From 7ed119b2ac922f517244a8349d847cce57e75c97 Mon Sep 17 00:00:00 2001 From: Julien Bouquillon Date: Fri, 7 Apr 2023 11:04:59 +0200 Subject: [PATCH 1/4] fix(patches): allow beta.gouv.fr as cert-manager hosts --- .../__snapshots__/ingress-betagouv.prod.yaml | 284 +++++++++++++++++ .../ingress-custom-annotations.prod.yaml | 285 ++++++++++++++++++ .../ingress-custom-certs.prod.yaml | 281 +++++++++++++++++ .../samples/ingress-betagouv/config.yaml | 3 + .../ingress-betagouv/env/prod/values.yaml | 3 + .../ingress-custom-annotations/config.yaml | 3 + .../env/prod/values.yaml | 5 + .../samples/ingress-custom-certs/config.yaml | 3 + .../ingress-custom-certs/env/prod/values.yaml | 3 + plugins/contrib/patches/certs.js | 3 +- plugins/fabrique/kontinuous.yaml | 26 +- 11 files changed, 885 insertions(+), 14 deletions(-) create mode 100644 packages/kontinuous/tests/__snapshots__/ingress-betagouv.prod.yaml create mode 100644 packages/kontinuous/tests/__snapshots__/ingress-custom-annotations.prod.yaml create mode 100644 packages/kontinuous/tests/__snapshots__/ingress-custom-certs.prod.yaml create mode 100644 packages/kontinuous/tests/samples/ingress-betagouv/config.yaml create mode 100644 packages/kontinuous/tests/samples/ingress-betagouv/env/prod/values.yaml create mode 100644 packages/kontinuous/tests/samples/ingress-custom-annotations/config.yaml create mode 100644 packages/kontinuous/tests/samples/ingress-custom-annotations/env/prod/values.yaml create mode 100644 packages/kontinuous/tests/samples/ingress-custom-certs/config.yaml create mode 100644 packages/kontinuous/tests/samples/ingress-custom-certs/env/prod/values.yaml diff --git a/packages/kontinuous/tests/__snapshots__/ingress-betagouv.prod.yaml b/packages/kontinuous/tests/__snapshots__/ingress-betagouv.prod.yaml new file mode 100644 index 0000000000..04dfc1febb --- /dev/null +++ b/packages/kontinuous/tests/__snapshots__/ingress-betagouv.prod.yaml 
@@ -0,0 +1,284 @@ +// Jest Snapshot v1, https://goo.gl/fbAQLP + +exports[`test build manifests with snapshots ingress-betagouv.prod 1`] = ` +"apiVersion: v1 +kind: Namespace +metadata: + annotations: + field.cattle.io/projectId: \\"1234\\" + kontinuous/gitBranch: feature-branch-1 + kontinuous/mainNamespace: \\"true\\" + kapp.k14s.io/exists: \\"\\" + kontinuous/chartPath: project.fabrique.contrib.rancher-namespace + kontinuous/source: project/charts/fabrique/charts/contrib/charts/rancher-namespace/templates/namespace.yaml + kontinuous/deployment: test-ingress-betagouv-feature-branch-1-ffac537e6cbbf9-kk9zkm6i + labels: + application: test-ingress-betagouv + kontinuous/deployment: test-ingress-betagouv-feature-branch-1-ffac537e6cbbf9-kk9zkm6i + kontinuous/deployment.env: test-ingress-betagouv-prod + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: namespace-test-ingress-betagouv-2w4zjtae + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous + name: test-ingress-betagouv +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: netpol-ingress + namespace: test-ingress-betagouv + annotations: + kontinuous/chartPath: project.fabrique.contrib.security-policies + kontinuous/source: project/charts/fabrique/charts/contrib/charts/security-policies/templates/network-policy.yml + kontinuous/deployment: test-ingress-betagouv-feature-branch-1-ffac537e6cbbf9-kk9zkm6i + labels: + kontinuous/deployment: test-ingress-betagouv-feature-branch-1-ffac537e6cbbf9-kk9zkm6i + kontinuous/deployment.env: test-ingress-betagouv-prod + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: networkpolicy-netpol-ingress-61ndxljw + 
app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous +spec: + ingress: + - from: + - podSelector: {} + - from: + - namespaceSelector: + matchLabels: + network-policy/source: ingress-controller + - from: + - namespaceSelector: + matchLabels: + network-policy/source: monitoring + podSelector: {} + policyTypes: + - Ingress +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: default + annotations: + kontinuous/chartPath: project.fabrique.contrib.security-policies + kontinuous/source: project/charts/fabrique/charts/contrib/charts/security-policies/templates/service-account.yaml + kontinuous/deployment: test-ingress-betagouv-feature-branch-1-ffac537e6cbbf9-kk9zkm6i + labels: + kontinuous/deployment: test-ingress-betagouv-feature-branch-1-ffac537e6cbbf9-kk9zkm6i + kontinuous/deployment.env: test-ingress-betagouv-prod + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: serviceaccount-default-2g5dmk74 + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous + namespace: test-ingress-betagouv +automountServiceAccountToken: false +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + component: metabase + application: test-ingress-betagouv + kontinuous/deployment: test-ingress-betagouv-feature-branch-1-ffac537e6cbbf9-kk9zkm6i + kontinuous/deployment.env: test-ingress-betagouv-prod + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: configmap-metabase-1tfah3wb + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous + name: metabase + namespace: test-ingress-betagouv + annotations: + kontinuous/chartPath: project.fabrique.contrib.metabase + 
kontinuous/source: project/charts/fabrique/charts/contrib/charts/metabase/templates/configmap.yaml + kontinuous/deployment: test-ingress-betagouv-feature-branch-1-ffac537e6cbbf9-kk9zkm6i +data: + MB_APPLICATION_NAME: metabase + MB_DB_TYPE: postgres + MB_ADMIN_EMAIL: admin@fabrique.social.gouv.fr + MB_ANON_TRACKING_ENABLED: \\"false\\" + MB_APPLICATION_LOGO_URL: https://socialgouv.github.io/support/_media/marianne.jpeg + MB_EMAIL_FROM_ADDRESS: contact@fabrique.social.gouv.fr + MB_ENABLE_EMBEDDING: \\"true\\" + MB_ENABLE_PUBLIC_SHARING: \\"true\\" + MB_SITE_LOCALE: fr + MB_SITE_NAME: Fabrique des ministères sociaux + MB_SITE_URL: https://some.beta.gouv.fr +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + component: metabase + application: test-ingress-betagouv + kontinuous/deployment: test-ingress-betagouv-feature-branch-1-ffac537e6cbbf9-kk9zkm6i + kontinuous/deployment.env: test-ingress-betagouv-prod + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: deployment-metabase-5wn3odrk + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous + name: metabase + namespace: test-ingress-betagouv + annotations: + kontinuous/chartPath: project.fabrique.contrib.metabase + kontinuous/source: project/charts/fabrique/charts/contrib/charts/metabase/templates/deployment.yaml + kontinuous/deployment: test-ingress-betagouv-feature-branch-1-ffac537e6cbbf9-kk9zkm6i + kontinuous/depname.full: project.fabrique.contrib.metabase.deployment.metabase + kontinuous/depname.chartResource: metabase.deployment.metabase + kontinuous/depname.chartName: metabase + kontinuous/depname.chartPath: project.fabrique.contrib.metabase + kontinuous/depname.resourcePath: deployment.metabase + kontinuous/depname.resourceName: metabase + kontinuous/depname.chartNameTopFull: metabase + 
kontinuous/depname.chartNameTop: metabase + kontinuous/plugin.log: \\"false\\" + reloader.stakater.com/auto: \\"true\\" +spec: + replicas: 1 + selector: + matchLabels: + component: metabase + template: + metadata: + labels: + component: metabase + kontinuous/deployment: test-ingress-betagouv-feature-branch-1-ffac537e6cbbf9-kk9zkm6i + kontinuous/deployment.env: test-ingress-betagouv-prod + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: deployment-metabase-5wn3odrk + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous + annotations: + kontinuous/deployment: test-ingress-betagouv-feature-branch-1-ffac537e6cbbf9-kk9zkm6i + spec: + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + runAsNonRoot: true + containers: + - image: metabase/metabase:v0.45.3 + name: metabase + securityContext: + allowPrivilegeEscalation: false + envFrom: + - configMapRef: + name: metabase + ports: + - containerPort: 3000 + name: http + startupProbe: + failureThreshold: 30 + httpGet: + path: /api/health + port: http + periodSeconds: 10 + initialDelaySeconds: 60 + successThreshold: 1 + timeoutSeconds: 10 + readinessProbe: + failureThreshold: 15 + httpGet: + path: /api/health + port: http + initialDelaySeconds: 1 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + livenessProbe: + failureThreshold: 6 + httpGet: + path: /api/health + port: http + initialDelaySeconds: 30 + periodSeconds: 5 + timeoutSeconds: 5 + resources: + limits: + cpu: 1000m + memory: 2048Mi + requests: + cpu: 500m + memory: 512Mi +--- +apiVersion: v1 +kind: Service +metadata: + labels: + component: metabase + application: test-ingress-betagouv + kontinuous/deployment: test-ingress-betagouv-feature-branch-1-ffac537e6cbbf9-kk9zkm6i + kontinuous/deployment.env: test-ingress-betagouv-prod + kontinuous/ref: 
feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: service-metabase-5idimw41 + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous + name: metabase + namespace: test-ingress-betagouv + annotations: + kontinuous/chartPath: project.fabrique.contrib.metabase + kontinuous/source: project/charts/fabrique/charts/contrib/charts/metabase/templates/service.yaml + kontinuous/deployment: test-ingress-betagouv-feature-branch-1-ffac537e6cbbf9-kk9zkm6i +spec: + ports: + - name: http + port: 80 + targetPort: 3000 + selector: + component: metabase + type: ClusterIP +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + kubernetes.io/ingress.class: nginx + kontinuous/chartPath: project.fabrique.contrib.metabase + kontinuous/source: project/charts/fabrique/charts/contrib/charts/metabase/templates/ingress.yaml + kontinuous/deployment: test-ingress-betagouv-feature-branch-1-ffac537e6cbbf9-kk9zkm6i + cert-manager.io: cluster-issuer + cert-manager.io/cluster-issuer: letsencrypt-prod + kubernetes.io/tls-acme: \\"true\\" + labels: + component: metabase + application: test-ingress-betagouv + kontinuous/deployment: test-ingress-betagouv-feature-branch-1-ffac537e6cbbf9-kk9zkm6i + kontinuous/deployment.env: test-ingress-betagouv-prod + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: ingress-metabase-5ybj4te8 + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous + name: metabase + namespace: test-ingress-betagouv +spec: + rules: + - host: some.beta.gouv.fr + http: + paths: + - backend: + service: + name: metabase + port: + name: http + path: / + pathType: Prefix + tls: + - hosts: + - some.beta.gouv.fr + 
secretName: metabase-crt +" +`; diff --git a/packages/kontinuous/tests/__snapshots__/ingress-custom-annotations.prod.yaml b/packages/kontinuous/tests/__snapshots__/ingress-custom-annotations.prod.yaml new file mode 100644 index 0000000000..bfb0669511 --- /dev/null +++ b/packages/kontinuous/tests/__snapshots__/ingress-custom-annotations.prod.yaml 
@@ -0,0 +1,285 @@ +// Jest Snapshot v1, https://goo.gl/fbAQLP + +exports[`test build manifests with snapshots ingress-custom-annotations.prod 1`] = ` +"apiVersion: v1 +kind: Namespace +metadata: + annotations: + field.cattle.io/projectId: \\"1234\\" + kontinuous/gitBranch: feature-branch-1 + kontinuous/mainNamespace: \\"true\\" + kapp.k14s.io/exists: \\"\\" + kontinuous/chartPath: project.fabrique.contrib.rancher-namespace + kontinuous/source: project/charts/fabrique/charts/contrib/charts/rancher-namespace/templates/namespace.yaml + kontinuous/deployment: test-ingress-custom-annotations-feature-branch-1-ffac-361bby73 + labels: + application: test-ingress-custom-annotations + kontinuous/deployment: test-ingress-custom-annotations-feature-branch-1-ffac-361bby73 + kontinuous/deployment.env: test-ingress-custom-annotations-prod + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: namespace-test-ingress-custom-annotations-65i7mxa4 + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous + name: test-ingress-custom-annotations +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: netpol-ingress + namespace: test-ingress-custom-annotations + annotations: + kontinuous/chartPath: project.fabrique.contrib.security-policies + kontinuous/source: project/charts/fabrique/charts/contrib/charts/security-policies/templates/network-policy.yml + kontinuous/deployment: test-ingress-custom-annotations-feature-branch-1-ffac-361bby73 + labels: + kontinuous/deployment: test-ingress-custom-annotations-feature-branch-1-ffac-361bby73 + kontinuous/deployment.env: test-ingress-custom-annotations-prod + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: 
networkpolicy-netpol-ingress-61ndxljw + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous +spec: + ingress: + - from: + - podSelector: {} + - from: + - namespaceSelector: + matchLabels: + network-policy/source: ingress-controller + - from: + - namespaceSelector: + matchLabels: + network-policy/source: monitoring + podSelector: {} + policyTypes: + - Ingress +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: default + annotations: + kontinuous/chartPath: project.fabrique.contrib.security-policies + kontinuous/source: project/charts/fabrique/charts/contrib/charts/security-policies/templates/service-account.yaml + kontinuous/deployment: test-ingress-custom-annotations-feature-branch-1-ffac-361bby73 + labels: + kontinuous/deployment: test-ingress-custom-annotations-feature-branch-1-ffac-361bby73 + kontinuous/deployment.env: test-ingress-custom-annotations-prod + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: serviceaccount-default-2g5dmk74 + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous + namespace: test-ingress-custom-annotations +automountServiceAccountToken: false +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + component: metabase + application: test-ingress-custom-annotations + kontinuous/deployment: test-ingress-custom-annotations-feature-branch-1-ffac-361bby73 + kontinuous/deployment.env: test-ingress-custom-annotations-prod + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: configmap-metabase-1tfah3wb + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous + name: metabase + namespace: 
test-ingress-custom-annotations + annotations: + kontinuous/chartPath: project.fabrique.contrib.metabase + kontinuous/source: project/charts/fabrique/charts/contrib/charts/metabase/templates/configmap.yaml + kontinuous/deployment: test-ingress-custom-annotations-feature-branch-1-ffac-361bby73 +data: + MB_APPLICATION_NAME: metabase + MB_DB_TYPE: postgres + MB_ADMIN_EMAIL: admin@fabrique.social.gouv.fr + MB_ANON_TRACKING_ENABLED: \\"false\\" + MB_APPLICATION_LOGO_URL: https://socialgouv.github.io/support/_media/marianne.jpeg + MB_EMAIL_FROM_ADDRESS: contact@fabrique.social.gouv.fr + MB_ENABLE_EMBEDDING: \\"true\\" + MB_ENABLE_PUBLIC_SHARING: \\"true\\" + MB_SITE_LOCALE: fr + MB_SITE_NAME: Fabrique des ministères sociaux + MB_SITE_URL: https://metabase-test-ingress-custom-annotations.fabrique.social.gouv.fr +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + component: metabase + application: test-ingress-custom-annotations + kontinuous/deployment: test-ingress-custom-annotations-feature-branch-1-ffac-361bby73 + kontinuous/deployment.env: test-ingress-custom-annotations-prod + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: deployment-metabase-5wn3odrk + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous + name: metabase + namespace: test-ingress-custom-annotations + annotations: + kontinuous/chartPath: project.fabrique.contrib.metabase + kontinuous/source: project/charts/fabrique/charts/contrib/charts/metabase/templates/deployment.yaml + kontinuous/deployment: test-ingress-custom-annotations-feature-branch-1-ffac-361bby73 + kontinuous/depname.full: project.fabrique.contrib.metabase.deployment.metabase + kontinuous/depname.chartResource: metabase.deployment.metabase + kontinuous/depname.chartName: metabase + kontinuous/depname.chartPath: 
project.fabrique.contrib.metabase + kontinuous/depname.resourcePath: deployment.metabase + kontinuous/depname.resourceName: metabase + kontinuous/depname.chartNameTopFull: metabase + kontinuous/depname.chartNameTop: metabase + kontinuous/plugin.log: \\"false\\" + reloader.stakater.com/auto: \\"true\\" +spec: + replicas: 1 + selector: + matchLabels: + component: metabase + template: + metadata: + labels: + component: metabase + kontinuous/deployment: test-ingress-custom-annotations-feature-branch-1-ffac-361bby73 + kontinuous/deployment.env: test-ingress-custom-annotations-prod + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: deployment-metabase-5wn3odrk + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous + annotations: + kontinuous/deployment: test-ingress-custom-annotations-feature-branch-1-ffac-361bby73 + spec: + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + runAsNonRoot: true + containers: + - image: metabase/metabase:v0.45.3 + name: metabase + securityContext: + allowPrivilegeEscalation: false + envFrom: + - configMapRef: + name: metabase + ports: + - containerPort: 3000 + name: http + startupProbe: + failureThreshold: 30 + httpGet: + path: /api/health + port: http + periodSeconds: 10 + initialDelaySeconds: 60 + successThreshold: 1 + timeoutSeconds: 10 + readinessProbe: + failureThreshold: 15 + httpGet: + path: /api/health + port: http + initialDelaySeconds: 1 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + livenessProbe: + failureThreshold: 6 + httpGet: + path: /api/health + port: http + initialDelaySeconds: 30 + periodSeconds: 5 + timeoutSeconds: 5 + resources: + limits: + cpu: 1000m + memory: 2048Mi + requests: + cpu: 500m + memory: 512Mi +--- +apiVersion: v1 +kind: Service +metadata: + labels: + component: metabase + 
application: test-ingress-custom-annotations + kontinuous/deployment: test-ingress-custom-annotations-feature-branch-1-ffac-361bby73 + kontinuous/deployment.env: test-ingress-custom-annotations-prod + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: service-metabase-5idimw41 + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous + name: metabase + namespace: test-ingress-custom-annotations + annotations: + kontinuous/chartPath: project.fabrique.contrib.metabase + kontinuous/source: project/charts/fabrique/charts/contrib/charts/metabase/templates/service.yaml + kontinuous/deployment: test-ingress-custom-annotations-feature-branch-1-ffac-361bby73 +spec: + ports: + - name: http + port: 80 + targetPort: 3000 + selector: + component: metabase + type: ClusterIP +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + kubernetes.io/ingress.class: nginx + some: annotation + kontinuous/chartPath: project.fabrique.contrib.metabase + kontinuous/source: project/charts/fabrique/charts/contrib/charts/metabase/templates/ingress.yaml + kontinuous/deployment: test-ingress-custom-annotations-feature-branch-1-ffac-361bby73 + cert-manager.io: cluster-issuer + cert-manager.io/cluster-issuer: letsencrypt-prod + kubernetes.io/tls-acme: \\"true\\" + labels: + component: metabase + application: test-ingress-custom-annotations + kontinuous/deployment: test-ingress-custom-annotations-feature-branch-1-ffac-361bby73 + kontinuous/deployment.env: test-ingress-custom-annotations-prod + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: ingress-metabase-5ybj4te8 + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: 
kontinuous + name: metabase + namespace: test-ingress-custom-annotations +spec: + rules: + - host: metabase-test-ingress-custom-annotations.fabrique.social.gouv.fr + http: + paths: + - backend: + service: + name: metabase + port: + name: http + path: / + pathType: Prefix + tls: + - hosts: + - metabase-test-ingress-custom-annotations.fabrique.social.gouv.fr + secretName: metabase-crt +" +`; diff --git a/packages/kontinuous/tests/__snapshots__/ingress-custom-certs.prod.yaml b/packages/kontinuous/tests/__snapshots__/ingress-custom-certs.prod.yaml new file mode 100644 index 0000000000..c4b9adce31 --- /dev/null +++ b/packages/kontinuous/tests/__snapshots__/ingress-custom-certs.prod.yaml 
@@ -0,0 +1,281 @@ +// Jest Snapshot v1, https://goo.gl/fbAQLP + +exports[`test build manifests with snapshots ingress-custom-certs.prod 1`] = ` +"apiVersion: v1 +kind: Namespace +metadata: + annotations: + field.cattle.io/projectId: \\"1234\\" + kontinuous/gitBranch: feature-branch-1 + kontinuous/mainNamespace: \\"true\\" + kapp.k14s.io/exists: \\"\\" + kontinuous/chartPath: project.fabrique.contrib.rancher-namespace + kontinuous/source: project/charts/fabrique/charts/contrib/charts/rancher-namespace/templates/namespace.yaml + kontinuous/deployment: test-ingress-custom-certs-feature-branch-1-ffac537e6c-edcs2gk7 + labels: + application: test-ingress-custom-certs + kontinuous/deployment: test-ingress-custom-certs-feature-branch-1-ffac537e6c-edcs2gk7 + kontinuous/deployment.env: test-ingress-custom-certs-prod + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: namespace-test-ingress-custom-certs-1o31hqzy + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous + name: test-ingress-custom-certs +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: netpol-ingress + namespace: test-ingress-custom-certs + annotations: + kontinuous/chartPath: project.fabrique.contrib.security-policies + kontinuous/source: project/charts/fabrique/charts/contrib/charts/security-policies/templates/network-policy.yml + kontinuous/deployment: test-ingress-custom-certs-feature-branch-1-ffac537e6c-edcs2gk7 + labels: + kontinuous/deployment: test-ingress-custom-certs-feature-branch-1-ffac537e6c-edcs2gk7 + kontinuous/deployment.env: test-ingress-custom-certs-prod + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: networkpolicy-netpol-ingress-61ndxljw + 
app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous +spec: + ingress: + - from: + - podSelector: {} + - from: + - namespaceSelector: + matchLabels: + network-policy/source: ingress-controller + - from: + - namespaceSelector: + matchLabels: + network-policy/source: monitoring + podSelector: {} + policyTypes: + - Ingress +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: default + annotations: + kontinuous/chartPath: project.fabrique.contrib.security-policies + kontinuous/source: project/charts/fabrique/charts/contrib/charts/security-policies/templates/service-account.yaml + kontinuous/deployment: test-ingress-custom-certs-feature-branch-1-ffac537e6c-edcs2gk7 + labels: + kontinuous/deployment: test-ingress-custom-certs-feature-branch-1-ffac537e6c-edcs2gk7 + kontinuous/deployment.env: test-ingress-custom-certs-prod + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: serviceaccount-default-2g5dmk74 + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous + namespace: test-ingress-custom-certs +automountServiceAccountToken: false +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + component: metabase + application: test-ingress-custom-certs + kontinuous/deployment: test-ingress-custom-certs-feature-branch-1-ffac537e6c-edcs2gk7 + kontinuous/deployment.env: test-ingress-custom-certs-prod + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: configmap-metabase-1tfah3wb + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous + name: metabase + namespace: test-ingress-custom-certs + annotations: + kontinuous/chartPath: 
project.fabrique.contrib.metabase + kontinuous/source: project/charts/fabrique/charts/contrib/charts/metabase/templates/configmap.yaml + kontinuous/deployment: test-ingress-custom-certs-feature-branch-1-ffac537e6c-edcs2gk7 +data: + MB_APPLICATION_NAME: metabase + MB_DB_TYPE: postgres + MB_ADMIN_EMAIL: admin@fabrique.social.gouv.fr + MB_ANON_TRACKING_ENABLED: \\"false\\" + MB_APPLICATION_LOGO_URL: https://socialgouv.github.io/support/_media/marianne.jpeg + MB_EMAIL_FROM_ADDRESS: contact@fabrique.social.gouv.fr + MB_ENABLE_EMBEDDING: \\"true\\" + MB_ENABLE_PUBLIC_SHARING: \\"true\\" + MB_SITE_LOCALE: fr + MB_SITE_NAME: Fabrique des ministères sociaux + MB_SITE_URL: https://some.external.host +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + component: metabase + application: test-ingress-custom-certs + kontinuous/deployment: test-ingress-custom-certs-feature-branch-1-ffac537e6c-edcs2gk7 + kontinuous/deployment.env: test-ingress-custom-certs-prod + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: deployment-metabase-5wn3odrk + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous + name: metabase + namespace: test-ingress-custom-certs + annotations: + kontinuous/chartPath: project.fabrique.contrib.metabase + kontinuous/source: project/charts/fabrique/charts/contrib/charts/metabase/templates/deployment.yaml + kontinuous/deployment: test-ingress-custom-certs-feature-branch-1-ffac537e6c-edcs2gk7 + kontinuous/depname.full: project.fabrique.contrib.metabase.deployment.metabase + kontinuous/depname.chartResource: metabase.deployment.metabase + kontinuous/depname.chartName: metabase + kontinuous/depname.chartPath: project.fabrique.contrib.metabase + kontinuous/depname.resourcePath: deployment.metabase + kontinuous/depname.resourceName: metabase + 
kontinuous/depname.chartNameTopFull: metabase + kontinuous/depname.chartNameTop: metabase + kontinuous/plugin.log: \\"false\\" + reloader.stakater.com/auto: \\"true\\" +spec: + replicas: 1 + selector: + matchLabels: + component: metabase + template: + metadata: + labels: + component: metabase + kontinuous/deployment: test-ingress-custom-certs-feature-branch-1-ffac537e6c-edcs2gk7 + kontinuous/deployment.env: test-ingress-custom-certs-prod + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: deployment-metabase-5wn3odrk + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous + annotations: + kontinuous/deployment: test-ingress-custom-certs-feature-branch-1-ffac537e6c-edcs2gk7 + spec: + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + runAsNonRoot: true + containers: + - image: metabase/metabase:v0.45.3 + name: metabase + securityContext: + allowPrivilegeEscalation: false + envFrom: + - configMapRef: + name: metabase + ports: + - containerPort: 3000 + name: http + startupProbe: + failureThreshold: 30 + httpGet: + path: /api/health + port: http + periodSeconds: 10 + initialDelaySeconds: 60 + successThreshold: 1 + timeoutSeconds: 10 + readinessProbe: + failureThreshold: 15 + httpGet: + path: /api/health + port: http + initialDelaySeconds: 1 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + livenessProbe: + failureThreshold: 6 + httpGet: + path: /api/health + port: http + initialDelaySeconds: 30 + periodSeconds: 5 + timeoutSeconds: 5 + resources: + limits: + cpu: 1000m + memory: 2048Mi + requests: + cpu: 500m + memory: 512Mi +--- +apiVersion: v1 +kind: Service +metadata: + labels: + component: metabase + application: test-ingress-custom-certs + kontinuous/deployment: test-ingress-custom-certs-feature-branch-1-ffac537e6c-edcs2gk7 + 
kontinuous/deployment.env: test-ingress-custom-certs-prod + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: service-metabase-5idimw41 + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous + name: metabase + namespace: test-ingress-custom-certs + annotations: + kontinuous/chartPath: project.fabrique.contrib.metabase + kontinuous/source: project/charts/fabrique/charts/contrib/charts/metabase/templates/service.yaml + kontinuous/deployment: test-ingress-custom-certs-feature-branch-1-ffac537e6c-edcs2gk7 +spec: + ports: + - name: http + port: 80 + targetPort: 3000 + selector: + component: metabase + type: ClusterIP +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + kubernetes.io/ingress.class: nginx + kontinuous/chartPath: project.fabrique.contrib.metabase + kontinuous/source: project/charts/fabrique/charts/contrib/charts/metabase/templates/ingress.yaml + kontinuous/deployment: test-ingress-custom-certs-feature-branch-1-ffac537e6c-edcs2gk7 + labels: + component: metabase + application: test-ingress-custom-certs + kontinuous/deployment: test-ingress-custom-certs-feature-branch-1-ffac537e6c-edcs2gk7 + kontinuous/deployment.env: test-ingress-custom-certs-prod + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: ingress-metabase-5ybj4te8 + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous + name: metabase + namespace: test-ingress-custom-certs +spec: + rules: + - host: some.external.host + http: + paths: + - backend: + service: + name: metabase + port: + name: http + path: / + pathType: Prefix + tls: + - hosts: + - some.external.host + secretName: metabase-crt +" +`; 
diff --git a/packages/kontinuous/tests/samples/ingress-betagouv/config.yaml b/packages/kontinuous/tests/samples/ingress-betagouv/config.yaml
new file mode 100644
index 0000000000..ff779aad47
--- /dev/null
+++ b/packages/kontinuous/tests/samples/ingress-betagouv/config.yaml
@@ -0,0 +1,3 @@
+dependencies:
+ fabrique:
+ import: socialgouv/kontinuous/plugins/fabrique
\ No newline at end of file
diff --git a/packages/kontinuous/tests/samples/ingress-betagouv/env/prod/values.yaml b/packages/kontinuous/tests/samples/ingress-betagouv/env/prod/values.yaml
new file mode 100644
index 0000000000..4b20e3fe00
--- /dev/null
+++ b/packages/kontinuous/tests/samples/ingress-betagouv/env/prod/values.yaml
@@ -0,0 +1,3 @@
+metabase:
+ enabled: true
+ host: some.beta.gouv.fr
diff --git a/packages/kontinuous/tests/samples/ingress-custom-annotations/config.yaml b/packages/kontinuous/tests/samples/ingress-custom-annotations/config.yaml
new file mode 100644
index 0000000000..ff779aad47
--- /dev/null
+++ b/packages/kontinuous/tests/samples/ingress-custom-annotations/config.yaml
@@ -0,0 +1,3 @@
+dependencies:
+ fabrique:
+ import: socialgouv/kontinuous/plugins/fabrique
\ No newline at end of file
diff --git a/packages/kontinuous/tests/samples/ingress-custom-annotations/env/prod/values.yaml b/packages/kontinuous/tests/samples/ingress-custom-annotations/env/prod/values.yaml
new file mode 100644
index 0000000000..e5a23f2573
--- /dev/null
+++ b/packages/kontinuous/tests/samples/ingress-custom-annotations/env/prod/values.yaml
@@ -0,0 +1,5 @@
+metabase:
+ enabled: true
+ ingress:
+ annotations:
+ some: annotation
diff --git a/packages/kontinuous/tests/samples/ingress-custom-certs/config.yaml b/packages/kontinuous/tests/samples/ingress-custom-certs/config.yaml
new file mode 100644
index 0000000000..ff779aad47
--- /dev/null
+++ b/packages/kontinuous/tests/samples/ingress-custom-certs/config.yaml
@@ -0,0 +1,3 @@ +dependencies: + fabrique: + import: socialgouv/kontinuous/plugins/fabrique \ No newline at end of file diff --git a/packages/kontinuous/tests/samples/ingress-custom-certs/env/prod/values.yaml b/packages/kontinuous/tests/samples/ingress-custom-certs/env/prod/values.yaml new file mode 100644 index 0000000000..10a6fddbda --- /dev/null +++ b/packages/kontinuous/tests/samples/ingress-custom-certs/env/prod/values.yaml @@ -0,0 +1,3 @@ +metabase: + enabled: true + host: some.external.host diff --git a/plugins/contrib/patches/certs.js b/plugins/contrib/patches/certs.js index eeb7ebe912..69d539ba15 100644 --- a/plugins/contrib/patches/certs.js +++ b/plugins/contrib/patches/certs.js @@ -1,6 +1,7 @@ module.exports = (manifests, options) => { const hasWildcard = (host) => host.endsWith(options.wildcardHost) - const isInternalHost = (host) => host.endsWith(options.internalHost) + const isInternalHost = (host) => + options.internalHosts.some((internalHost) => host.endsWith(internalHost)) const { secretName = "wildcard-crt", diff --git a/plugins/fabrique/kontinuous.yaml b/plugins/fabrique/kontinuous.yaml index 35fea11882..b062dc8f50 100644 --- a/plugins/fabrique/kontinuous.yaml +++ b/plugins/fabrique/kontinuous.yaml @@ -1,7 +1,7 @@ dependencies: contrib: import: socialgouv/kontinuous/plugins/contrib - + valuesCompilers: globalDefaults: enabled: true @@ -13,7 +13,9 @@ dependencies: enabled: true options: wildcardHost: ".dev.fabrique.social.gouv.fr" - internalHost: ".fabrique.social.gouv.fr" + internalHosts: + - ".fabrique.social.gouv.fr" + - ".beta.gouv.fr" rancherProjectId: enabled: true reloader: 
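Review bot: In plugins/contrib/patches/certs.js, `isInternalHost` now decides by plain suffix match against every entry of `options.internalHosts`, so the check is only as strict as the leading dot on each entry: an entry written as `beta.gouv.fr` would also accept `notbeta.gouv.fr`. The values added to plugins/fabrique/kontinuous.yaml in this patch all start with a dot, but nothing in the helper enforces or documents that. I would add `// each entry must start with "." so that only subdomains match` above the helper, or skip entries that do not start with a dot. The function body continues outside the hunk.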
@@ -59,14 +61,14 @@ dependencies: - azure-pg-admin-user - pg-scaleway # secret-name: - # enabled: true - # reload: false - # required: false - # fromNamespace: <$projectName-ci> - # toNamespace: true - # toAllNamespace: false - # to: azure-pg-admin-user - # from: [azure-pg-admin-user] + # enabled: true + # reload: false + # required: false + # fromNamespace: <$projectName-ci> + # toNamespace: true + # toAllNamespace: false + # to: azure-pg-admin-user + # from: [azure-pg-admin-user] rancherNamespaces: enabled: true cleanFailed: @@ -86,13 +88,12 @@ dependencies: crdApiResources: - sealedsecrets - postDeploy: notifyMattermost: enabled: true options: notifyWebhookUrlVarName: KS_NOTIFY_WEBHOOK_URL - + deploySidecars: failfast: enabled: false @@ -109,7 +110,6 @@ dependencies: waitCheckInterval: 1s logsAll: true - config: webhookUri: https://kontinuous.fabrique.social.gouv.fr From daadf1ab7b3f73f49e2d3e2131145e96072150b1 Mon Sep 17 00:00:00 2001 From: Julien Bouquillon Date: Fri, 7 Apr 2023 16:00:51 +0200 Subject: [PATCH 2/4] Update kontinuous.yaml --- plugins/fabrique/kontinuous.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/plugins/fabrique/kontinuous.yaml b/plugins/fabrique/kontinuous.yaml index b062dc8f50..77c3b234e5 100644 --- a/plugins/fabrique/kontinuous.yaml +++ b/plugins/fabrique/kontinuous.yaml @@ -16,6 +16,7 @@ dependencies: internalHosts: - ".fabrique.social.gouv.fr" - ".beta.gouv.fr" + - ".travail.gouv.fr" rancherProjectId: enabled: true reloader: From 0e7467dcb839deb7aae44ac163fbbe872b611985 Mon Sep 17 00:00:00 2001 From: devthejo Date: Mon, 10 Apr 2023 12:52:09 +0200 Subject: [PATCH 3/4] feat(certs-patch): annotation + more granularity --- plugins/contrib/patches/certs.js | 57 ++++++++++++++++++++++---------- 1 file changed, 40 insertions(+), 17 deletions(-) diff --git a/plugins/contrib/patches/certs.js b/plugins/contrib/patches/certs.js index 69d539ba15..ff35bec93f 100644 --- a/plugins/contrib/patches/certs.js +++ b/plugins/contrib/patches/certs.js 
@@ -1,15 +1,21 @@ module.exports = (manifests, options) => { - const hasWildcard = (host) => host.endsWith(options.wildcardHost) - const isInternalHost = (host) => - options.internalHosts.some((internalHost) => host.endsWith(internalHost)) - const { + annotationEnableKey = "kontinuous/use-cert-manager", + defaultEnabled = true, + detectWildcard = true, + internalHosts = [], + detectInternal = internalHosts.length > 0, secretName = "wildcard-crt", clusterIssuer = "letsencrypt-prod", namespaceLabels = { cert: "wildcard", }, } = options + + const hasWildcard = (host) => host.endsWith(options.wildcardHost) + const isInternalHost = (host) => + internalHosts.some((internalHost) => host.endsWith(internalHost)) + const wildcardNamespaces = new Set() for (const manifest of manifests) { 
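Review bot: The new defaults in the destructuring fail open: with `internalHosts = []` the derived `detectInternal` is false, and since `defaultEnabled` is true, a config that omits `internalHosts` (or still carries the old `internalHost` key) would, as far as the second hunk shows, get the cert-manager annotations on every non-wildcard Ingress, external hosts included. Before this series an unset internal host matched no real host, so no annotation was added. I would keep the restrictive behaviour by default with `detectInternal = true,`, or accept the old key with `internalHosts = options.internalHost ? [options.internalHost] : [],`. `wildcardHost` is still read from `options` directly in `hasWildcard`, unlike the other settings. The function body continues past the end of the hunk.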
@@ -24,20 +30,37 @@ module.exports = (manifests, options) => { tlsEntry.secretName = secretName } - // apply cert-manager annotations only for internal, non-wildcard hosts - if (!hosts.every(hasWildcard) && hosts.every(isInternalHost)) { - if (!manifest.metadata) { - manifest.metadata = {} - } - if (!manifest.metadata.annotations) { - manifest.metadata.annotations = {} - } - Object.assign(manifest.metadata.annotations, { - "cert-manager.io": "cluster-issuer", - "cert-manager.io/cluster-issuer": clusterIssuer, - "kubernetes.io/tls-acme": "true", - }) + let enabled = defaultEnabled + + const annotationEnableValue = + manifest.metadata?.annotations?.[annotationEnableKey] + if ( + annotationEnableValue !== undefined && + annotationEnableValue !== null && + annotationEnableValue !== "" + ) { + enabled = annotationEnableValue !== "false" + } else if (detectWildcard && hosts.some(hasWildcard)) { + enabled = false + } else if (detectInternal && !hosts.every(isInternalHost)) { + enabled = false + } + + if (!enabled) { + continue + } + + if (!manifest.metadata) { + manifest.metadata = {} + } + if (!manifest.metadata.annotations) { + manifest.metadata.annotations = {} } + Object.assign(manifest.metadata.annotations, { + "cert-manager.io": "cluster-issuer", + "cert-manager.io/cluster-issuer": clusterIssuer, + "kubernetes.io/tls-acme": "true", + }) } } From d954eb371da2997df877257d708299f08e44abcc Mon Sep 17 00:00:00 2001 
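Review bot: The opt-out test `annotationEnableValue !== "false"` only recognises that exact string, so an annotation parsed as the YAML boolean `false` (value left unquoted), or written `"False"`, passes the three emptiness checks and turns cert-manager on instead of off. Comparing a normalised value, `enabled = String(annotationEnableValue).toLowerCase() !== "false"`, closes that gap. Any other non-empty value also takes this first branch and skips both the wildcard and the internal-host checks, so the annotation can enable cert-manager for a host outside `internalHosts`; if that is intended, a comment on the branch saying so would help whoever reviews manifests. The loop this hunk edits starts and ends outside the hunk.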
From: devthejo Date: Tue, 11 Apr 2023 13:12:39 +0200 Subject: [PATCH 4/4] fix: add some tests --- .../ingress-cert-optout.dev.yaml | 118 ++++++++++++++++++ .../samples/ingress-cert-optout/config.yaml | 3 + .../templates/ingress.yaml | 22 ++++ plugins/contrib/patches/certs.js | 1 - 4 files changed, 143 insertions(+), 1 deletion(-) create mode 100644 packages/kontinuous/tests/__snapshots__/ingress-cert-optout.dev.yaml create mode 100644 packages/kontinuous/tests/samples/ingress-cert-optout/config.yaml create mode 100644 packages/kontinuous/tests/samples/ingress-cert-optout/templates/ingress.yaml diff --git a/packages/kontinuous/tests/__snapshots__/ingress-cert-optout.dev.yaml b/packages/kontinuous/tests/__snapshots__/ingress-cert-optout.dev.yaml new file mode 100644 index 0000000000..45c3a9fb57 --- /dev/null +++ b/packages/kontinuous/tests/__snapshots__/ingress-cert-optout.dev.yaml 
@@ -0,0 +1,118 @@ +// Jest Snapshot v1, https://goo.gl/fbAQLP + +exports[`test build manifests with snapshots ingress-cert-optout.dev 1`] = ` +"apiVersion: v1 +kind: Namespace +metadata: + annotations: + field.cattle.io/projectId: \\"1234\\" + kontinuous/gitBranch: feature-branch-1 + kontinuous/mainNamespace: \\"true\\" + kapp.k14s.io/exists: \\"\\" + kontinuous/chartPath: project.fabrique.contrib.rancher-namespace + kontinuous/source: project/charts/fabrique/charts/contrib/charts/rancher-namespace/templates/namespace.yaml + kontinuous/deployment: test-ingress-cert-optout-feature-branch-1-ffac537e6cb-3c6i5sje + janitor/ttl: 7d + labels: + application: test-ingress-cert-optout + kontinuous/deployment: test-ingress-cert-optout-feature-branch-1-ffac537e6cb-3c6i5sje + kontinuous/deployment.env: test-ingress-cert-optout-feature-branch-1 + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: namespace-test-ingress-cert-optout-feature-branch-1-2p8sssrl + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous + name: test-ingress-cert-optout-feature-branch-1 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: netpol-ingress + namespace: test-ingress-cert-optout-feature-branch-1 + annotations: + kontinuous/chartPath: project.fabrique.contrib.security-policies + kontinuous/source: project/charts/fabrique/charts/contrib/charts/security-policies/templates/network-policy.yml + kontinuous/deployment: test-ingress-cert-optout-feature-branch-1-ffac537e6cb-3c6i5sje + labels: + kontinuous/deployment: test-ingress-cert-optout-feature-branch-1-ffac537e6cb-3c6i5sje + kontinuous/deployment.env: test-ingress-cert-optout-feature-branch-1 + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: 
ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: networkpolicy-netpol-ingress-61ndxljw + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous +spec: + ingress: + - from: + - podSelector: {} + - from: + - namespaceSelector: + matchLabels: + network-policy/source: ingress-controller + - from: + - namespaceSelector: + matchLabels: + network-policy/source: monitoring + podSelector: {} + policyTypes: + - Ingress +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: default + annotations: + kontinuous/chartPath: project.fabrique.contrib.security-policies + kontinuous/source: project/charts/fabrique/charts/contrib/charts/security-policies/templates/service-account.yaml + kontinuous/deployment: test-ingress-cert-optout-feature-branch-1-ffac537e6cb-3c6i5sje + labels: + kontinuous/deployment: test-ingress-cert-optout-feature-branch-1-ffac537e6cb-3c6i5sje + kontinuous/deployment.env: test-ingress-cert-optout-feature-branch-1 + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: serviceaccount-default-2g5dmk74 + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous + namespace: test-ingress-cert-optout-feature-branch-1 +automountServiceAccountToken: false +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: files-public + annotations: + kubernetes.io/ingress.class: nginx + kontinuous/use-cert-manager: \\"false\\" + kontinuous/chartPath: project + kontinuous/source: project/templates/ingress.yaml + kontinuous/deployment: test-ingress-cert-optout-feature-branch-1-ffac537e6cb-3c6i5sje + labels: + kontinuous/deployment: test-ingress-cert-optout-feature-branch-1-ffac537e6cb-3c6i5sje + kontinuous/deployment.env: test-ingress-cert-optout-feature-branch-1 + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: 
ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: ingress-files-public-5krby9jg + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous + namespace: test-ingress-cert-optout-feature-branch-1 +spec: + tls: + - hosts: + - test.fabrique.social.gouv.fr + rules: + - host: test.fabrique.social.gouv.fr + http: + paths: + - path: / + pathType: Exact + backend: + service: + name: app + port: + number: 80 +" +`; diff --git a/packages/kontinuous/tests/samples/ingress-cert-optout/config.yaml b/packages/kontinuous/tests/samples/ingress-cert-optout/config.yaml new file mode 100644 index 0000000000..ff779aad47 --- /dev/null +++ b/packages/kontinuous/tests/samples/ingress-cert-optout/config.yaml @@ -0,0 +1,3 @@ +dependencies: + fabrique: + import: socialgouv/kontinuous/plugins/fabrique \ No newline at end of file diff --git a/packages/kontinuous/tests/samples/ingress-cert-optout/templates/ingress.yaml b/packages/kontinuous/tests/samples/ingress-cert-optout/templates/ingress.yaml new file mode 100644 index 0000000000..b6870ca2d6 --- /dev/null +++ b/packages/kontinuous/tests/samples/ingress-cert-optout/templates/ingress.yaml @@ -0,0 +1,22 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: files-public + annotations: + kubernetes.io/ingress.class: nginx + kontinuous/use-cert-manager: "false" +spec: + tls: + - hosts: + - test.fabrique.social.gouv.fr + rules: + - host: test.fabrique.social.gouv.fr + http: + paths: + - path: / + pathType: Exact + backend: + service: + name: app + port: + number: 80 \ No newline at end of file diff --git a/plugins/contrib/patches/certs.js b/plugins/contrib/patches/certs.js index 14234b2286..ff35bec93f 100644 --- a/plugins/contrib/patches/certs.js +++ b/plugins/contrib/patches/certs.js 
@@ -1,5 +1,4 @@ module.exports = (manifests, options) => { - const { annotationEnableKey = "kontinuous/use-cert-manager", defaultEnabled = true,