//X6PxvholpeE= +nhooyr.io/websocket v1.8.7/go.mod h1:B70DZP8IakI65RVQ51MsWP/8jndNma26DVA/nFSCgW0= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.29.0/go.mod h1:z7+wmGM2dfIiLRfrC6jb5kV2Mq/sK1ZP303cxzkV5Y4= +sigs.k8s.io/gateway-api v0.4.0/go.mod h1:r3eiNP+0el+NTLwaTfOrCNXy8TukC+dIM3ggc+fbNWk= +sigs.k8s.io/gateway-api v1.0.0/go.mod h1:4cUgr0Lnp5FZ0Cdq8FdRwCvpiWws7LVhLHGIudLlf4c= +sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= +sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= software.sslmate.com/src/go-pkcs12 v0.2.0/go.mod h1:23rNcYsMabIc1otwLpTkCCPwUq6kQsTyowttG/as0kQ= +software.sslmate.com/src/go-pkcs12 v0.4.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI= diff --git a/hack/local-run-test/Makefile b/hack/local-run-test/Makefile index eeccd7d0..65ff390b 100644 --- a/hack/local-run-test/Makefile +++ b/hack/local-run-test/Makefile 
@@ -1,3 +1,6 @@ +GO_VERSION ?= 1.22.3 +K3S_VERSION ?= v1.30.0-rc2-k3s1 + SHELL := /bin/bash BIN := $(shell pwd)/bin PROJ_BIN := $(abspath $(shell pwd)/../../bin) @@ -87,7 +90,7 @@ create-k3d-cluster: k3d kubectl ## Create k3s cluster. @echo ====== $@ ====== @k3d cluster list $(CLUSTER_NAME) > /dev/null 2>&1 && echo "This cluster has already been created" || { \ k3d cluster create $(CLUSTER_NAME) \ - -i rancher/k3s:v1.26.3-k3s1 \ + -i rancher/k3s:$(K3S_VERSION) \ --api-port 43000 \ -p "389:30389@loadbalancer" \ -p "636:30636@loadbalancer" \ @@ -439,7 +442,6 @@ bin/cosmoctl: ../../cmd/cosmoctl/main.go $(GO_SRC) bin: mkdir -p $(BIN) -GO_VERSION ?= 1.20.4 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set) ifeq (,$(shell go env GOBIN)) GOBIN=$(shell go env GOPATH)/bin diff --git a/internal/cmd/__snapshots__/template_test.snap b/internal/cmd/__snapshots__/template_test.snap index 9414a37e..16e93b96 100644 --- a/internal/cmd/__snapshots__/template_test.snap +++ b/internal/cmd/__snapshots__/template_test.snap 
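Review bot: `K3S_VERSION` defaults to a release-candidate image (`v1.30.0-rc2-k3s1`), and the `create-k3d-cluster` hunk pulls `rancher/k3s:$(K3S_VERSION)` by tag only. A pre-release default is easy to forget once it is a variable, so record the intent next to it, e.g. `# NOTE: pre-release k3s image; move to the GA tag for this minor once published`. If reproducible local clusters matter, consider letting the variable carry an image digest, since a tag can be re-pointed upstream.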
@@ -619,7 +619,7 @@ rbac.authorization.k8s.io/v1 RoleBinding cosmoctl-validate-XXXXXXX v1 Service cosmoctl-validate-XXXXXXXX-workspace OK v1 PersistentVolumeClaim cosmoctl-validate-XXXXXXXX-workspace OK apps/v1 Deployment cosmoctl-validate-XXXXXXXX-workspace OK -networking.k8s.io/v1 Ingress cosmoctl-validate-XXXXXXXX-workspace NG dryrun failed: Ingress.extensions \"cosmoctl-validate-XXXXXXXX-workspace\" is invalid: spec.rules[0].host: Invalid value: \"main-cosmoctl-validate-XXXXXXXX-default.{{DOMAIN}}\": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*') +networking.k8s.io/v1 Ingress cosmoctl-validate-XXXXXXXX-workspace NG dryrun failed: Ingress.networking.k8s.io \"cosmoctl-validate-XXXXXXXX-workspace\" is invalid: spec.rules[0].host: Invalid value: \"main-cosmoctl-validate-XXXXXXXX-default.{{DOMAIN}}\": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*') """ ['cosmoctl [template] [validate] ✅ success in normal context: template validate --file - 2'] diff --git a/internal/cmd/suite_test.go b/internal/cmd/suite_test.go index dc846adb..bda93e69 100644 --- a/internal/cmd/suite_test.go +++ b/internal/cmd/suite_test.go @@ -16,6 +16,9 @@ import ( "sigs.k8s.io/controller-runtime/pkg/envtest" logf "sigs.k8s.io/controller-runtime/pkg/log" "sigs.k8s.io/controller-runtime/pkg/log/zap" + "sigs.k8s.io/controller-runtime/pkg/metrics/server" + "sigs.k8s.io/controller-runtime/pkg/webhook" + "sigs.k8s.io/controller-runtime/pkg/webhook/admission" cosmov1alpha1 "github.com/cosmo-workspace/cosmo/api/v1alpha1" "github.com/cosmo-workspace/cosmo/internal/webhooks" 
@@ -79,43 +82,51 @@ var _ = BeforeSuite(func() { testUtil = test.NewTestUtil(k8sClient) mgr, err := ctrl.NewManager(cfg, ctrl.Options{ - Scheme: clientgoscheme.Scheme, - MetricsBindAddress: "0", - CertDir: testEnv.WebhookInstallOptions.LocalServingCertDir, - Port: testEnv.WebhookInstallOptions.LocalServingPort, + Scheme: clientgoscheme.Scheme, + Metrics: server.Options{BindAddress: "0"}, + WebhookServer: webhook.NewServer(webhook.Options{ + CertDir: testEnv.WebhookInstallOptions.LocalServingCertDir, + Port: testEnv.WebhookInstallOptions.LocalServingPort, + }), }) Expect(err).NotTo(HaveOccurred()) // webhook (&webhooks.InstanceMutationWebhookHandler{ - Client: k8sClient, - Log: clog.NewLogger(ctrl.Log.WithName("InstanceMutationWebhookHandler")), + Client: k8sClient, + Log: clog.NewLogger(ctrl.Log.WithName("InstanceMutationWebhookHandler")), + Decoder: admission.NewDecoder(mgr.GetScheme()), }).SetupWebhookWithManager(mgr) (&webhooks.InstanceValidationWebhookHandler{ Client: k8sClient, Log: clog.NewLogger(ctrl.Log.WithName("InstanceValidationWebhookHandler")), + Decoder: admission.NewDecoder(mgr.GetScheme()), FieldManager: "cosmo-instance-controller", }).SetupWebhookWithManager(mgr) (&webhooks.WorkspaceMutationWebhookHandler{ - Client: k8sClient, - Log: clog.NewLogger(ctrl.Log.WithName("WorkspaceMutationWebhookHandler")), + Client: k8sClient, + Log: clog.NewLogger(ctrl.Log.WithName("WorkspaceMutationWebhookHandler")), + Decoder: admission.NewDecoder(mgr.GetScheme()), }).SetupWebhookWithManager(mgr) (&webhooks.WorkspaceValidationWebhookHandler{ - Client: k8sClient, - Log: clog.NewLogger(ctrl.Log.WithName("WorkspaceValidationWebhookHandler")), + Client: k8sClient, + Log: clog.NewLogger(ctrl.Log.WithName("WorkspaceValidationWebhookHandler")), + Decoder: admission.NewDecoder(mgr.GetScheme()), }).SetupWebhookWithManager(mgr) (&webhooks.UserMutationWebhookHandler{ - Client: k8sClient, - Log: clog.NewLogger(ctrl.Log.WithName("UserMutationWebhookHandler")), + Client: 
k8sClient, + Log: clog.NewLogger(ctrl.Log.WithName("UserMutationWebhookHandler")), + Decoder: admission.NewDecoder(mgr.GetScheme()), }).SetupWebhookWithManager(mgr) (&webhooks.UserValidationWebhookHandler{ - Client: k8sClient, - Log: clog.NewLogger(ctrl.Log.WithName("UserValidationWebhookHandler")), + Client: k8sClient, + Log: clog.NewLogger(ctrl.Log.WithName("UserValidationWebhookHandler")), + Decoder: admission.NewDecoder(mgr.GetScheme()), }).SetupWebhookWithManager(mgr) go func() { diff --git a/internal/cmd/template/kustomize.go b/internal/cmd/template/kustomize.go index 72b02058..da3589f6 100644 --- a/internal/cmd/template/kustomize.go +++ b/internal/cmd/template/kustomize.go @@ -22,8 +22,8 @@ func NewKustomize(disableNamePrefix bool) *types.Kustomization { label[cosmov1alpha1.LabelKeyTemplateName] = template.DefaultVarsTemplate kust := &types.Kustomization{ - CommonLabels: label, - Namespace: template.DefaultVarsNamespace, + Labels: []types.Label{{Pairs: label, IncludeSelectors: true}}, + Namespace: template.DefaultVarsNamespace, Resources: []string{ DefaultPackagedFile, }, diff --git a/internal/cmd/template/validate.go b/internal/cmd/template/validate.go index d518635c..d0c1d1cf 100644 --- a/internal/cmd/template/validate.go +++ b/internal/cmd/template/validate.go @@ -19,7 +19,7 @@ import ( "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/types" "k8s.io/cli-runtime/pkg/printers" - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/yaml" @@ -206,7 +206,7 @@ func (o *validateOption) RunE(cmd *cobra.Command, args []string) error { func (o *validateOption) dryrunApplyOnServer(ctx context.Context, obj client.Object) error { options := &client.PatchOptions{ FieldManager: "cosmoctl-validate", - Force: pointer.Bool(true), + Force: ptr.To(true), DryRun: []string{metav1.DryRunAll}, } diff --git a/internal/cmd/workspace/run_instance.go b/internal/cmd/workspace/run_instance.go index 8bad1e0b..51ae90e7 100644 
--- a/internal/cmd/workspace/run_instance.go +++ b/internal/cmd/workspace/run_instance.go @@ -7,8 +7,7 @@ import ( "time" "github.com/spf13/cobra" - - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" "github.com/cosmo-workspace/cosmo/pkg/clog" "github.com/cosmo-workspace/cosmo/pkg/cmdutil" @@ -68,7 +67,7 @@ func (o *RunInstanceOption) RunE(cmd *cobra.Command, args []string) error { c := o.Client - if _, err := c.UpdateWorkspace(ctx, o.InstanceName, o.User, kosmo.UpdateWorkspaceOpts{Replicas: pointer.Int64(1)}); err != nil { + if _, err := c.UpdateWorkspace(ctx, o.InstanceName, o.User, kosmo.UpdateWorkspaceOpts{Replicas: ptr.To(int64(1))}); err != nil { return err } diff --git a/internal/cmd/workspace/stop_instance.go b/internal/cmd/workspace/stop_instance.go index 84345a7a..efa70da9 100644 --- a/internal/cmd/workspace/stop_instance.go +++ b/internal/cmd/workspace/stop_instance.go @@ -7,8 +7,7 @@ import ( "time" "github.com/spf13/cobra" - - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" "github.com/cosmo-workspace/cosmo/pkg/clog" "github.com/cosmo-workspace/cosmo/pkg/cmdutil" @@ -68,7 +67,7 @@ func (o *StopInstanceOption) RunE(cmd *cobra.Command, args []string) error { c := o.Client - if _, err := c.UpdateWorkspace(ctx, o.InstanceName, o.User, kosmo.UpdateWorkspaceOpts{Replicas: pointer.Int64(0)}); err != nil { + if _, err := c.UpdateWorkspace(ctx, o.InstanceName, o.User, kosmo.UpdateWorkspaceOpts{Replicas: ptr.To(int64(0))}); err != nil { return err } diff --git a/internal/controllers/cluster_instance_controller_test.go b/internal/controllers/cluster_instance_controller_test.go index ed4e27cd..06832f9c 100644 --- a/internal/controllers/cluster_instance_controller_test.go +++ b/internal/controllers/cluster_instance_controller_test.go 
@@ -147,7 +147,7 @@ spec: } return k8sClient.Get(ctx, key, &pv) }, time.Second*10).Should(Succeed()) - Ω(ObjectSnapshot(&pv)).To(MatchSnapShot()) + Ω(PersistentVolumeSnapshot(&pv)).To(MatchSnapShot()) // StorageClass By("checking StorageClass is as expected") @@ -229,7 +229,7 @@ spec: return *pv.Spec.Capacity.Storage() }, time.Second*30).Should(Equal(expectedQuantity)) - Ω(ObjectSnapshot(&pv)).To(MatchSnapShot()) + Ω(PersistentVolumeSnapshot(&pv)).To(MatchSnapShot()) By("checking if StorageClass not updated") var sc storagev1.StorageClass diff --git a/internal/controllers/suite_test.go b/internal/controllers/suite_test.go index 71798e02..27f305dd 100644 --- a/internal/controllers/suite_test.go +++ b/internal/controllers/suite_test.go @@ -14,15 +14,16 @@ import ( utilruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/client-go/kubernetes/scheme" "k8s.io/client-go/rest" - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/client/apiutil" "sigs.k8s.io/controller-runtime/pkg/envtest" logf "sigs.k8s.io/controller-runtime/pkg/log" "sigs.k8s.io/controller-runtime/pkg/log/zap" + "sigs.k8s.io/controller-runtime/pkg/metrics/server" - traefikv1 "github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/traefikio/v1alpha1" + traefikv1 "github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/traefikio/v1alpha1" cosmov1alpha1 "github.com/cosmo-workspace/cosmo/api/v1alpha1" "github.com/cosmo-workspace/cosmo/pkg/kosmo/test" @@ -92,8 +93,8 @@ var _ = BeforeSuite(func() { testUtil = test.NewTestUtil(k8sClient) mgr, err := ctrl.NewManager(cfg, ctrl.Options{ - Scheme: scheme.Scheme, - MetricsBindAddress: "0", + Scheme: scheme.Scheme, + Metrics: server.Options{BindAddress: "0"}, }) Expect(err).NotTo(HaveOccurred()) 
@@ -193,7 +194,7 @@ func ownerRef(obj runtime.Object, scheme *runtime.Scheme) metav1.OwnerReference Kind: gvk.Kind, Name: owner.GetName(), UID: owner.GetUID(), - BlockOwnerDeletion: pointer.Bool(true), - Controller: pointer.Bool(true), + BlockOwnerDeletion: ptr.To(true), + Controller: ptr.To(true), } } diff --git a/internal/controllers/workspace_controller.go b/internal/controllers/workspace_controller.go index 1d11dd86..eb00c26a 100644 --- a/internal/controllers/workspace_controller.go +++ b/internal/controllers/workspace_controller.go @@ -14,7 +14,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/client/apiutil" "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" - traefikv1 "github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/traefikio/v1alpha1" + traefikv1 "github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/traefikio/v1alpha1" cosmov1alpha1 "github.com/cosmo-workspace/cosmo/api/v1alpha1" "github.com/cosmo-workspace/cosmo/pkg/clog" diff --git a/internal/controllers/workspace_controller_test.go b/internal/controllers/workspace_controller_test.go index 3396d894..e9822fc6 100644 --- a/internal/controllers/workspace_controller_test.go +++ b/internal/controllers/workspace_controller_test.go @@ -9,13 +9,12 @@ import ( . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" + traefikv1 "github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/traefikio/v1alpha1" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" "sigs.k8s.io/controller-runtime/pkg/client" - traefikv1 "github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/traefikio/v1alpha1" - cosmov1alpha1 "github.com/cosmo-workspace/cosmo/api/v1alpha1" "github.com/cosmo-workspace/cosmo/pkg/kubeutil" "github.com/cosmo-workspace/cosmo/pkg/workspace" 
@@ -133,7 +132,7 @@ spec: Template: cosmov1alpha1.TemplateRef{ Name: tmplName, }, - Replicas: pointer.Int64(1), + Replicas: ptr.To(int64(1)), Vars: map[string]string{ "{{DOMAIN}}": "example.com", "{{IMAGE_TAG}}": "latest", @@ -196,13 +195,13 @@ spec: } // update Workspace spec - ws.Spec.Replicas = pointer.Int64(0) + ws.Spec.Replicas = ptr.To(int64(0)) ws.Spec.Network = []cosmov1alpha1.NetworkRule{ { CustomHostPrefix: "port1", PortNumber: 3000, HTTPPath: "/path", - TargetPortNumber: pointer.Int32(30000), + TargetPortNumber: ptr.To(int32(30000)), Public: false, }, } diff --git a/internal/controllers/workspace_status_controller.go b/internal/controllers/workspace_status_controller.go index 8ee3e0a5..8e60999a 100644 --- a/internal/controllers/workspace_status_controller.go +++ b/internal/controllers/workspace_status_controller.go @@ -5,7 +5,6 @@ import ( corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/equality" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/selection" @@ -14,7 +13,7 @@ import ( ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/handler" - "sigs.k8s.io/controller-runtime/pkg/predicate" + "sigs.k8s.io/controller-runtime/pkg/reconcile" "sigs.k8s.io/controller-runtime/pkg/source" cosmov1alpha1 "github.com/cosmo-workspace/cosmo/api/v1alpha1" @@ -36,10 +35,8 @@ func (r *WorkspaceStatusReconciler) Reconcile(ctx context.Context, req ctrl.Requ log.Debug().Info("start reconcile") - key := r.getWorkspaceNamespacedName(ctx, req.NamespacedName) - var ws cosmov1alpha1.Workspace - if err := r.Get(ctx, key, &ws); err != nil { + if err := r.Get(ctx, req.NamespacedName, &ws); err != nil { return ctrl.Result{}, client.IgnoreNotFound(err) } log = log.WithValues("UID", ws.UID, "Template", ws.Spec.Template.Name) 
@@ -106,41 +103,32 @@ func (r *WorkspaceStatusReconciler) SetupWithManager(mgr ctrl.Manager) error { return err } - // watch pods which has "cosmo-workspace.github.io/instance" label - predi, _ := predicate.LabelSelectorPredicate(metav1.LabelSelector{ - MatchExpressions: []metav1.LabelSelectorRequirement{ - { - Key: cosmov1alpha1.LabelKeyInstanceName, - Operator: metav1.LabelSelectorOpExists, - }, - }, - }) - err = c.Watch(&source.Kind{Type: &corev1.Pod{}}, &handler.EnqueueRequestForObject{}, predi) + err = c.Watch(source.Kind(mgr.GetCache(), &corev1.Pod{}, handler.TypedEnqueueRequestsFromMapFunc[*corev1.Pod](r.findWorkspaceByPod))) if err != nil { return err } - err = c.Watch(&source.Kind{Type: &corev1.Service{}}, &handler.EnqueueRequestForObject{}, predi) + err = c.Watch(source.Kind(mgr.GetCache(), &corev1.Service{}, handler.TypedEnqueueRequestsFromMapFunc[*corev1.Service](r.findWorkspaceByService))) if err != nil { return err } return nil } -func (r *WorkspaceStatusReconciler) getWorkspaceNamespacedName(ctx context.Context, req types.NamespacedName) types.NamespacedName { - var pod corev1.Pod - if err := r.Get(ctx, req, &pod); err == nil { - // request is Pod with "cosmo-workspace.github.io/instance" label - return types.NamespacedName{Name: pod.Labels[cosmov1alpha1.LabelKeyInstanceName], Namespace: pod.GetNamespace()} - } +func (r *WorkspaceStatusReconciler) findWorkspaceByPod(ctx context.Context, obj *corev1.Pod) []reconcile.Request { + return findWorkspace(ctx, obj, r.Client) +} - var svc corev1.Service - if err := r.Get(ctx, req, &svc); err == nil { - // request is Service with "cosmo-workspace.github.io/instance" label - return types.NamespacedName{Name: svc.Labels[cosmov1alpha1.LabelKeyInstanceName], Namespace: svc.GetNamespace()} - } +func (r *WorkspaceStatusReconciler) findWorkspaceByService(ctx context.Context, obj *corev1.Service) []reconcile.Request { + return findWorkspace(ctx, obj, r.Client) +} - // request is Workspace - return req +func 
findWorkspace[T client.Object](ctx context.Context, obj T, c client.Client) []reconcile.Request { + var ws cosmov1alpha1.Workspace + if err := c.Get(ctx, types.NamespacedName{Name: obj.GetLabels()[cosmov1alpha1.LabelKeyInstanceName]}, &ws); err == nil { + // request is Pod with "cosmo-workspace.github.io/instance" label + return []reconcile.Request{{NamespacedName: types.NamespacedName{Name: ws.Name, Namespace: ws.Namespace}}} + } + return nil } func listWorkspacePods(ctx context.Context, c client.Client, ws cosmov1alpha1.Workspace) ([]corev1.Pod, error) { diff --git a/internal/dashboard/__snapshots__/root_test.snap b/internal/dashboard/__snapshots__/root_test.snap index 2e82351b..58c6b7cd 100755 --- a/internal/dashboard/__snapshots__/root_test.snap +++ b/internal/dashboard/__snapshots__/root_test.snap @@ -36,7 +36,7 @@ Flags: --signin-url string Dashboard signin url --skip_headers If true, avoid header prefixes in the log messages --skip_log_headers If true, avoid headers when opening log files (no effect when -logtostderr=true) - --stderrthreshold severity logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=false) (default 2) + --stderrthreshold severity logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=true) (default 2) --timeout-seconds int Timeout seconds for response (default 3) --tls-cert string TLS certificate file path (default "tls.crt") --tls-key string TLS key file path (default "tls.key") 
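Review bot: The `c.Get` in `findWorkspace` builds its key with only `Name`, so the lookup runs with an empty namespace. The removed `getWorkspaceNamespacedName` used the Pod's or Service's own namespace, which suggests Workspace is namespaced and this lookup will not find it. In that case the map function returns nil for every event, and Pod/Service changes no longer enqueue the owning Workspace for a status update. Pass the object's namespace: `types.NamespacedName{Name: obj.GetLabels()[cosmov1alpha1.LabelKeyInstanceName], Namespace: obj.GetNamespace()}`. Because the label-exists predicate was dropped in the same hunk, also return nil early when the label is absent so unlabelled Pods and Services do not each cost a lookup, and reword the carried-over `// request is Pod with ...` comment, which now sits on a path shared with Services.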
@@ -89,7 +89,7 @@ Flags: --signin-url string Dashboard signin url --skip_headers If true, avoid header prefixes in the log messages --skip_log_headers If true, avoid headers when opening log files (no effect when -logtostderr=true) - --stderrthreshold severity logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=false) (default 2) + --stderrthreshold severity logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=true) (default 2) --timeout-seconds int Timeout seconds for response (default 3) --tls-cert string TLS certificate file path (default "tls.crt") --tls-key string TLS key file path (default "tls.key") @@ -142,7 +142,7 @@ Flags: --signin-url string Dashboard signin url --skip_headers If true, avoid header prefixes in the log messages --skip_log_headers If true, avoid headers when opening log files (no effect when -logtostderr=true) - --stderrthreshold severity logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=false) (default 2) + --stderrthreshold severity logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=true) (default 2) --timeout-seconds int Timeout seconds for response (default 3) --tls-cert string TLS certificate file path (default "tls.crt") --tls-key string TLS key file path (default "tls.key") 
@@ -195,7 +195,7 @@ Flags: --signin-url string Dashboard signin url --skip_headers If true, avoid header prefixes in the log messages --skip_log_headers If true, avoid headers when opening log files (no effect when -logtostderr=true) - --stderrthreshold severity logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=false) (default 2) + --stderrthreshold severity logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=true) (default 2) --timeout-seconds int Timeout seconds for response (default 3) --tls-cert string TLS certificate file path (default "tls.crt") --tls-key string TLS key file path (default "tls.key") diff --git a/internal/dashboard/root.go b/internal/dashboard/root.go index a8790ad4..4c2eb80c 100644 --- a/internal/dashboard/root.go +++ b/internal/dashboard/root.go @@ -23,6 +23,8 @@ import ( klog "k8s.io/klog/v2" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/log/zap" + "sigs.k8s.io/controller-runtime/pkg/metrics/server" + "sigs.k8s.io/controller-runtime/pkg/webhook" cosmov1alpha1 "github.com/cosmo-workspace/cosmo/api/v1alpha1" "github.com/cosmo-workspace/cosmo/pkg/auth" @@ -210,10 +212,10 @@ func (o *options) RunE(cmd *cobra.Command, args []string) error { // Setup controller manager mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ - Scheme: scheme, - MetricsBindAddress: "0", - Port: 9443, - LeaderElection: false, + Scheme: scheme, + Metrics: server.Options{BindAddress: "0"}, + WebhookServer: webhook.NewServer(webhook.Options{Port: 9443}), + LeaderElection: false, }) if err != nil { setupLog.Error(err, "unable to start manager") diff --git a/internal/dashboard/suite_test.go b/internal/dashboard/suite_test.go index 26d967a6..ef6e385b 100644 --- a/internal/dashboard/suite_test.go +++ b/internal/dashboard/suite_test.go 
@@ -20,6 +20,9 @@ import ( "sigs.k8s.io/controller-runtime/pkg/envtest" logf "sigs.k8s.io/controller-runtime/pkg/log" "sigs.k8s.io/controller-runtime/pkg/log/zap" + "sigs.k8s.io/controller-runtime/pkg/metrics/server" + "sigs.k8s.io/controller-runtime/pkg/webhook" + "sigs.k8s.io/controller-runtime/pkg/webhook/admission" //+kubebuilder:scaffold:imports 
@@ -90,43 +93,51 @@ var _ = BeforeSuite(func() { testUtil = test.NewTestUtil(k8sClient) mgr, err := ctrl.NewManager(cfg, ctrl.Options{ - Scheme: clientgoscheme.Scheme, - MetricsBindAddress: "0", - CertDir: testEnv.WebhookInstallOptions.LocalServingCertDir, - Port: testEnv.WebhookInstallOptions.LocalServingPort, + Scheme: clientgoscheme.Scheme, + Metrics: server.Options{BindAddress: "0"}, + WebhookServer: webhook.NewServer(webhook.Options{ + CertDir: testEnv.WebhookInstallOptions.LocalServingCertDir, + Port: testEnv.WebhookInstallOptions.LocalServingPort, + }), }) Expect(err).NotTo(HaveOccurred()) // webhook (&webhooks.InstanceMutationWebhookHandler{ - Client: k8sClient, - Log: clog.NewLogger(ctrl.Log.WithName("InstanceMutationWebhookHandler")), + Client: k8sClient, + Log: clog.NewLogger(ctrl.Log.WithName("InstanceMutationWebhookHandler")), + Decoder: admission.NewDecoder(mgr.GetScheme()), }).SetupWebhookWithManager(mgr) (&webhooks.InstanceValidationWebhookHandler{ Client: k8sClient, Log: clog.NewLogger(ctrl.Log.WithName("InstanceValidationWebhookHandler")), + Decoder: admission.NewDecoder(mgr.GetScheme()), FieldManager: "cosmo-instance-controller", }).SetupWebhookWithManager(mgr) (&webhooks.WorkspaceMutationWebhookHandler{ - Client: k8sClient, - Log: clog.NewLogger(ctrl.Log.WithName("WorkspaceMutationWebhookHandler")), + Client: k8sClient, + Log: clog.NewLogger(ctrl.Log.WithName("WorkspaceMutationWebhookHandler")), + Decoder: admission.NewDecoder(mgr.GetScheme()), }).SetupWebhookWithManager(mgr) (&webhooks.WorkspaceValidationWebhookHandler{ - Client: k8sClient, - Log: clog.NewLogger(ctrl.Log.WithName("WorkspaceValidationWebhookHandler")), + Client: k8sClient, + Log: clog.NewLogger(ctrl.Log.WithName("WorkspaceValidationWebhookHandler")), + Decoder: admission.NewDecoder(mgr.GetScheme()), }).SetupWebhookWithManager(mgr) (&webhooks.UserMutationWebhookHandler{ - Client: k8sClient, - Log: clog.NewLogger(ctrl.Log.WithName("UserMutationWebhookHandler")), + Client: 
k8sClient, + Log: clog.NewLogger(ctrl.Log.WithName("UserMutationWebhookHandler")), + Decoder: admission.NewDecoder(mgr.GetScheme()), }).SetupWebhookWithManager(mgr) (&webhooks.UserValidationWebhookHandler{ - Client: k8sClient, - Log: clog.NewLogger(ctrl.Log.WithName("UserValidationWebhookHandler")), + Client: k8sClient, + Log: clog.NewLogger(ctrl.Log.WithName("UserValidationWebhookHandler")), + Decoder: admission.NewDecoder(mgr.GetScheme()), }).SetupWebhookWithManager(mgr) // Setup server diff --git a/internal/dashboard/template_handler.go b/internal/dashboard/template_handler.go index 41db6438..3997afff 100644 --- a/internal/dashboard/template_handler.go +++ b/internal/dashboard/template_handler.go @@ -8,7 +8,7 @@ import ( connect_go "github.com/bufbuild/connect-go" "k8s.io/apimachinery/pkg/api/meta" - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" cosmov1alpha1 "github.com/cosmo-workspace/cosmo/api/v1alpha1" "github.com/cosmo-workspace/cosmo/pkg/clog" @@ -77,7 +77,7 @@ func (s *Server) GetUserAddonTemplates(ctx context.Context, req *connect_go.Requ if ann := v.GetAnnotations(); ann != nil { if b, ok := ann[cosmov1alpha1.UserAddonTemplateAnnKeyDefaultUserAddon]; ok { if defaultAddon, err := strconv.ParseBool(b); err == nil && defaultAddon { - tmpl.IsDefaultUserAddon = pointer.Bool(true) + tmpl.IsDefaultUserAddon = ptr.To(true) } } } diff --git a/internal/dashboard/template_handler_test.go b/internal/dashboard/template_handler_test.go index 38a97f1b..e00e6ee2 100644 --- a/internal/dashboard/template_handler_test.go +++ b/internal/dashboard/template_handler_test.go @@ -8,7 +8,7 @@ import ( . "github.com/cosmo-workspace/cosmo/pkg/snap" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" cosmov1alpha1 "github.com/cosmo-workspace/cosmo/api/v1alpha1" dashboardv1alpha1 "github.com/cosmo-workspace/cosmo/proto/gen/dashboard/v1alpha1" 
@@ -69,7 +69,7 @@ var _ = Describe("Dashboard server [Template]", func() { Entry(nil, "admin-user", "not empty", &dashboardv1alpha1.GetWorkspaceTemplatesRequest{}), Entry(nil, "normal-user", "empty", &dashboardv1alpha1.GetWorkspaceTemplatesRequest{}), Entry(nil, "normal-user", "not empty", &dashboardv1alpha1.GetWorkspaceTemplatesRequest{}), - Entry(nil, "normal-user", "not empty", &dashboardv1alpha1.GetWorkspaceTemplatesRequest{UseRoleFilter: pointer.Bool(true)}), + Entry(nil, "normal-user", "not empty", &dashboardv1alpha1.GetWorkspaceTemplatesRequest{UseRoleFilter: ptr.To(true)}), Entry(nil, "role-user", "not empty", &dashboardv1alpha1.GetWorkspaceTemplatesRequest{}), ) diff --git a/internal/dashboard/workspace_handler.go b/internal/dashboard/workspace_handler.go index 8edac968..6c97289a 100644 --- a/internal/dashboard/workspace_handler.go +++ b/internal/dashboard/workspace_handler.go @@ -5,7 +5,7 @@ import ( "net/http" connect_go "github.com/bufbuild/connect-go" - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" cosmov1alpha1 "github.com/cosmo-workspace/cosmo/api/v1alpha1" "github.com/cosmo-workspace/cosmo/pkg/clog" @@ -134,7 +134,7 @@ func (s *Server) UpdateWorkspace(ctx context.Context, req *connect_go.Request[da func convertWorkspaceTodashv1alpha1Workspace(ws cosmov1alpha1.Workspace) *dashv1alpha1.Workspace { replicas := ws.Spec.Replicas if replicas == nil { - replicas = pointer.Int64(1) + replicas = ptr.To(int64(1)) } return &dashv1alpha1.Workspace{ diff --git a/internal/dashboard/workspace_handler_test.go b/internal/dashboard/workspace_handler_test.go index 3ae13980..3fcef132 100644 --- a/internal/dashboard/workspace_handler_test.go +++ b/internal/dashboard/workspace_handler_test.go 
@@ -9,8 +9,7 @@ import ( . "github.com/cosmo-workspace/cosmo/pkg/snap" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" - - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" cosmov1alpha1 "github.com/cosmo-workspace/cosmo/api/v1alpha1" dashv1alpha1 "github.com/cosmo-workspace/cosmo/proto/gen/dashboard/v1alpha1" 
@@ -254,21 +253,21 @@ var _ = Describe("Dashboard server [Workspace]", func() { DescribeTable("✅ success in normal context:", run_test, - Entry("admin user can update own workspace's replica", "admin-user", &dashv1alpha1.UpdateWorkspaceRequest{UserName: "admin-user", WsName: "ws1", Replicas: pointer.Int64(0)}), + Entry("admin user can update own workspace's replica", "admin-user", &dashv1alpha1.UpdateWorkspaceRequest{UserName: "admin-user", WsName: "ws1", Replicas: ptr.To(int64(0))}), Entry("admin user can update own workspace with no change", "admin-user", &dashv1alpha1.UpdateWorkspaceRequest{UserName: "admin-user", WsName: "ws1"}), - Entry("normal user can update own workspace's replica", "normal-user", &dashv1alpha1.UpdateWorkspaceRequest{UserName: "normal-user", WsName: "ws1", Replicas: pointer.Int64(5)}), + Entry("normal user can update own workspace's replica", "normal-user", &dashv1alpha1.UpdateWorkspaceRequest{UserName: "normal-user", WsName: "ws1", Replicas: ptr.To(int64(5))}), ) DescribeTable("❌ fail with invalid request:", run_test, - Entry("invalid user name", "admin-user", &dashv1alpha1.UpdateWorkspaceRequest{UserName: "xxxxx", WsName: "ws1", Replicas: pointer.Int64(0)}), - Entry("invalid workspace name", "admin-user", &dashv1alpha1.UpdateWorkspaceRequest{UserName: "normal-user", WsName: "xxx", Replicas: pointer.Int64(1)}), - Entry("no change", "admin-user", &dashv1alpha1.UpdateWorkspaceRequest{UserName: "admin-user", WsName: "ws1", Replicas: pointer.Int64(1)}), + Entry("invalid user name", "admin-user", &dashv1alpha1.UpdateWorkspaceRequest{UserName: "xxxxx", WsName: "ws1", Replicas: ptr.To(int64(0))}), + Entry("invalid workspace name", "admin-user", &dashv1alpha1.UpdateWorkspaceRequest{UserName: "normal-user", WsName: "xxx", Replicas: ptr.To(int64(1))}), + Entry("no change", "admin-user", &dashv1alpha1.UpdateWorkspaceRequest{UserName: "admin-user", WsName: "ws1", Replicas: ptr.To(int64(1))}), ) DescribeTable("❌ fail with authorization by role:", 
run_test, - Entry("normal user cannot update admin's workspace", "normal-user", &dashv1alpha1.UpdateWorkspaceRequest{UserName: "admin-user", WsName: "ws1", Replicas: pointer.Int64(0)}), + Entry("normal user cannot update admin's workspace", "normal-user", &dashv1alpha1.UpdateWorkspaceRequest{UserName: "admin-user", WsName: "ws1", Replicas: ptr.To(int64(0))}), ) DescribeTable("❌ fail with an unexpected error at update:", @@ -276,7 +275,7 @@ var _ = Describe("Dashboard server [Workspace]", func() { clientMock.SetUpdateError((*Server).UpdateWorkspace, errors.New("mock update workspace error")) run_test(loginUser, req) }, - Entry("unexpected err", "admin-user", &dashv1alpha1.UpdateWorkspaceRequest{UserName: "admin-user", WsName: "ws1", Replicas: pointer.Int64(0)}), + Entry("unexpected err", "admin-user", &dashv1alpha1.UpdateWorkspaceRequest{UserName: "admin-user", WsName: "ws1", Replicas: ptr.To(int64(0))}), ) }) diff --git a/internal/webhooks/instance_webhook.go b/internal/webhooks/instance_webhook.go index c249dc38..612f5ef1 100644 --- a/internal/webhooks/instance_webhook.go +++ b/internal/webhooks/instance_webhook.go @@ -26,7 +26,7 @@ import ( type InstanceMutationWebhookHandler struct { Client client.Client Log *clog.Logger - decoder *admission.Decoder + Decoder admission.Decoder } //+kubebuilder:webhook:path=/mutate-cosmo-workspace-github-io-v1alpha1-instance,mutating=true,failurePolicy=fail,sideEffects=None,groups=cosmo-workspace.github.io,resources=instances,verbs=create;update,versions=v1alpha1,name=minstance.kb.io,admissionReviewVersions={v1,v1alpha1} @@ -49,7 +49,7 @@ func (h *InstanceMutationWebhookHandler) Handle(ctx context.Context, req admissi switch req.RequestKind.Kind { case "Instance": inst = &cosmov1alpha1.Instance{} - err := h.decoder.Decode(req, inst) + err := h.Decoder.Decode(req, inst) if err != nil { log.Error(err, "failed to decode request") return admission.Errored(http.StatusBadRequest, err) 
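Review bot: `Decoder` in `InstanceMutationWebhookHandler` is now a plain exported field with nothing injecting it, so a handler constructed without it calls `h.Decoder.Decode` on a nil interface and panics on the first admission request. The same applies to `InstanceValidationWebhookHandler`, whose `InjectDecoder` is removed further down this file. The kubebuilder marker in this hunk sets `failurePolicy=fail`, so a crashing handler would presumably block Instance create/update rather than let it through unmutated. Only the test suites' wiring is visible in this diff; if `SetupWebhookWithManager` (outside these hunks) does not already do so, default the field there with `if h.Decoder == nil { h.Decoder = admission.NewDecoder(mgr.GetScheme()) }`. The struct and `Handle` bodies extend beyond the hunks shown.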
@@ -65,7 +65,7 @@ func (h *InstanceMutationWebhookHandler) Handle(ctx context.Context, req admissi case "ClusterInstance": inst = &cosmov1alpha1.ClusterInstance{} - err := h.decoder.Decode(req, inst) + err := h.Decoder.Decode(req, inst) if err != nil { log.Error(err, "failed to decode request") return admission.Errored(http.StatusBadRequest, err) @@ -99,15 +99,10 @@ func (h *InstanceMutationWebhookHandler) Handle(ctx context.Context, req admissi return admission.PatchResponseFromRaw(req.Object.Raw, marshaled) } -func (h *InstanceMutationWebhookHandler) InjectDecoder(d *admission.Decoder) error { - h.decoder = d - return nil -} - type InstanceValidationWebhookHandler struct { Client client.Client Log *clog.Logger - decoder *admission.Decoder + Decoder admission.Decoder FieldManager string } @@ -132,7 +127,7 @@ func (h *InstanceValidationWebhookHandler) Handle(ctx context.Context, req admis switch req.RequestKind.Kind { case "Instance": inst = &cosmov1alpha1.Instance{} - err := h.decoder.Decode(req, inst) + err := h.Decoder.Decode(req, inst) if err != nil { return admission.Errored(http.StatusBadRequest, err) } @@ -148,7 +143,7 @@ func (h *InstanceValidationWebhookHandler) Handle(ctx context.Context, req admis case "ClusterInstance": inst = &cosmov1alpha1.ClusterInstance{} - err := h.decoder.Decode(req, inst) + err := h.Decoder.Decode(req, inst) if err != nil { return admission.Errored(http.StatusBadRequest, err) } @@ -205,11 +200,6 @@ func (h *InstanceValidationWebhookHandler) Handle(ctx context.Context, req admis return admission.Allowed("OK") } -func (h *InstanceValidationWebhookHandler) InjectDecoder(d *admission.Decoder) error { - h.decoder = d - return nil -} - func dryrunReconcile(ctx context.Context, c client.Client, fieldManager string, inst cosmov1alpha1.InstanceObject, tmpl cosmov1alpha1.TemplateObject) []error { log := clog.FromContext(ctx).WithCaller() 
diff --git a/internal/webhooks/suite_test.go b/internal/webhooks/suite_test.go index eb6eb2be..4e1f774c 100644 --- a/internal/webhooks/suite_test.go +++ b/internal/webhooks/suite_test.go @@ -16,6 +16,9 @@ import ( "sigs.k8s.io/controller-runtime/pkg/envtest" logf "sigs.k8s.io/controller-runtime/pkg/log" "sigs.k8s.io/controller-runtime/pkg/log/zap" + "sigs.k8s.io/controller-runtime/pkg/metrics/server" + "sigs.k8s.io/controller-runtime/pkg/webhook" + "sigs.k8s.io/controller-runtime/pkg/webhook/admission" cosmov1alpha1 "github.com/cosmo-workspace/cosmo/api/v1alpha1" @@ -76,10 +79,12 @@ var _ = BeforeSuite(func() { Expect(cfg).NotTo(BeNil()) mgr, err := ctrl.NewManager(cfg, ctrl.Options{ - Scheme: scheme.Scheme, - MetricsBindAddress: "0", - CertDir: testEnv.WebhookInstallOptions.LocalServingCertDir, - Port: testEnv.WebhookInstallOptions.LocalServingPort, + Scheme: scheme.Scheme, + Metrics: server.Options{BindAddress: "0"}, + WebhookServer: webhook.NewServer(webhook.Options{ + CertDir: testEnv.WebhookInstallOptions.LocalServingCertDir, + Port: testEnv.WebhookInstallOptions.LocalServingPort, + }), }) Expect(err).NotTo(HaveOccurred()) 
@@ -87,34 +92,40 @@ var _ = BeforeSuite(func() { Expect(k8sClient).NotTo(BeNil()) (&InstanceMutationWebhookHandler{ - Client: k8sClient, - Log: clog.NewLogger(ctrl.Log.WithName("InstanceMutationWebhookHandler")), + Client: k8sClient, + Log: clog.NewLogger(ctrl.Log.WithName("InstanceMutationWebhookHandler")), + Decoder: admission.NewDecoder(mgr.GetScheme()), }).SetupWebhookWithManager(mgr) (&InstanceValidationWebhookHandler{ Client: k8sClient, Log: clog.NewLogger(ctrl.Log.WithName("InstanceValidationWebhookHandler")), + Decoder: admission.NewDecoder(mgr.GetScheme()), FieldManager: instControllerFieldManager, }).SetupWebhookWithManager(mgr) (&WorkspaceMutationWebhookHandler{ - Client: k8sClient, - Log: clog.NewLogger(ctrl.Log.WithName("WorkspaceMutationWebhookHandler")), + Client: k8sClient, + Log: clog.NewLogger(ctrl.Log.WithName("WorkspaceMutationWebhookHandler")), + Decoder: admission.NewDecoder(mgr.GetScheme()), }).SetupWebhookWithManager(mgr) (&WorkspaceValidationWebhookHandler{ - Client: k8sClient, - Log: clog.NewLogger(ctrl.Log.WithName("WorkspaceValidationWebhookHandler")), + Client: k8sClient, + Log: clog.NewLogger(ctrl.Log.WithName("WorkspaceValidationWebhookHandler")), + Decoder: admission.NewDecoder(mgr.GetScheme()), }).SetupWebhookWithManager(mgr) (&UserMutationWebhookHandler{ - Client: k8sClient, - Log: clog.NewLogger(ctrl.Log.WithName("UserMutationWebhookHandler")), + Client: k8sClient, + Log: clog.NewLogger(ctrl.Log.WithName("UserMutationWebhookHandler")), + Decoder: admission.NewDecoder(mgr.GetScheme()), }).SetupWebhookWithManager(mgr) (&UserValidationWebhookHandler{ - Client: k8sClient, - Log: clog.NewLogger(ctrl.Log.WithName("UserValidationWebhookHandler")), + Client: k8sClient, + Log: clog.NewLogger(ctrl.Log.WithName("UserValidationWebhookHandler")), + Decoder: admission.NewDecoder(mgr.GetScheme()), }).SetupWebhookWithManager(mgr) go func() { 
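Review bot: All six handlers in this hunk are given a separate `admission.NewDecoder(mgr.GetScheme())` built from the same scheme, which repeats one call six times and makes it easy to miss a handler when another is added. Build it once before the first handler, `decoder := admission.NewDecoder(mgr.GetScheme())`, and pass `Decoder: decoder` to each. Because the suite wires the decoder by hand, it cannot catch a production setup path that leaves the field unset; the real entry point is not visible here, so that is worth checking separately. `BeforeSuite` continues outside the hunk.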
diff --git a/internal/webhooks/user_webhook.go b/internal/webhooks/user_webhook.go index f2fc8ded..3fbc99bf 100644 --- a/internal/webhooks/user_webhook.go +++ b/internal/webhooks/user_webhook.go @@ -26,7 +26,7 @@ import ( type UserMutationWebhookHandler struct { Client client.Client Log *clog.Logger - decoder *admission.Decoder + Decoder admission.Decoder } //+kubebuilder:webhook:path=/mutate-cosmo-workspace-github-io-v1alpha1-user,mutating=true,failurePolicy=fail,sideEffects=None,groups=cosmo-workspace.github.io,resources=users,verbs=create;update,versions=v1alpha1,name=muser.kb.io,admissionReviewVersions={v1,v1alpha1} @@ -44,7 +44,7 @@ func (h *UserMutationWebhookHandler) Handle(ctx context.Context, req admission.R ctx = clog.IntoContext(ctx, log) user := &cosmov1alpha1.User{} - err := h.decoder.Decode(req, user) + err := h.Decoder.Decode(req, user) if err != nil { log.Error(err, "failed to decode request") return admission.Errored(http.StatusBadRequest, err) @@ -128,15 +128,10 @@ AddonsLoop: return admission.PatchResponseFromRaw(req.Object.Raw, marshaled) } -func (h *UserMutationWebhookHandler) InjectDecoder(d *admission.Decoder) error { - h.decoder = d - return nil -} - type UserValidationWebhookHandler struct { Client client.Client Log *clog.Logger - decoder *admission.Decoder + Decoder admission.Decoder } //+kubebuilder:webhook:path=/validate-cosmo-workspace-github-io-v1alpha1-user,mutating=false,failurePolicy=fail,sideEffects=None,groups=cosmo-workspace.github.io,resources=users,verbs=create;update,versions=v1alpha1,name=vuser.kb.io,admissionReviewVersions={v1,v1alpha1} @@ -154,7 +149,7 @@ func (h *UserValidationWebhookHandler) Handle(ctx context.Context, req admission ctx = clog.IntoContext(ctx, log) user := &cosmov1alpha1.User{} - err := h.decoder.Decode(req, user) + err := h.Decoder.Decode(req, user) if err != nil { log.Error(err, "failed to decode request") return admission.Errored(http.StatusBadRequest, err) 
@@ -219,11 +214,6 @@ func (h *UserValidationWebhookHandler) Handle(ctx context.Context, req admission return admission.Allowed("Validation OK") } -func (h *UserValidationWebhookHandler) InjectDecoder(d *admission.Decoder) error { - h.decoder = d - return nil -} - func validName(v string) bool { r, _ := regexp.Compile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`) return r.MatchString(v) diff --git a/internal/webhooks/workspace_webhook.go b/internal/webhooks/workspace_webhook.go index cad68965..b06e8460 100644 --- a/internal/webhooks/workspace_webhook.go +++ b/internal/webhooks/workspace_webhook.go @@ -12,7 +12,7 @@ import ( "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/validation" - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/webhook" @@ -30,7 +30,7 @@ import ( type WorkspaceMutationWebhookHandler struct { Client client.Client Log *clog.Logger - decoder *admission.Decoder + Decoder admission.Decoder } //+kubebuilder:webhook:path=/mutate-cosmo-workspace-github-io-v1alpha1-workspace,mutating=true,failurePolicy=fail,sideEffects=None,groups=cosmo-workspace.github.io,resources=workspaces,verbs=create;update,versions=v1alpha1,name=mworkspace.kb.io,admissionReviewVersions={v1,v1alpha1} @@ -48,7 +48,7 @@ func (h *WorkspaceMutationWebhookHandler) Handle(ctx context.Context, req admiss ctx = clog.IntoContext(ctx, log) ws := &cosmov1alpha1.Workspace{} - err := h.decoder.Decode(req, ws) + err := h.Decoder.Decode(req, ws) if err != nil { log.Error(err, "failed to decode request") return admission.Errored(http.StatusBadRequest, err) 
@@ -105,11 +105,6 @@ func (h *WorkspaceMutationWebhookHandler) mutateWorkspace(ctx context.Context, w return nil } -func (h *WorkspaceMutationWebhookHandler) InjectDecoder(d *admission.Decoder) error { - h.decoder = d - return nil -} - func (h *WorkspaceMutationWebhookHandler) migrateTmplServiceToNetworkRule(ctx context.Context, ws *cosmov1alpha1.Workspace, rawTmpl string, cfg cosmov1alpha1.Config) error { unst, err := preTemplateBuild(*ws, rawTmpl) if err != nil { @@ -176,7 +171,7 @@ func networkRulesByServicePorts(svcPorts []corev1.ServicePort) []cosmov1alpha1.N netRule.PortNumber = p.Port if p.TargetPort.IntValue() != 0 { - netRule.TargetPortNumber = pointer.Int32(int32(p.TargetPort.IntValue())) + netRule.TargetPortNumber = ptr.To(int32(p.TargetPort.IntValue())) } netRules = append(netRules, netRule) @@ -206,7 +201,7 @@ func sortNetworkRule(netRules []cosmov1alpha1.NetworkRule, cfg cosmov1alpha1.Con type WorkspaceValidationWebhookHandler struct { Client client.Client Log *clog.Logger - decoder *admission.Decoder + Decoder admission.Decoder } //+kubebuilder:webhook:path=/validate-cosmo-workspace-github-io-v1alpha1-workspace,mutating=false,failurePolicy=fail,sideEffects=None,groups=cosmo-workspace.github.io,resources=workspaces,verbs=create;update,versions=v1alpha1,name=vworkspace.kb.io,admissionReviewVersions={v1,v1alpha1} @@ -223,7 +218,7 @@ func (h *WorkspaceValidationWebhookHandler) Handle(ctx context.Context, req admi log := h.Log.WithValues("UID", req.UID, "GroupVersionKind", req.Kind.String(), "Name", req.Name, "Namespace", req.Namespace) ws := &cosmov1alpha1.Workspace{} - err := h.decoder.Decode(req, ws) + err := h.Decoder.Decode(req, ws) if err != nil { log.Error(err, "failed to decode request") return admission.Errored(http.StatusBadRequest, err) 
@@ -292,11 +287,6 @@ func (h *WorkspaceValidationWebhookHandler) validateTemplatePermission(ctx conte return nil } -func (h *WorkspaceValidationWebhookHandler) InjectDecoder(d *admission.Decoder) error { - h.decoder = d - return nil -} - func checkNetworkRules(netRules []cosmov1alpha1.NetworkRule) error { for i, netRule := range netRules { if errs := validation.IsValidPortNum(int(netRule.PortNumber)); len(errs) > 0 { diff --git a/internal/webhooks/workspace_webhook_test.go b/internal/webhooks/workspace_webhook_test.go index 03d3dc30..51514c91 100644 --- a/internal/webhooks/workspace_webhook_test.go +++ b/internal/webhooks/workspace_webhook_test.go @@ -15,7 +15,7 @@ import ( corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/intstr" - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" "sigs.k8s.io/controller-runtime/pkg/client" cosmov1alpha1 "github.com/cosmo-workspace/cosmo/api/v1alpha1" @@ -236,7 +236,7 @@ spec: err = k8sClient.Create(ctx, &user) Expect(err).ShouldNot(HaveOccurred()) - rep := pointer.Int64(1) + rep := ptr.To(int64(1)) ws := cosmov1alpha1.Workspace{ TypeMeta: metav1.TypeMeta{ Kind: "Workspace", @@ -580,7 +580,7 @@ func TestNetworkRulesByService(t *testing.T) { { CustomHostPrefix: "main2", PortNumber: 7778, - TargetPortNumber: pointer.Int32(32001), + TargetPortNumber: ptr.To(int32(32001)), }, }, }, diff --git a/pkg/auth/webauthn/__snapshots__/credentials_test.snap b/pkg/auth/webauthn/__snapshots__/credentials_test.snap index ead94b77..bf679b76 100644 --- a/pkg/auth/webauthn/__snapshots__/credentials_test.snap +++ b/pkg/auth/webauthn/__snapshots__/credentials_test.snap 
@@ -15,21 +15,21 @@ SnapShot = """ \"DisplayName\": \"test-cred1\", \"Timestamp\": 1650456000, \"Cred\": { - \"ID\": \"MVpLMnJna21qV2t3TFhrYUtWQ0ZkQjd6dkdlbHNnT1UvZEFOOFhFck41RTFmME5ld0EzTU9FR2ZOMVhmSmhpTFdaUHMyMkNGT2NmWHZ6QjRMV3NVMG9ZPQ==\", - \"PublicKey\": \"MVFFQ0F5WWdBU0ZZSUp2cTNjeE15NGR6V2JveGRXRHMyM3QwTG9vVE9zZ2FxQ0VvYld5cEVmbTRJbGdndUNmSmczNVhIVmhHSTJ3aDMrK2NiT1NNTkMyZHFOY09MNlUrYmorcUpDaz0=\", - \"AttestationType\": \"none\", - \"Transport\": null, - \"Flags\": { - \"UserPresent\": true, - \"UserVerified\": true, - \"BackupEligible\": false, - \"BackupState\": false + \"id\": \"MVpLMnJna21qV2t3TFhrYUtWQ0ZkQjd6dkdlbHNnT1UvZEFOOFhFck41RTFmME5ld0EzTU9FR2ZOMVhmSmhpTFdaUHMyMkNGT2NmWHZ6QjRMV3NVMG9ZPQ==\", + \"publicKey\": \"MVFFQ0F5WWdBU0ZZSUp2cTNjeE15NGR6V2JveGRXRHMyM3QwTG9vVE9zZ2FxQ0VvYld5cEVmbTRJbGdndUNmSmczNVhIVmhHSTJ3aDMrK2NiT1NNTkMyZHFOY09MNlUrYmorcUpDaz0=\", + \"attestationType\": \"none\", + \"transport\": null, + \"flags\": { + \"userPresent\": true, + \"userVerified\": true, + \"backupEligible\": false, + \"backupState\": false }, - \"Authenticator\": { + \"authenticator\": { \"AAGUID\": \"QUFBQUFBQUFBQUFBQUFBQUFBQUFBQT09\", - \"SignCount\": 0, - \"CloneWarning\": false, - \"Attachment\": \"\" + \"signCount\": 0, + \"cloneWarning\": false, + \"attachment\": \"\" } } }, 
@@ -38,21 +38,21 @@ SnapShot = """ \"DisplayName\": \"test-cred2\", \"Timestamp\": 1650542400, \"Cred\": { - \"ID\": \"MlpLMnJna21qV2t3TFhrYUtWQ0ZkQjd6dkdlbHNnT1UvZEFOOFhFck41RTFmME5ld0EzTU9FR2ZOMVhmSmhpTFdaUHMyMkNGT2NmWHZ6QjRMV3NVMG9ZPQ==\", - \"PublicKey\": \"MlFFQ0F5WWdBU0ZZSUp2cTNjeE15NGR6V2JveGRXRHMyM3QwTG9vVE9zZ2FxQ0VvYld5cEVmbTRJbGdndUNmSmczNVhIVmhHSTJ3aDMrK2NiT1NNTkMyZHFOY09MNlUrYmorcUpDaz0=\", - \"AttestationType\": \"none\", - \"Transport\": null, - \"Flags\": { - \"UserPresent\": true, - \"UserVerified\": true, - \"BackupEligible\": false, - \"BackupState\": false + \"id\": \"MlpLMnJna21qV2t3TFhrYUtWQ0ZkQjd6dkdlbHNnT1UvZEFOOFhFck41RTFmME5ld0EzTU9FR2ZOMVhmSmhpTFdaUHMyMkNGT2NmWHZ6QjRMV3NVMG9ZPQ==\", + \"publicKey\": \"MlFFQ0F5WWdBU0ZZSUp2cTNjeE15NGR6V2JveGRXRHMyM3QwTG9vVE9zZ2FxQ0VvYld5cEVmbTRJbGdndUNmSmczNVhIVmhHSTJ3aDMrK2NiT1NNTkMyZHFOY09MNlUrYmorcUpDaz0=\", + \"attestationType\": \"none\", + \"transport\": null, + \"flags\": { + \"userPresent\": true, + \"userVerified\": true, + \"backupEligible\": false, + \"backupState\": false }, - \"Authenticator\": { + \"authenticator\": { \"AAGUID\": \"QUFBQUFBQUFBQUFBQUFBQUFBQUFBQT09\", - \"SignCount\": 0, - \"CloneWarning\": false, - \"Attachment\": \"\" + \"signCount\": 0, + \"cloneWarning\": false, + \"attachment\": \"\" } } } 
@@ -67,21 +67,21 @@ SnapShot = """ \"DisplayName\": \"new name\", \"Timestamp\": 1650456000, \"Cred\": { - \"ID\": \"MVpLMnJna21qV2t3TFhrYUtWQ0ZkQjd6dkdlbHNnT1UvZEFOOFhFck41RTFmME5ld0EzTU9FR2ZOMVhmSmhpTFdaUHMyMkNGT2NmWHZ6QjRMV3NVMG9ZPQ==\", - \"PublicKey\": \"MVFFQ0F5WWdBU0ZZSUp2cTNjeE15NGR6V2JveGRXRHMyM3QwTG9vVE9zZ2FxQ0VvYld5cEVmbTRJbGdndUNmSmczNVhIVmhHSTJ3aDMrK2NiT1NNTkMyZHFOY09MNlUrYmorcUpDaz0=\", - \"AttestationType\": \"none\", - \"Transport\": null, - \"Flags\": { - \"UserPresent\": true, - \"UserVerified\": true, - \"BackupEligible\": false, - \"BackupState\": false + \"id\": \"MVpLMnJna21qV2t3TFhrYUtWQ0ZkQjd6dkdlbHNnT1UvZEFOOFhFck41RTFmME5ld0EzTU9FR2ZOMVhmSmhpTFdaUHMyMkNGT2NmWHZ6QjRMV3NVMG9ZPQ==\", + \"publicKey\": \"MVFFQ0F5WWdBU0ZZSUp2cTNjeE15NGR6V2JveGRXRHMyM3QwTG9vVE9zZ2FxQ0VvYld5cEVmbTRJbGdndUNmSmczNVhIVmhHSTJ3aDMrK2NiT1NNTkMyZHFOY09MNlUrYmorcUpDaz0=\", + \"attestationType\": \"none\", + \"transport\": null, + \"flags\": { + \"userPresent\": true, + \"userVerified\": true, + \"backupEligible\": false, + \"backupState\": false }, - \"Authenticator\": { + \"authenticator\": { \"AAGUID\": \"QUFBQUFBQUFBQUFBQUFBQUFBQUFBQT09\", - \"SignCount\": 0, - \"CloneWarning\": false, - \"Attachment\": \"\" + \"signCount\": 0, + \"cloneWarning\": false, + \"attachment\": \"\" } } } 
@@ -124,14 +124,14 @@ SnapShot = """ } }, \"data\": { - \"credentials\": \"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\" + \"credentials\": \"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\" }, \"type\": \"Opaque\" } """ ['WebAuthn should register new WebAuthn credential for new user 3'] -SnapShot = '{"Creds":[{"Base64URLEncodedId":"QVpLMnJna21qV2t3TFhrYUtWQ0ZkQjd6dkdlbHNnT1UvZEFOOFhFck41RTFmME5ld0EzTU9FR2ZOMVhmSmhpTFdaUHMyMkNGT2NmWHZ6QjRMV3NVMG9ZPQ","DisplayName":"test-cred","Timestamp":1650456000,"Cred":{"ID":"QVpLMnJna21qV2t3TFhrYUtWQ0ZkQjd6dkdlbHNnT1UvZEFOOFhFck41RTFmME5ld0EzTU9FR2ZOMVhmSmhpTFdaUHMyMkNGT2NmWHZ6QjRMV3NVMG9ZPQ==","PublicKey":"cFFFQ0F5WWdBU0ZZSUp2cTNjeE15NGR6V2JveGRXRHMyM3QwTG9vVE9zZ2FxQ0VvYld5cEVmbTRJbGdndUNmSmczNVhIVmhHSTJ3aDMrK2NiT1NNTkMyZHFOY09MNlUrYmorcUpDaz0=","AttestationType":"none","Transport":null,"Flags":{"UserPresent":true,"UserVerified":true,"BackupEligible":false,"BackupState":false},"Authenticator":{"AAGUID":"QUFBQUFBQUFBQUFBQUFBQUFBQUFBQT09","SignCount":0,"CloneWarning":false,"Attachment":""}}}]}' +SnapShot = '{"Creds":[{"Base64URLEncodedId":"QVpLMnJna21qV2t3TFhrYUtWQ0ZkQjd6dkdlbHNnT1UvZEFOOFhFck41RTFmME5ld0EzTU9FR2ZOMVhmSmhpTFdaUHMyMkNGT2NmWHZ6QjRMV3NVMG9ZPQ","DisplayName":"test-cred","Timestamp":1650456000,"Cred":{"id":"QVpLMnJna21qV2t3TFhrYUtWQ0ZkQjd6dkdlbHNnT1UvZEFOOFhFck41RTFmME5ld0EzTU9FR2ZOMVhmSmhpTFdaUHMyMkNGT2NmWHZ6QjRMV3NVMG9ZPQ==","publicKey":"cFFFQ0F5WWdBU0ZZSUp2cTNjeE15NGR6V2JveGRXRHMyM3QwTG9vVE9zZ2FxQ0VvYld5cEVmbTRJbGdndUNmSmczNVhIVmhHSTJ3aDMrK2NiT1NNTkMyZHFOY09MNlUrYmorcUpDaz0=","attestationType":"none","transport":null,"flags":{"userPresent":true,"userVerified":true,"backupEligible":false,"backupState":false},"authenticator":{"AAGUID":"QUFBQUFBQUFBQUFBQUFBQUFBQUFBQT09","signCount":0,"cloneWarning":false,"attachment":""}}}]}' ['WebAuthn should register new WebAuthn credential for new user 4'] SnapShot = """ 
@@ -141,21 +141,21 @@ SnapShot = """ \"DisplayName\": \"test-cred\", \"Timestamp\": 1650456000, \"Cred\": { - \"ID\": \"QVpLMnJna21qV2t3TFhrYUtWQ0ZkQjd6dkdlbHNnT1UvZEFOOFhFck41RTFmME5ld0EzTU9FR2ZOMVhmSmhpTFdaUHMyMkNGT2NmWHZ6QjRMV3NVMG9ZPQ==\", - \"PublicKey\": \"cFFFQ0F5WWdBU0ZZSUp2cTNjeE15NGR6V2JveGRXRHMyM3QwTG9vVE9zZ2FxQ0VvYld5cEVmbTRJbGdndUNmSmczNVhIVmhHSTJ3aDMrK2NiT1NNTkMyZHFOY09MNlUrYmorcUpDaz0=\", - \"AttestationType\": \"none\", - \"Transport\": null, - \"Flags\": { - \"UserPresent\": true, - \"UserVerified\": true, - \"BackupEligible\": false, - \"BackupState\": false + \"id\": \"QVpLMnJna21qV2t3TFhrYUtWQ0ZkQjd6dkdlbHNnT1UvZEFOOFhFck41RTFmME5ld0EzTU9FR2ZOMVhmSmhpTFdaUHMyMkNGT2NmWHZ6QjRMV3NVMG9ZPQ==\", + \"publicKey\": \"cFFFQ0F5WWdBU0ZZSUp2cTNjeE15NGR6V2JveGRXRHMyM3QwTG9vVE9zZ2FxQ0VvYld5cEVmbTRJbGdndUNmSmczNVhIVmhHSTJ3aDMrK2NiT1NNTkMyZHFOY09MNlUrYmorcUpDaz0=\", + \"attestationType\": \"none\", + \"transport\": null, + \"flags\": { + \"userPresent\": true, + \"userVerified\": true, + \"backupEligible\": false, + \"backupState\": false }, - \"Authenticator\": { + \"authenticator\": { \"AAGUID\": \"QUFBQUFBQUFBQUFBQUFBQUFBQUFBQT09\", - \"SignCount\": 0, - \"CloneWarning\": false, - \"Attachment\": \"\" + \"signCount\": 0, + \"cloneWarning\": false, + \"attachment\": \"\" } } } 
@@ -166,21 +166,21 @@ SnapShot = """ SnapShot = """ [ { - \"ID\": \"QVpLMnJna21qV2t3TFhrYUtWQ0ZkQjd6dkdlbHNnT1UvZEFOOFhFck41RTFmME5ld0EzTU9FR2ZOMVhmSmhpTFdaUHMyMkNGT2NmWHZ6QjRMV3NVMG9ZPQ==\", - \"PublicKey\": \"cFFFQ0F5WWdBU0ZZSUp2cTNjeE15NGR6V2JveGRXRHMyM3QwTG9vVE9zZ2FxQ0VvYld5cEVmbTRJbGdndUNmSmczNVhIVmhHSTJ3aDMrK2NiT1NNTkMyZHFOY09MNlUrYmorcUpDaz0=\", - \"AttestationType\": \"none\", - \"Transport\": null, - \"Flags\": { - \"UserPresent\": true, - \"UserVerified\": true, - \"BackupEligible\": false, - \"BackupState\": false + \"id\": \"QVpLMnJna21qV2t3TFhrYUtWQ0ZkQjd6dkdlbHNnT1UvZEFOOFhFck41RTFmME5ld0EzTU9FR2ZOMVhmSmhpTFdaUHMyMkNGT2NmWHZ6QjRMV3NVMG9ZPQ==\", + \"publicKey\": \"cFFFQ0F5WWdBU0ZZSUp2cTNjeE15NGR6V2JveGRXRHMyM3QwTG9vVE9zZ2FxQ0VvYld5cEVmbTRJbGdndUNmSmczNVhIVmhHSTJ3aDMrK2NiT1NNTkMyZHFOY09MNlUrYmorcUpDaz0=\", + \"attestationType\": \"none\", + \"transport\": null, + \"flags\": { + \"userPresent\": true, + \"userVerified\": true, + \"backupEligible\": false, + \"backupState\": false }, - \"Authenticator\": { + \"authenticator\": { \"AAGUID\": \"QUFBQUFBQUFBQUFBQUFBQUFBQUFBQT09\", - \"SignCount\": 0, - \"CloneWarning\": false, - \"Attachment\": \"\" + \"signCount\": 0, + \"cloneWarning\": false, + \"attachment\": \"\" } } ] diff --git a/pkg/auth/webauthn/credentials_test.go b/pkg/auth/webauthn/credentials_test.go index 4c92f4ed..f72c46c0 100644 --- a/pkg/auth/webauthn/credentials_test.go +++ b/pkg/auth/webauthn/credentials_test.go @@ -18,7 +18,7 @@ import ( utilruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/client-go/kubernetes/scheme" "k8s.io/client-go/rest" - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" "sigs.k8s.io/controller-runtime/pkg/envtest" logf "sigs.k8s.io/controller-runtime/pkg/log" "sigs.k8s.io/controller-runtime/pkg/log/zap" 
@@ -242,7 +242,7 @@ var _ = Describe("WebAuthn", func() { Expect(creds).To(MatchSnapShot()) By("update cred1 name") - err = wu.UpdateCredential(ctx, cred1.Base64URLEncodedId, pointer.String("new name")) + err = wu.UpdateCredential(ctx, cred1.Base64URLEncodedId, ptr.To("new name")) Expect(err).NotTo(HaveOccurred()) By("remove cred2") @@ -402,15 +402,15 @@ var _ = Describe("WebAuthn", func() { DescribeTable("✅ success in normal context:", run_test, - Entry("update display name", false, "D09Kc9k4zeoxF1Bq1o0ePtUpTnZDOMDMOwQGnXaiqTU", pointer.String("new display name")), - Entry("update display name to empty", false, "D09Kc9k4zeoxF1Bq1o0ePtUpTnZDOMDMOwQGnXaiqTU", pointer.String("")), + Entry("update display name", false, "D09Kc9k4zeoxF1Bq1o0ePtUpTnZDOMDMOwQGnXaiqTU", ptr.To("new display name")), + Entry("update display name to empty", false, "D09Kc9k4zeoxF1Bq1o0ePtUpTnZDOMDMOwQGnXaiqTU", ptr.To("")), Entry("update display name to empty", false, "D09Kc9k4zeoxF1Bq1o0ePtUpTnZDOMDMOwQGnXaiqTU", nil), - Entry("no change", false, "D09Kc9k4zeoxF1Bq1o0ePtUpTnZDOMDMOwQGnXaiqTU", pointer.String("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36")), + Entry("no change", false, "D09Kc9k4zeoxF1Bq1o0ePtUpTnZDOMDMOwQGnXaiqTU", ptr.To("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36")), ) DescribeTable("❌ fail with invalid request:", run_test, - Entry("credential not found", true, "notfound", pointer.String("new display name")), + Entry("credential not found", true, "notfound", ptr.To("new display name")), ) }) diff --git a/pkg/kosmo/client_test.go b/pkg/kosmo/client_test.go index 6f86d10a..ec2e05ca 100644 --- a/pkg/kosmo/client_test.go +++ b/pkg/kosmo/client_test.go 
@@ -33,6 +33,10 @@ func init() { utilruntime.Must(cosmov1alpha1.AddToScheme(scheme)) tmpl1 = &cosmov1alpha1.Template{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "cosmo-workspace.github.io/v1alpha1", + Kind: "Template", + }, ObjectMeta: metav1.ObjectMeta{ Name: "tmpl1", Labels: map[string]string{ diff --git a/pkg/kosmo/template_test.go b/pkg/kosmo/template_test.go index 0853203c..694e9972 100644 --- a/pkg/kosmo/template_test.go +++ b/pkg/kosmo/template_test.go @@ -71,7 +71,8 @@ func TestClient_GetTemplate(t *testing.T) { }) } if !tt.wantErr && !equality.Semantic.DeepEqual(got, tt.want) { - t.Errorf("Client.GetTemplate() = %v, want %v", got, tt.want) + diff := cmp.Diff(got, tt.want) + t.Errorf("Client.GetTemplate() = %v, want %v\ndiff = %s", got, tt.want, diff) } }) } diff --git a/pkg/kosmo/test/test_util.go b/pkg/kosmo/test/test_util.go index 09f805b4..9f117c8f 100644 --- a/pkg/kosmo/test/test_util.go +++ b/pkg/kosmo/test/test_util.go @@ -7,7 +7,7 @@ import ( . "github.com/onsi/gomega" v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" "sigs.k8s.io/controller-runtime/pkg/client" cosmov1alpha1 "github.com/cosmo-workspace/cosmo/api/v1alpha1" @@ -214,7 +214,7 @@ func (c *TestUtil) CreateWorkspace(userName string, name string, template string Template: cosmov1alpha1.TemplateRef{ Name: template, }, - Replicas: pointer.Int64(1), + Replicas: ptr.To(int64(1)), Vars: vars, } err = c.kosmoClient.Create(ctx, ws) @@ -233,7 +233,7 @@ func (c *TestUtil) StopWorkspace(userName string, name string) { ctx := context.Background() ws, err := c.kosmoClient.GetWorkspaceByUserName(ctx, name, userName) Expect(err).ShouldNot(HaveOccurred()) - ws.Spec.Replicas = pointer.Int64(0) + ws.Spec.Replicas = ptr.To(int64(0)) err = c.kosmoClient.Update(ctx, ws) Expect(err).ShouldNot(HaveOccurred()) } diff --git a/pkg/kubeutil/client_test.go b/pkg/kubeutil/client_test.go index 58345e96..2f103809 100644 --- a/pkg/kubeutil/client_test.go 
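Review bot: In `TestClient_GetTemplate` (pkg/kosmo/template_test.go) the added `cmp.Diff(got, tt.want)` output is printed without a legend, and `cmp.Diff` marks its first argument with `-` and its second with `+`, so here `-` lines are the actual value, the opposite of the common `(-want +got)` reading. State the direction in the message, for example `t.Errorf("Client.GetTemplate() mismatch (-got +want):\n%s", diff)`, or swap the arguments and label it `(-want +got)`. The section shows no import change for `cmp`, so it is presumably already imported in this file; the test function starts and ends outside the hunk.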
+++ b/pkg/kubeutil/client_test.go @@ -18,7 +18,7 @@ import ( "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/types" corev1apply "k8s.io/client-go/applyconfigurations/core/v1" - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/yaml" @@ -182,7 +182,7 @@ spec: By("checking other properties is not modified") // fix spec to applied values - currentPodApplyCfg.Spec.Containers[0].Image = pointer.String("nginx:next") + currentPodApplyCfg.Spec.Containers[0].Image = ptr.To("nginx:next") Expect(currentPodApplyCfg).Should(Equal(podApplyCfg)) }) diff --git a/pkg/kubeutil/test/gomega/equality_test.go b/pkg/kubeutil/test/gomega/equality_test.go index e18410af..6ec7c85f 100644 --- a/pkg/kubeutil/test/gomega/equality_test.go +++ b/pkg/kubeutil/test/gomega/equality_test.go @@ -384,6 +384,8 @@ func TestEqualityDeepEqualMatcher_FailureMessage(t *testing.T) { EnvFrom: nil, Env: nil, Resources: {Limits: nil, Requests: nil, Claims: nil}, + ResizePolicy: nil, + RestartPolicy: nil, VolumeMounts: nil, VolumeDevices: nil, LivenessProbe: nil, @@ -408,6 +410,8 @@ func TestEqualityDeepEqualMatcher_FailureMessage(t *testing.T) { EnvFrom: nil, Env: nil, Resources: {Limits: nil, Requests: nil, Claims: nil}, + ResizePolicy: nil, + RestartPolicy: nil, VolumeMounts: nil, VolumeDevices: nil, LivenessProbe: nil, @@ -467,6 +471,7 @@ func TestEqualityDeepEqualMatcher_FailureMessage(t *testing.T) { Reason: "", NominatedNodeName: "", HostIP: "", + HostIPs: nil, PodIP: "", PodIPs: nil, StartTime: nil, @@ -474,6 +479,8 @@ func TestEqualityDeepEqualMatcher_FailureMessage(t *testing.T) { ContainerStatuses: nil, QOSClass: "", EphemeralContainerStatuses: nil, + Resize: "", + ResourceClaimStatuses: nil, }, } shouled be equal to @@ -512,6 +519,8 @@ shouled be equal to EnvFrom: nil, Env: nil, Resources: {Limits: nil, Requests: nil, Claims: nil}, + ResizePolicy: nil, + RestartPolicy: nil, VolumeMounts: nil, VolumeDevices: nil, LivenessProbe: nil, 
@@ -536,6 +545,8 @@ shouled be equal to EnvFrom: nil, Env: nil, Resources: {Limits: nil, Requests: nil, Claims: nil}, + ResizePolicy: nil, + RestartPolicy: nil, VolumeMounts: nil, VolumeDevices: nil, LivenessProbe: nil, @@ -595,6 +606,7 @@ shouled be equal to Reason: "", NominatedNodeName: "", HostIP: "", + HostIPs: nil, PodIP: "", PodIPs: nil, StartTime: nil, @@ -602,6 +614,8 @@ shouled be equal to ContainerStatuses: nil, QOSClass: "", EphemeralContainerStatuses: nil, + Resize: "", + ResourceClaimStatuses: nil, }, } diff: : v1.Pod{ @@ -617,7 +631,7 @@ diff: : v1.Pod{ + Name: "nginx2", Image: "nginx:alpine", Command: nil, - ... // 19 identical fields + ... // 21 identical fields }, }, EphemeralContainers: nil, @@ -732,6 +746,8 @@ func TestEqualityDeepEqualMatcher_NegatedFailureMessage(t *testing.T) { EnvFrom: nil, Env: nil, Resources: {Limits: nil, Requests: nil, Claims: nil}, + ResizePolicy: nil, + RestartPolicy: nil, VolumeMounts: nil, VolumeDevices: nil, LivenessProbe: nil, @@ -756,6 +772,8 @@ func TestEqualityDeepEqualMatcher_NegatedFailureMessage(t *testing.T) { EnvFrom: nil, Env: nil, Resources: {Limits: nil, Requests: nil, Claims: nil}, + ResizePolicy: nil, + RestartPolicy: nil, VolumeMounts: nil, VolumeDevices: nil, LivenessProbe: nil, @@ -815,6 +833,7 @@ func TestEqualityDeepEqualMatcher_NegatedFailureMessage(t *testing.T) { Reason: "", NominatedNodeName: "", HostIP: "", + HostIPs: nil, PodIP: "", PodIPs: nil, StartTime: nil, @@ -822,6 +841,8 @@ func TestEqualityDeepEqualMatcher_NegatedFailureMessage(t *testing.T) { ContainerStatuses: nil, QOSClass: "", EphemeralContainerStatuses: nil, + Resize: "", + ResourceClaimStatuses: nil, }, } not to equal @@ -860,6 +881,8 @@ not to equal EnvFrom: nil, Env: nil, Resources: {Limits: nil, Requests: nil, Claims: nil}, + ResizePolicy: nil, + RestartPolicy: nil, VolumeMounts: nil, VolumeDevices: nil, LivenessProbe: nil, 
@@ -884,6 +907,8 @@ not to equal EnvFrom: nil, Env: nil, Resources: {Limits: nil, Requests: nil, Claims: nil}, + ResizePolicy: nil, + RestartPolicy: nil, VolumeMounts: nil, VolumeDevices: nil, LivenessProbe: nil, @@ -943,6 +968,7 @@ not to equal Reason: "", NominatedNodeName: "", HostIP: "", + HostIPs: nil, PodIP: "", PodIPs: nil, StartTime: nil, @@ -950,6 +976,8 @@ not to equal ContainerStatuses: nil, QOSClass: "", EphemeralContainerStatuses: nil, + Resize: "", + ResourceClaimStatuses: nil, }, }`, }, diff --git a/pkg/kubeutil/test/gomega/loosedeepequal_test.go b/pkg/kubeutil/test/gomega/loosedeepequal_test.go index 33790942..f3eb1f01 100644 --- a/pkg/kubeutil/test/gomega/loosedeepequal_test.go +++ b/pkg/kubeutil/test/gomega/loosedeepequal_test.go @@ -391,6 +391,8 @@ func TestLooseDeepEqualMatcher_FailureMessage(t *testing.T) { EnvFrom: nil, Env: nil, Resources: {Limits: nil, Requests: nil, Claims: nil}, + ResizePolicy: nil, + RestartPolicy: nil, VolumeMounts: nil, VolumeDevices: nil, LivenessProbe: nil, @@ -415,6 +417,8 @@ func TestLooseDeepEqualMatcher_FailureMessage(t *testing.T) { EnvFrom: nil, Env: nil, Resources: {Limits: nil, Requests: nil, Claims: nil}, + ResizePolicy: nil, + RestartPolicy: nil, VolumeMounts: nil, VolumeDevices: nil, LivenessProbe: nil, @@ -474,6 +478,7 @@ func TestLooseDeepEqualMatcher_FailureMessage(t *testing.T) { Reason: "", NominatedNodeName: "", HostIP: "", + HostIPs: nil, PodIP: "", PodIPs: nil, StartTime: nil, @@ -481,6 +486,8 @@ func TestLooseDeepEqualMatcher_FailureMessage(t *testing.T) { ContainerStatuses: nil, QOSClass: "", EphemeralContainerStatuses: nil, + Resize: "", + ResourceClaimStatuses: nil, }, } shouled be equal to @@ -519,6 +526,8 @@ shouled be equal to EnvFrom: nil, Env: nil, Resources: {Limits: nil, Requests: nil, Claims: nil}, + ResizePolicy: nil, + RestartPolicy: nil, VolumeMounts: nil, VolumeDevices: nil, LivenessProbe: nil, 
@@ -543,6 +552,8 @@ shouled be equal to EnvFrom: nil, Env: nil, Resources: {Limits: nil, Requests: nil, Claims: nil}, + ResizePolicy: nil, + RestartPolicy: nil, VolumeMounts: nil, VolumeDevices: nil, LivenessProbe: nil, @@ -602,6 +613,7 @@ shouled be equal to Reason: "", NominatedNodeName: "", HostIP: "", + HostIPs: nil, PodIP: "", PodIPs: nil, StartTime: nil, @@ -609,6 +621,8 @@ shouled be equal to ContainerStatuses: nil, QOSClass: "", EphemeralContainerStatuses: nil, + Resize: "", + ResourceClaimStatuses: nil, }, } diff: : &v1.Pod{ @@ -624,7 +638,7 @@ diff: : &v1.Pod{ + Name: "nginx2", Image: "nginx:alpine", Command: nil, - ... // 19 identical fields + ... // 21 identical fields }, }, EphemeralContainers: nil, @@ -750,6 +764,8 @@ func TestLooseDeepEqualMatcher_NegatedFailureMessage(t *testing.T) { EnvFrom: nil, Env: nil, Resources: {Limits: nil, Requests: nil, Claims: nil}, + ResizePolicy: nil, + RestartPolicy: nil, VolumeMounts: nil, VolumeDevices: nil, LivenessProbe: nil, @@ -774,6 +790,8 @@ func TestLooseDeepEqualMatcher_NegatedFailureMessage(t *testing.T) { EnvFrom: nil, Env: nil, Resources: {Limits: nil, Requests: nil, Claims: nil}, + ResizePolicy: nil, + RestartPolicy: nil, VolumeMounts: nil, VolumeDevices: nil, LivenessProbe: nil, @@ -833,6 +851,7 @@ func TestLooseDeepEqualMatcher_NegatedFailureMessage(t *testing.T) { Reason: "", NominatedNodeName: "", HostIP: "", + HostIPs: nil, PodIP: "", PodIPs: nil, StartTime: nil, @@ -840,6 +859,8 @@ func TestLooseDeepEqualMatcher_NegatedFailureMessage(t *testing.T) { ContainerStatuses: nil, QOSClass: "", EphemeralContainerStatuses: nil, + Resize: "", + ResourceClaimStatuses: nil, }, } not to equal @@ -878,6 +899,8 @@ not to equal EnvFrom: nil, Env: nil, Resources: {Limits: nil, Requests: nil, Claims: nil}, + ResizePolicy: nil, + RestartPolicy: nil, VolumeMounts: nil, VolumeDevices: nil, LivenessProbe: nil, 
@@ -902,6 +925,8 @@ not to equal EnvFrom: nil, Env: nil, Resources: {Limits: nil, Requests: nil, Claims: nil}, + ResizePolicy: nil, + RestartPolicy: nil, VolumeMounts: nil, VolumeDevices: nil, LivenessProbe: nil, @@ -961,6 +986,7 @@ not to equal Reason: "", NominatedNodeName: "", HostIP: "", + HostIPs: nil, PodIP: "", PodIPs: nil, StartTime: nil, @@ -968,6 +994,8 @@ not to equal ContainerStatuses: nil, QOSClass: "", EphemeralContainerStatuses: nil, + Resize: "", + ResourceClaimStatuses: nil, }, }`, }, diff --git a/pkg/snap/object_snapshot.go b/pkg/snap/object_snapshot.go index c1ffce55..3eb30a07 100644 --- a/pkg/snap/object_snapshot.go +++ b/pkg/snap/object_snapshot.go @@ -77,6 +77,12 @@ func ServiceSnapshot(in *corev1.Service) *corev1.Service { return obj } +func PersistentVolumeSnapshot(obj *corev1.PersistentVolume) client.Object { + o := ObjectSnapshot(obj).(*corev1.PersistentVolume) + o.Status.LastPhaseTransitionTime = nil + return o +} + func ObjectSnapshot(obj client.Object) client.Object { t := obj.DeepCopyObject() o := t.(client.Object) diff --git a/pkg/useraddon/useraddon_test.go b/pkg/useraddon/useraddon_test.go index 2bf9bb1f..e598e671 100644 --- a/pkg/useraddon/useraddon_test.go +++ b/pkg/useraddon/useraddon_test.go @@ -8,7 +8,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" utilruntime "k8s.io/apimachinery/pkg/util/runtime" - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" cosmov1alpha1 "github.com/cosmo-workspace/cosmo/api/v1alpha1" "github.com/cosmo-workspace/cosmo/pkg/template" 
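Review bot: `PersistentVolumeSnapshot` returns `client.Object`, while the neighbouring `ServiceSnapshot` named in the hunk header returns the concrete `*corev1.Service`, so callers of the new helper have to type-assert the result back to a PersistentVolume. Matching the existing helper would make the signature `func PersistentVolumeSnapshot(obj *corev1.PersistentVolume) *corev1.PersistentVolume {`. The exported function also has no doc comment; `// PersistentVolumeSnapshot returns a deep-copied snapshot of obj with Status.LastPhaseTransitionTime cleared.` would record what is dropped, and the reason should be added once confirmed (presumably the timestamp differs between test runs). The body of `ObjectSnapshot` continues outside the hunk, so what else it strips cannot be checked from here.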
@@ -358,8 +358,8 @@ func TestPatchUserAddonInstanceAsDesired(t *testing.T) { Kind: "User", Name: tt.args.user.GetName(), UID: tt.args.user.GetUID(), - BlockOwnerDeletion: pointer.BoolPtr(true), - Controller: pointer.BoolPtr(true), + BlockOwnerDeletion: ptr.To(true), + Controller: ptr.To(true), } if !equality.Semantic.DeepEqual(ownerRef[0], expectedRef) { t.Errorf("EmptyInstanceObject() owner ref = %v, want %v", ownerRef[0], expectedRef) diff --git a/pkg/workspace/traefik_ingressroute.go b/pkg/workspace/traefik_ingressroute.go index 8a962669..bfe22d76 100644 --- a/pkg/workspace/traefik_ingressroute.go +++ b/pkg/workspace/traefik_ingressroute.go @@ -4,7 +4,7 @@ import ( "fmt" "strings" - traefikv1 "github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/traefikio/v1alpha1" + traefikv1 "github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/traefikio/v1alpha1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/util/intstr" ctrl "sigs.k8s.io/controller-runtime" diff --git a/pkg/workspace/traefik_ingressroute_test.go b/pkg/workspace/traefik_ingressroute_test.go index ca92f8dc..71aaebf6 100644 --- a/pkg/workspace/traefik_ingressroute_test.go +++ b/pkg/workspace/traefik_ingressroute_test.go @@ -4,12 +4,12 @@ import ( "testing" "github.com/gkampitakis/go-snaps/snaps" - traefikv1 "github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/traefikio/v1alpha1" + traefikv1 "github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/traefikio/v1alpha1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" utilruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/client-go/kubernetes/scheme" - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" cosmov1alpha1 "github.com/cosmo-workspace/cosmo/api/v1alpha1" ) 
@@ -59,7 +59,7 @@ func TestTraefikIngressRouteConfig_PatchTraefikIngressRouteAsDesired(t *testing. PortNumber: 8080, HTTPPath: "/", CustomHostPrefix: "main", - TargetPortNumber: pointer.Int32(18080), + TargetPortNumber: ptr.To(int32(18080)), Public: false, }, { diff --git a/pkg/workspace/workspace_test.go b/pkg/workspace/workspace_test.go index ef2f664e..74b5c7e3 100644 --- a/pkg/workspace/workspace_test.go +++ b/pkg/workspace/workspace_test.go @@ -7,7 +7,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" utilruntime "k8s.io/apimachinery/pkg/util/runtime" - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" cosmov1alpha1 "github.com/cosmo-workspace/cosmo/api/v1alpha1" ) @@ -38,7 +38,7 @@ func TestPatchWorkspaceInstanceAsDesired(t *testing.T) { Template: cosmov1alpha1.TemplateRef{ Name: "tmpl1", }, - Replicas: pointer.Int64(1), + Replicas: ptr.To(int64(1)), Vars: map[string]string{ "VAR1": "VAL1", }, @@ -46,12 +46,12 @@ func TestPatchWorkspaceInstanceAsDesired(t *testing.T) { { PortNumber: 8080, HTTPPath: "/", - TargetPortNumber: pointer.Int32(18080), + TargetPortNumber: ptr.To(int32(18080)), }, { PortNumber: 9999, HTTPPath: "/", - TargetPortNumber: pointer.Int32(19999), + TargetPortNumber: ptr.To(int32(19999)), }, }, }, @@ -84,7 +84,7 @@ func TestPatchWorkspaceInstanceAsDesired(t *testing.T) { Template: cosmov1alpha1.TemplateRef{ Name: "tmpl1", }, - Replicas: pointer.Int64(0), + Replicas: ptr.To(int64(0)), }, Status: cosmov1alpha1.WorkspaceStatus{ Config: cosmov1alpha1.Config{ @@ -115,7 +115,7 @@ func TestPatchWorkspaceInstanceAsDesired(t *testing.T) { Template: cosmov1alpha1.TemplateRef{ Name: "tmpl1", }, - Replicas: pointer.Int64(0), + Replicas: ptr.To(int64(0)), }, Status: cosmov1alpha1.WorkspaceStatus{ Config: cosmov1alpha1.Config{ 
@@ -151,7 +151,7 @@ func TestSvcPorts(t *testing.T) { netRule := func(ruleName, host, path string, portNumber, targetPortNumber int32) cosmov1alpha1.NetworkRule { var targetp *int32 if targetPortNumber != 0 { - targetp = pointer.Int32(int32(targetPortNumber)) + targetp = ptr.To(int32(int32(targetPortNumber))) } return cosmov1alpha1.NetworkRule{ PortNumber: portNumber, diff --git a/traefik/plugins/cosmo-workspace/cosmoauth/Makefile b/traefik/plugins/cosmo-workspace/cosmoauth/Makefile index e7fc0bcd..4246e9c3 100644 --- a/traefik/plugins/cosmo-workspace/cosmoauth/Makefile +++ b/traefik/plugins/cosmo-workspace/cosmoauth/Makefile @@ -12,7 +12,7 @@ yaegi_test: yaegi test -v . vendor: - go mod vendor + GOWORK=off go mod vendor clean: rm -rf ./vendor \ No newline at end of file diff --git a/traefik/plugins/cosmo-workspace/cosmoauth/go.mod b/traefik/plugins/cosmo-workspace/cosmoauth/go.mod index 13bcf732..7d065220 100644 --- a/traefik/plugins/cosmo-workspace/cosmoauth/go.mod +++ b/traefik/plugins/cosmo-workspace/cosmoauth/go.mod 
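Review bot: The new line `targetp = ptr.To(int32(int32(targetPortNumber)))` in the `netRule` closure converts the value twice. `targetPortNumber` is already declared `int32` in the closure's parameter list, so `targetp = ptr.To(targetPortNumber)` is enough and the generic still yields `*int32`. The old inner `int32(...)` was already redundant, and the mechanical `pointer.Int32` rewrite stacked a second conversion on top of it. The closure body continues outside the hunk.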
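Review bot: The `vendor` target now runs `GOWORK=off go mod vendor` with no comment saying why the workspace is switched off, while the go.mod in the same directory still requires `github.com/cosmo-workspace/cosmo v0.0.0 // from this go workspace`. With the workspace disabled, that requirement has to resolve from go.mod alone. The go.mod hunk on this page shows no `replace` directive, so if none exists further down the file, the go command would look for that placeholder version on the module proxy rather than in the local tree. Confirm where the vendored copy of that module actually comes from. A comment above the `vendor:` target such as `# GOWORK=off: vendor strictly from this module's go.mod, not the repo-level go.work` would document the intent.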
@@ -1,22 +1,25 @@ module github.com/cosmo-workspace/cosmoauth -go 1.20 +go 1.22.0 + +toolchain go1.22.3 require ( github.com/cosmo-workspace/cosmo v0.0.0 // from this go workspace - github.com/gorilla/sessions v1.2.1 + github.com/gorilla/sessions v1.2.2 ) -require github.com/gkampitakis/go-snaps v0.4.3 +require github.com/gkampitakis/go-snaps v0.5.4 require ( - github.com/gkampitakis/ciinfo v0.2.4 // indirect + github.com/gkampitakis/ciinfo v0.3.0 // indirect github.com/gkampitakis/go-diff v1.3.2 // indirect - github.com/gorilla/securecookie v1.1.1 // indirect + github.com/gorilla/securecookie v1.1.2 // indirect github.com/kr/pretty v0.3.1 // indirect github.com/kr/text v0.2.0 // indirect - github.com/rogpeppe/go-internal v1.9.0 // indirect - github.com/tidwall/gjson v1.14.4 // indirect + github.com/maruel/natural v1.1.1 // indirect + github.com/rogpeppe/go-internal v1.12.0 // indirect + github.com/tidwall/gjson v1.17.1 // indirect github.com/tidwall/match v1.1.1 // indirect github.com/tidwall/pretty v1.2.1 // indirect github.com/tidwall/sjson v1.2.5 // indirect diff --git a/traefik/plugins/cosmo-workspace/cosmoauth/go.sum b/traefik/plugins/cosmo-workspace/cosmoauth/go.sum index 571fc654..1efaa21e 100644 --- a/traefik/plugins/cosmo-workspace/cosmoauth/go.sum +++ b/traefik/plugins/cosmo-workspace/cosmoauth/go.sum 
@@ -1,24 +1,29 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= -github.com/gkampitakis/ciinfo v0.2.4 h1:Ip1hf4K7ISRuVlDrheuhaeffg1VOhlyeFGaQ/vTxrtE= -github.com/gkampitakis/ciinfo v0.2.4/go.mod h1:1NIwaOcFChN4fa/B0hEBdAb6npDlFL8Bwx4dfRLRqAo= +github.com/gkampitakis/ciinfo v0.3.0 h1:gWZlOC2+RYYttL0hBqcoQhM7h1qNkVqvRCV1fOvpAv8= +github.com/gkampitakis/ciinfo v0.3.0/go.mod h1:1NIwaOcFChN4fa/B0hEBdAb6npDlFL8Bwx4dfRLRqAo= github.com/gkampitakis/go-diff v1.3.2 h1:Qyn0J9XJSDTgnsgHRdz9Zp24RaJeKMUHg2+PDZZdC4M= github.com/gkampitakis/go-diff v1.3.2/go.mod h1:LLgOrpqleQe26cte8s36HTWcTmMEur6OPYerdAAS9tk= -github.com/gkampitakis/go-snaps v0.4.3 h1:0awAg/9gGT63bcaWmigfbGt+tsuIKlI/TiqLP5e+2Cc= -github.com/gkampitakis/go-snaps v0.4.3/go.mod h1:oEL8WdkP4EpHdMA3wrNRjfRiV9wV3OhU/JpX9l4joA0= -github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ= -github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4= -github.com/gorilla/sessions v1.2.1 h1:DHd3rPN5lE3Ts3D8rKkQ8x/0kqfeNmBAaiSi+o7FsgI= -github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM= +github.com/gkampitakis/go-snaps v0.5.4 h1:GX+dkKmVsRenz7SoTbdIEL4KQARZctkMiZ8ZKprRwT8= +github.com/gkampitakis/go-snaps v0.5.4/go.mod h1:ZABkO14uCuVxBHAXAfKG+bqNz+aa1bGPAg8jkI0Nk8Y= +github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= +github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA= +github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo= +github.com/gorilla/sessions v1.2.2 h1:lqzMYz6bOfvn2WriPUjNByzeXIlVzURcPmgMczkmTjY= +github.com/gorilla/sessions v1.2.2/go.mod h1:ePLdVu+jbEgHH+KWw8I1z2wqd0BAdAQh/8LRvBeoNcQ= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty 
v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/maruel/natural v1.1.1 h1:Hja7XhhmvEFhcByqDoHz9QZbkWey+COd9xWfCfn1ioo= +github.com/maruel/natural v1.1.1/go.mod h1:v+Rfd79xlw1AgVBjbO0BEQmptqb5HvL/k9GRHB7ZKEg= github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= -github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8= github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= +github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= +github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= github.com/tidwall/gjson v1.14.2/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= -github.com/tidwall/gjson v1.14.4 h1:uo0p8EbA09J7RQaflQ1aBRffTR7xedD2bcIVSYxLnkM= -github.com/tidwall/gjson v1.14.4/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= +github.com/tidwall/gjson v1.17.1 h1:wlYEnwqAHgzmhNUFfw7Xalt2JzQvsMx2Se4PcoFCT/U= +github.com/tidwall/gjson v1.17.1/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA= github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM= github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=