updated to 0.23.0

Author: kmadel

charts/vcluster/Chart.yaml

@@ -23,4 +23,4 @@ sources:
   - https://github.com/loft-demos/vcluster-charts/charts/vcluster
 type: application
 
-version: 0.22.3 # version is auto-generated by release pipeline
+version: 0.23.0 # version is auto-generated by release pipeline

charts/vcluster/templates/_init-containers.tpl

@@ -8,7 +8,6 @@
 {{- end -}}
 {{- end -}}
 
-
 {{- define "vcluster.k8s.capabilities.version" -}}
 {{/* We need to workaround here for unit tests because Capabilities.KubeVersion.Version is not supported, so we use .Chart.Version */}}
 {{- if hasPrefix "test-" .Chart.Version -}}
@@ -20,7 +19,7 @@
 
 {{/* Bump $defaultTag value whenever k8s version is bumped */}}
 {{- define "vcluster.k8s.controllerManager.image.tag" -}}
-{{- $defaultTag := "v1.31.1" -}}
+{{- $defaultTag := "v1.32.1" -}}
 {{- if and (not (empty .Values.controlPlane.distro.k8s.version)) (eq .Values.controlPlane.distro.k8s.controllerManager.image.tag $defaultTag) -}}
 {{ .Values.controlPlane.distro.k8s.version }}
 {{- else -}}
@@ -36,7 +35,7 @@
 
 {{/* Bump $defaultTag value whenever k8s version is bumped */}}
 {{- define "vcluster.k8s.apiServer.image.tag" -}}
-{{- $defaultTag := "v1.31.1" -}}
+{{- $defaultTag := "v1.32.1" -}}
 {{- if and (not (empty .Values.controlPlane.distro.k8s.version)) (eq .Values.controlPlane.distro.k8s.apiServer.image.tag $defaultTag) -}}
 {{ .Values.controlPlane.distro.k8s.version}}
 {{- else -}}
@@ -53,7 +52,7 @@
 
 {{/* Bump $defaultTag value whenever k8s version is bumped */}}
 {{- define "vcluster.k8s.scheduler.image.tag" -}}
-{{- $defaultTag := "v1.31.1" -}}
+{{- $defaultTag := "v1.32.1" -}}
 {{- if and (not (empty .Values.controlPlane.distro.k8s.version)) (eq .Values.controlPlane.distro.k8s.scheduler.image.tag $defaultTag) -}}
 {{ .Values.controlPlane.distro.k8s.version}}
 {{- else -}}

charts/vcluster/templates/_rbac.tpl

@@ -41,7 +41,9 @@
     .Values.integrations.externalSecrets.enabled
     (and .Values.integrations.certManager.enabled .Values.integrations.certManager.sync.fromHost.clusterIssuers.enabled)
     (and .Values.integrations.metricsServer.enabled .Values.integrations.metricsServer.nodes)
-    .Values.experimental.multiNamespaceMode.enabled -}}
+    .Values.experimental.multiNamespaceMode.enabled
+	.Values.sync.fromHost.configMaps.enabled
+    .Values.sync.fromHost.secrets.enabled -}}
 {{- true -}}
 {{- end -}}
 {{- end -}}
@@ -213,3 +215,48 @@
 {{- define "vcluster.rbac.platformRoleBindingName" -}}
 {{- printf "vc-%s-v-%s-platform-role-binding" .Release.Name .Release.Namespace | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+
+{{/*
+  Cluster role rules needed for fromHost sync (containing namespaces + configmaps/secret/other core resources)
+*/}}
+{{- define "vcluster.rbac.rulesForFromHostSyncerForGivenCoreResource" -}}
+{{- $root := index . 0 -}}
+{{- $mappings := index . 1 -}}
+{{- $kind := index . 2 -}}
+{{- $enabled := index . 3 -}}
+{{- if and $enabled $mappings -}}
+{{- $namespaces := list -}}
+{{- $objNames := list -}}
+{{- $addResourceNames := true -}}
+{{- range $key, $val := $mappings -}}
+  {{- $sourceNs := splitList "/" $key | first -}}
+  {{- $sourceObjName := splitList "/" $key | last }}
+  {{- if eq $sourceNs "" -}}
+    {{- $namespaces = append $namespaces (quote $root.Release.Namespace) -}}
+  {{- else -}}
+    {{- $namespaces = append $namespaces (quote $sourceNs) -}}
+  {{- end -}}
+  {{- if eq $sourceObjName "*" -}}
+  	{{- $addResourceNames = false -}}
+  {{- else -}}
+  	{{- $objNames = append $objNames (quote $sourceObjName) -}}
+  {{- end -}}
+{{- end -}}
+{{- $objList := $objNames | uniq | sortAlpha -}}
+{{- $nsList := $namespaces | uniq | sortAlpha -}}
+- apiGroups: [""]
+  resources: [ "namespaces" ]
+  resourceNames: [ {{ join "," $nsList }} ]
+  verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+  resources: [ {{ $kind | quote }} ]
+  verbs: ["list", "watch"]
+- apiGroups: [""]
+  resources: [ {{ $kind | quote }} ]
+  verbs: ["get"]
+{{- if $addResourceNames }}
+  resourceNames: [ {{ join "," $objList }} ]
+{{- end }}
+{{- end }}
+{{- end }}
+

charts/vcluster/templates/clusterrole.yaml

@@ -134,6 +134,8 @@ rules:
     resources: ["clusterissuers"]
     verbs: ["get", "list", "watch"]
   {{- end }}
+  {{- include "vcluster.rbac.rulesForFromHostSyncerForGivenCoreResource" (list $ .Values.sync.fromHost.configMaps.mappings.byName "configmaps" .Values.sync.fromHost.configMaps.enabled ) | nindent 2 }}
+  {{- include "vcluster.rbac.rulesForFromHostSyncerForGivenCoreResource" (list $ .Values.sync.fromHost.secrets.mappings.byName "secrets" .Values.sync.fromHost.secrets.enabled ) | nindent 2 }}
   {{- include "vcluster.customResources.clusterRoleExtraRules" . | indent 2 }}
   {{- include "vcluster.plugin.clusterRoleExtraRules" . | indent 2 }}
   {{- include "vcluster.generic.clusterRoleExtraRules" . | indent 2 }}

charts/vcluster/templates/statefulset.yaml

@@ -159,6 +159,7 @@ spec:
               scheme: HTTPS
             failureThreshold: 60
             initialDelaySeconds: 60
+            timeoutSeconds: 3
             periodSeconds: 2
           {{- end }}
           {{- if .Values.controlPlane.statefulSet.probes.readinessProbe.enabled }}
@@ -168,6 +169,7 @@ spec:
               port: 8443
               scheme: HTTPS
             failureThreshold: 60
+            timeoutSeconds: 3
             periodSeconds: 2
           {{- end }}
           {{- if .Values.controlPlane.statefulSet.probes.startupProbe.enabled }}
@@ -177,6 +179,7 @@ spec:
               port: 8443
               scheme: HTTPS
             failureThreshold: 300
+            timeoutSeconds: 3
             periodSeconds: 6
           {{- end }}
           {{- if .Values.controlPlane.statefulSet.security.containerSecurityContext }}

charts/vcluster/tests/clusterrole_test.yaml

@@ -445,3 +445,241 @@ tests:
             apiGroups: [ "external-secrets.io" ]
             resources: [ "clustersecretstores" ]
             verbs: ["get", "list", "watch"]
+
+  - it: fromHost sync configmaps disabled
+    set:
+      sync:
+        fromHost:
+          configMaps:
+            enabled: false
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: fromHost sync configmaps enabled with wildcard namespace
+    set:
+      sync:
+        fromHost:
+          configMaps:
+            enabled: true
+            mappings:
+              byName:
+                "": "my-ns/*"
+                my-ns/*: "my-ns-2/*"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - lengthEqual:
+          path: rules
+          count: 3
+      - contains:
+          path: rules
+          content:
+            apiGroups: [ "" ]
+            resourceNames: ["NAMESPACE", "my-ns"]
+            resources: [ "namespaces" ]
+            verbs: [ "get", "list", "watch" ]
+      - contains:
+          path: rules
+          content:
+            apiGroups: [ "" ]
+            resources: [ "configmaps" ]
+            verbs: [ "list", "watch" ]
+      - contains:
+          path: rules
+          content:
+            apiGroups: [ "" ]
+            resources: [ "configmaps" ]
+            verbs: [ "get" ]
+
+  - it: fromHost sync configmaps enabled with wildcard name
+    set:
+      sync:
+        fromHost:
+          configMaps:
+            enabled: true
+            mappings:
+              byName:
+                "my-ns/*": "my-ns-4/*"
+                my-ns-2/*: "my-ns-3/*"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - lengthEqual:
+          path: rules
+          count: 3
+      - contains:
+          path: rules
+          content:
+            apiGroups: [ "" ]
+            resourceNames: ["my-ns", "my-ns-2"]
+            resources: [ "namespaces" ]
+            verbs: [ "get", "list", "watch" ]
+      - contains:
+          path: rules
+          content:
+            apiGroups: [ "" ]
+            resources: [ "configmaps" ]
+            verbs: [ "list", "watch" ]
+      - contains:
+          path: rules
+          content:
+            apiGroups: [ "" ]
+            resources: [ "configmaps" ]
+            verbs: [ "get" ]
+
+  - it: fromHost sync configmaps enabled without wildcards
+    set:
+      sync:
+        fromHost:
+          configMaps:
+            enabled: true
+            mappings:
+              byName:
+                "my-ns/my-cm": "my-ns-2/my-cm-2"
+                my-ns-3/my-cm-2: "my-ns-4/my-cm4"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - lengthEqual:
+          path: rules
+          count: 3
+      - contains:
+          path: rules
+          content:
+            apiGroups: [ "" ]
+            resourceNames: [ "my-ns", "my-ns-3" ]
+            resources: [ "namespaces" ]
+            verbs: [ "get", "list", "watch" ]
+      - contains:
+          path: rules
+          content:
+            apiGroups: [ "" ]
+            resources: [ "configmaps" ]
+            verbs: [ "list", "watch" ]
+      - contains:
+          path: rules
+          content:
+            apiGroups: [ "" ]
+            resourceNames: [ "my-cm", "my-cm-2" ]
+            resources: [ "configmaps" ]
+            verbs: [ "get"]
+
+  - it: fromHost sync secrets disabled
+    set:
+      sync:
+        fromHost:
+          secrets:
+            enabled: false
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: fromHost sync secrets enabled with wildcard namespace
+    set:
+      sync:
+        fromHost:
+          secrets:
+            enabled: true
+            mappings:
+              byName:
+                "": "my-ns/*"
+                my-ns/*: "my-ns-2/*"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - lengthEqual:
+          path: rules
+          count: 3
+      - contains:
+          path: rules
+          content:
+            apiGroups: [ "" ]
+            resourceNames: ["NAMESPACE", "my-ns"]
+            resources: [ "namespaces" ]
+            verbs: [ "get", "list", "watch" ]
+      - contains:
+          path: rules
+          content:
+            apiGroups: [ "" ]
+            resources: [ "secrets" ]
+            verbs: [ "list", "watch" ]
+      - contains:
+          path: rules
+          content:
+            apiGroups: [ "" ]
+            resources: [ "secrets" ]
+            verbs: [ "get"]
+
+  - it: fromHost sync secrets enabled with wildcard name
+    set:
+      sync:
+        fromHost:
+          secrets:
+            enabled: true
+            mappings:
+              byName:
+                "my-ns/*": "my-ns-4/*"
+                my-ns-2/*: "my-ns-3/*"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - lengthEqual:
+          path: rules
+          count: 3
+      - contains:
+          path: rules
+          content:
+            apiGroups: [ "" ]
+            resourceNames: ["my-ns", "my-ns-2"]
+            resources: [ "namespaces" ]
+            verbs: [ "get", "list", "watch" ]
+      - contains:
+          path: rules
+          content:
+            apiGroups: [ "" ]
+            resources: [ "secrets" ]
+            verbs: [ "list", "watch" ]
+      - contains:
+          path: rules
+          content:
+            apiGroups: [ "" ]
+            resources: [ "secrets" ]
+            verbs: [ "get" ]
+
+  - it: fromHost sync secrets enabled without wildcards
+    set:
+      sync:
+        fromHost:
+          secrets:
+            enabled: true
+            mappings:
+              byName:
+                "my-ns/my-secret": "my-ns-2/my-secret-2"
+                my-ns-3/my-secret-2: "my-ns-4/my-secret-4"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - lengthEqual:
+          path: rules
+          count: 3
+      - contains:
+          path: rules
+          content:
+            apiGroups: [ "" ]
+            resourceNames: [ "my-ns", "my-ns-3" ]
+            resources: [ "namespaces" ]
+            verbs: [ "get", "list", "watch" ]
+      - contains:
+          path: rules
+          content:
+            apiGroups: [ "" ]
+            resources: [ "secrets" ]
+            verbs: [ "list", "watch" ]
+      - contains:
+          path: rules
+          content:
+            apiGroups: [ "" ]
+            resourceNames: [ "my-secret", "my-secret-2" ]
+            resources: [ "secrets" ]
+            verbs: [ "get" ]