Merge branch 'fix-testing-cypress' into 'main'

test cypress fix See merge request big-bang/apps/sandbox/podinfo!77

Merge branch 'fix-testing-cypress' into 'main'
eea90f2e · Danilo Patrucco · 47a94509 · 90c9703c · eea90f2e · eea90f2e
Commit eea90f2e authored 1 month ago by Danilo Patrucco
--- a/.gitignore
+++ b/.gitignore
+netpol.yaml
\ No newline at end of file
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,13 @@
 > Format: [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)

 ---
+## [6.7.1-bb.3] - 2025-02-19
+
+### Changed
+
+- Add istio components to allow the image to deploy and be reachable
+- Add wait job to avoid issues with the clean install pipeline
+
 ## [6.7.1-bb.2] - 2025-02-19

 ### Changed

--- a/README.md
+++ b/README.md
 <!-- Warning: Do not manually edit this file. See notes on gluon + helm-docs at the end of this file for more information. -->
 # podinfo

-![Version: 6.7.1-bb.2](https://img.shields.io/badge/Version-6.7.1--bb.2-informational?style=flat-square) ![AppVersion: 6.7.1](https://img.shields.io/badge/AppVersion-6.7.1-informational?style=flat-square) ![Maintenance Track: bb_maintainted](https://img.shields.io/badge/Maintenance_Track-bb_maintainted-red?style=flat-square)
+![Version: 6.7.1-bb.3](https://img.shields.io/badge/Version-6.7.1--bb.3-informational?style=flat-square) ![AppVersion: 6.7.1](https://img.shields.io/badge/AppVersion-6.7.1-informational?style=flat-square) ![Maintenance Track: bb_maintainted](https://img.shields.io/badge/Maintenance_Track-bb_maintainted-red?style=flat-square)

 Podinfo Helm chart for Kubernetes

@@ -158,6 +158,10 @@ helm install podinfo chart/
 | bbtests.cypress.artifacts | bool | `true` |  |
 | bbtests.cypress.envs.cypress_url | string | `"http://{{ template \"podinfo.fullname\" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.externalPort }}"` |  |
 | bbtests.scripts.envs.URL | string | `"http://{{ template \"podinfo.fullname\" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.externalPort }}"` |  |
+| waitJob.enabled | bool | `true` |  |
+| waitJob.scripts.image | string | `"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.7"` |  |
+| waitJob.permissions.apiGroups | object | `{}` |  |
+| waitJob.permissions.resources | object | `{}` |  |

 ## Contributing


--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
-apiVersion: v1
+apiVersion: v2
 icon: https://kubernetes.io/icons/icon-128x128.png
-version: 6.7.1-bb.2
+version: 6.7.1-bb.3
 appVersion: 6.7.1
 name: podinfo
 engine: gotpl

--- a/chart/templates/bigbang/network_rbac_policies.yaml
+++ b/chart/templates/bigbang/network_rbac_policies.yaml
+{{- $pkg := "podinfo" }}
+{{- if and .Values.istio.enabled (get .Values.istio $pkg).enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-all-podinfo
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}  # Selects all pods in the namespace
+  ingress:
+    - {}
+  egress:
+    - {}
+  policyTypes:
+    - Ingress
+    - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: ingress-egress-default-deny
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: podinfo-permissive-role
+rules:
+  - apiGroups: ["*"]
+    resources: ["*"]
+    verbs: ["*"]
+  - nonResourceURLs: ["*"]
+    verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: podinfo-permissive-binding
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "podinfo.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: podinfo-permissive-role
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+ name: allow-all-in-namespace-override
+ namespace: {{ .Release.Namespace }}
+spec:
+  action: ALLOW
+  rules:
+  - from:
+    - source:
+        namespaces: ["*"]
+{{- end }}
\ No newline at end of file
--- a/chart/templates/tests/test-wait-job.yaml
+++ b/chart/templates/tests/test-wait-job.yaml
+{{- include "gluon.wait.wait-job-configmap.overrides" (list . "podinfo-wait.wait-configmap") }}
+{{- define "podinfo-wait.wait-configmap" }}
+{{- end }}
+---
+{{ include "gluon.wait.wait-job.overrides" (list . "podinfo-wait.wait-job") }}
+{{- define "podinfo-wait.wait-job" }}
+{{- end }}
+---
+{{ include "gluon.wait.wait-job-sa.overrides" (list . "podinfo-wait.wait-job-sa") }}
+{{- define "podinfo-wait.wait-job-sa" }}
+{{- end }}
+---
+{{ include "gluon.wait.wait-job-role.overrides" (list . "podinfo-wait.wait-job-role") }}
+{{- define "podinfo-wait.wait-job-role" }}
+{{- end }}
+---
+{{ include "gluon.wait.wait-job-rolebinding.overrides" (list . "podinfo-wait.wait-job-rolebinding") }}
+{{- define "podinfo-wait.wait-job-rolebinding" }}
+{{- end }}
\ No newline at end of file
--- a/chart/values-prod.yaml
+++ b/chart/values-prod.yaml
@@ -160,3 +160,11 @@ tolerations: []
 affinity: {}

 podAnnotations: {}
+
+waitJob:
+  enabled: true
+  scripts:
+    image: registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.7
+  permissions:
+    apiGroups: {}
+    resources: {}
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -229,3 +229,11 @@ bbtests:
  scripts:
    envs:
      URL: 'http://{{ template "podinfo.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.externalPort }}'
+
+waitJob:
+  enabled: true
+  scripts:
+    image: registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.7
+  permissions:
+    apiGroups: {}
+    resources: {}
--- a/chart/wait/wait.sh
+++ b/chart/wait/wait.sh
+#!/bin/bash
+wait_project() {
+   # interval and timeout are in seconds
+   interval=5
+   timeout=600
+   crdname="authorizationpolicies.security.istio.io"
+   jobLabel="app.kubernetes.io/name=podinfo"
+   namespace=podinfo
+   counter=0
+   while true; do
+      sleep $interval
+      initJobStatus=$(kubectl get pods -l $jobLabel -n $namespace -o jsonpath='{.items[0].status.conditions[0].status}')
+      echo "podinfo pods status is $initJobStatus"
+      if [[ $initJobStatus == "True" ]]; then
+        authcrdstatus=$(kubectl get crd $crdname -o jsonpath='{.status.conditions[0].status}')
+        if [[ $authcrdstatus == "True" ]]; then
+            echo "crd $crdname status is $authcrdstatus"
+            break
+        fi
+      fi
+      (( counter++ )) || true
+      if [[ $((counter * interval)) -ge $timeout ]]; then
+         echo "$daemonset timeout waiting $timeout seconds for creation, running describe..." 1>&2
+         kubectl describe $daemonset --namespace=$namespace 1>&2
+         exit 1
+      fi
+   done
+}
--- a/tests/test-values.yml
+++ b/tests/test-values.yml
+istio:
+  enabled: true
+  hardened:
+    enabled: true
+
 bbtests:
  enabled: true
+
+monitoring:
+  enabled: true
+
+replicaCount: 3
+
+serviceAccount:
+  enabled: true
+  imagePullSecrets:
+  - name: private-registry
+
+kyvernoPolicies:
+  values:
+    policies:
+      restrict-host-path-mount:
+        exclude:
+          any:
+            - resources:
+                namespaces:
+                  - podinfo
+                names:
+                  - podinfo*
+      restrict-host-path-write:
+        exclude:
+          any:
+            - resources:
+                namespaces:
+                  - podinfo
+                names:
+                  - podinfo*
+      restrict-volume-types:
+        exclude:
+          any:
+            - resources:
+                namespaces:
+                  - podinfo
+                names:
+                  - podinfo*
+      require-non-root-group:
+        exclude:
+          any:
+            - resources:
+                namespaces:
+                  - podinfo
+                names:
+                  - podinfo*
+      require-non-root-user:
+        exclude:
+          any:
+            - resources:
+                namespaces:
+                  - podinfo
+                names:
+                  - podinfo*
+      disallow-image-tags:
+        exclude:
+          any:
+            - resources:
+                namespaces:
+                  - podinfo
+                names:
+                  - podinfo*
+      require-drop-all-capabilities:
+        exclude:
+          any:
+            - resources:
+                namespaces:
+                  - podinfo
+                names:
+                  - podinfo*
+
+waitJob:
+  enabled: true
+  scripts:
+    image: registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.7
+  permissions:
+    apiGroups: {}
+    resources: {}
\ No newline at end of file