Update CRD labels, retention policy and split-installation documentation
* CRDs now have a label so that they can be removed at once for
uninstallation
* CRDs gained an annotation to tell Helm not to remove them when
uninstalling the chart, this solves a user experience problem where
people uninstall the chart before installing it again, and lose
their functions
* Updated and corrected the split-installation of CRDs, and
offered a way to use statically generated CRDs in a combined
file whilst retaining version compatibility with the main chart

Tested e2e with Role, ClusterRole and upgrading previous CRDs

Signed-off-by: Alex Ellis (OpenFaaS Ltd) <[email protected]>
alexellis committed May 13, 2024
1 parent e60ca0b commit d5b07cd
Showing 20 changed files with 8,361 additions and 3,729 deletions.
2,116 changes: 2,116 additions & 0 deletions artifacts/crds/crds.yaml

Large diffs are not rendered by default.

124 changes: 63 additions & 61 deletions artifacts/crds/iam.openfaas.com_jwtissuers.yaml
Expand Up @@ -3,6 +3,8 @@ kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app.kubernetes.io/name: openfaas
name: jwtissuers.iam.openfaas.com
spec:
group: iam.openfaas.com
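Review bot: The `annotations` block just above the new `labels` in this hunk still carries only `controller-gen.kubebuilder.io/version`, while the commit message says the CRDs gained an annotation telling Helm not to remove them on uninstall. If the static files under `artifacts/crds/` are applied outside Helm and omit it on purpose, say so in the split-installation documentation; otherwise the retention annotation is missing here, and a Helm uninstall of a chart built from this file would remove the CRD together with every JwtIssuer stored under it.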
Expand All @@ -13,65 +15,65 @@ spec:
singular: jwtissuer
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.iss
name: Issuer
type: string
- jsonPath: .spec.aud
name: Audience
type: string
- jsonPath: .spec.tokenExpiry
name: Expiry
type: string
name: v1
schema:
openAPIV3Schema:
description: JwtIssuer is used to define a JWT issuer for a function
type: object
required:
- spec
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: JwtIssuerSpec is the spec for a JwtIssuer resource
type: object
required:
- aud
- iss
properties:
aud:
description: |-
Audience is the intended audience of the JWT, at times, like with Auth0 this is the
client ID of the app, and not our validating server
type: array
items:
type: string
iss:
description: Issuer is the issuer of the JWT
- additionalPrinterColumns:
- jsonPath: .spec.iss
name: Issuer
type: string
- jsonPath: .spec.aud
name: Audience
type: string
- jsonPath: .spec.tokenExpiry
name: Expiry
type: string
name: v1
schema:
openAPIV3Schema:
description: JwtIssuer is used to define a JWT issuer for a function
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: JwtIssuerSpec is the spec for a JwtIssuer resource
properties:
aud:
description: |-
Audience is the intended audience of the JWT, at times, like with Auth0 this is the
client ID of the app, and not our validating server
items:
type: string
issInternal:
description: |-
IssuerInternal provides an alternative URL to use to download the public key
for this issuer. It's useful for the system issuer.
type: string
tokenExpiry:
type: string
served: true
storage: true
subresources: {}
type: array
iss:
description: Issuer is the issuer of the JWT
type: string
issInternal:
description: |-
IssuerInternal provides an alternative URL to use to download the public key
for this issuer. It's useful for the system issuer.
type: string
tokenExpiry:
type: string
required:
- aud
- iss
type: object
required:
- spec
type: object
served: true
storage: true
subresources: {}
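Review bot: `issInternal` and `tokenExpiry` under `spec.properties` are regenerated as bare `type: string` fields, and `tokenExpiry` has no description at all. `issInternal` is described as the URL used to download the issuer's public key, so it is worth adding a validation marker on the Go type (for example a `pattern` limiting the accepted URL schemes) and a description stating the expected format of `tokenExpiry`, so that malformed values are rejected by the API server instead of being stored. The `required` entries (`aud`, `iss`, `spec`) appear to survive the key reordering; please confirm that the regeneration changed ordering only.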
159 changes: 78 additions & 81 deletions artifacts/crds/iam.openfaas.com_policies.yaml
Expand Up @@ -3,6 +3,8 @@ kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
labels:
app.kubernetes.io/name: openfaas
name: policies.iam.openfaas.com
spec:
group: iam.openfaas.com
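Review bot: `app.kubernetes.io/name: openfaas` under `metadata.labels` is a broad, conventional label, and the commit message makes it the handle for removing all CRDs at once. Deleting `policies.iam.openfaas.com` by that selector also deletes every Policy object in the cluster, so the uninstall documentation should tell operators to export their Policy and JwtIssuer resources first. A more specific label alongside it (for example a component label) would also keep the selector from matching CRDs from other tooling that reuses the same name value.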
Expand All @@ -13,86 +15,81 @@ spec:
singular: policy
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.statement
name: Statement
type: string
name: v1
schema:
openAPIV3Schema:
description: Policy is used to define a policy for a function
type: object
required:
- spec
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
type: object
required:
- statement
properties:
statement:
type: array
items:
type: object
required:
- action
- effect
- resource
- sid
properties:
action:
description: Action is a set of actions that the policy applies to i.e. Function:Read
type: array
items:
type: string
condition:
description: |-
Condition is a set of conditions that the policy applies to
{
"StringLike": {
"jwt:https://my-identity-provider.com#sub-id": [
"1234567890",
"0987654321"
],
}
}
type: object
additionalProperties:
type: object
additionalProperties:
type: array
items:
type: string
effect:
description: Effect is the effect of the policy - only Allow is supported
- additionalPrinterColumns:
- jsonPath: .spec.statement
name: Statement
type: string
name: v1
schema:
openAPIV3Schema:
description: Policy is used to define a policy for a function
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
properties:
statement:
items:
properties:
action:
description: Action is a set of actions that the policy applies
to i.e. Function:Read
items:
type: string
resource:
description: |-
Resource is a set of resources that the policy applies to - only namespaces are supported at
present
type: array
items:
type: string
sid:
description: SID is the unique identifier for the policy
type: array
condition:
additionalProperties:
additionalProperties:
items:
type: string
type: array
type: object
description: "Condition is a set of conditions that the policy
applies to\n{\n\t\"StringLike\": {\n\t\t\"jwt:https://my-identity-provider.com#sub-id\":
[\n\t\t\t\"1234567890\",\n\t\t\t\"0987654321\"\n\t\t],\n\t}\n}"
type: object
effect:
description: Effect is the effect of the policy - only Allow
is supported
type: string
resource:
description: |-
Resource is a set of resources that the policy applies to - only namespaces are supported at
present
items:
type: string
served: true
storage: true
subresources: {}
type: array
sid:
description: SID is the unique identifier for the policy
type: string
required:
- action
- effect
- resource
- sid
type: object
type: array
required:
- statement
type: object
required:
- spec
type: object
served: true
storage: true
subresources: {}
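Review bot: The `effect` property in `statement.items.properties` says "only Allow is supported" in its description but is still an unconstrained `type: string`, so the API server will accept any value. Add an enum to the Go type (for example `+kubebuilder:validation:Enum=Allow`) so unsupported effects are rejected at admission. Two smaller points in the same hunk: the `condition` description moved from a `|-` block scalar to a double-quoted string full of `\n\t` escapes, which is much harder to read in the generated YAML, and the JSON example it contains has a trailing comma after the closing `]`, so it is not valid JSON if copied as written. It would also be worth considering a `minItems` on `statement`, since `required: - statement` is satisfied by an empty list.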