From fb3e45082403981d2c276ae060e2c64b687e4e74 Mon Sep 17 00:00:00 2001 From: Danilo Patrucco <danilo.patrucco@gmail.com> Date: Wed, 19 Feb 2025 11:03:50 -0500 Subject: [PATCH 01/11] fix docs --- CHANGELOG.md | 7 +++++++ chart/Chart.yaml | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8c445c6..75e644b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,13 @@ > Format: [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) --- +## [6.7.1-bb.3] - 2025-02-19 + +### Changed + +- fix deployment using new images +- fix cypress test setup + ## [6.7.1-bb.2] - 2025-02-19 ### Changed diff --git a/chart/Chart.yaml b/chart/Chart.yaml index dd47941..ac555e7 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -1,4 +1,4 @@ -apiVersion: v1 +apiVersion: v2 icon: https://kubernetes.io/icons/icon-128x128.png version: 6.7.1-bb.2 appVersion: 6.7.1 -- GitLab From 93b0309adee3e5c14292266062de3988edcadcfb Mon Sep 17 00:00:00 2001 From: Danilo Patrucco <danilo.patrucco@gmail.com> Date: Wed, 19 Feb 2025 11:45:50 -0500 Subject: [PATCH 02/11] add istio enabled to enable the virtual service --- tests/test-values.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/tests/test-values.yml b/tests/test-values.yml index 13a1ec1..4ebfeea 100644 --- a/tests/test-values.yml +++ b/tests/test-values.yml @@ -1,2 +1,15 @@ +<<<<<<< HEAD +======= +serviceAccount: + enabled: true + imagePullSecrets: + - name: private-registry +podAnnotations: + - sidecar.istio.io/inject: "false" + +istio: + enabled: true + +>>>>>>> 9c857c0 (add istio enabled to enable the virtual service) bbtests: enabled: true -- GitLab From b432aeeb2b8d6202e114607ce316eb955964a0db Mon Sep 17 00:00:00 2001 From: Danilo Patrucco <danilo.patrucco@gmail.com> Date: Wed, 19 Feb 2025 11:46:13 -0500 Subject: [PATCH 03/11] fx --- tests/test-values.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
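Review bot: The new block in tests/test-values.yml is committed with unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 9c857c0 (add istio enabled to enable the virtual service)`), so the file is not valid YAML at this commit and any `helm install -f tests/test-values.yml` in the pipeline would fail to parse it. PATCH 05 then nests a second `<<<<<<< HEAD` / `=======` / `>>>>>>> d8e5f57 (test)` pair inside the first and PATCH 09 adds a second top-level `serviceAccount` key next to the one inside the markers; none of this is untangled before PATCH 11, so squashing 02–11 would avoid a run of unloadable intermediate commits. Within this hunk, `podAnnotations` is written as a sequence item (`- sidecar.istio.io/inject: "false"`) where a mapping is expected, and that annotation opts the test pods out of the sidecar that the same hunk turns on with `istio.enabled: true`, so the Istio path is not what the test exercises.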
diff --git a/tests/test-values.yml b/tests/test-values.yml index 4ebfeea..334801f 100644 --- a/tests/test-values.yml +++ b/tests/test-values.yml @@ -5,7 +5,7 @@ serviceAccount: imagePullSecrets: - name: private-registry podAnnotations: - - sidecar.istio.io/inject: "false" + sidecar.istio.io/inject: "false" istio: enabled: true -- GitLab From 01bc199060fb81caa78277d821dd19c090de1740 Mon Sep 17 00:00:00 2001 From: Danilo Patrucco <danilo.patrucco@gmail.com> Date: Wed, 19 Feb 2025 15:50:42 -0500 Subject: [PATCH 04/11] test --- .gitignore | 1 + .../bigbang/network_rbac_policies.yaml | 61 +++++++++++++++++++ 2 files changed, 62 insertions(+) create mode 100644 .gitignore create mode 100644 chart/templates/bigbang/network_rbac_policies.yaml diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..2215b97 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +netpol.yaml \ No newline at end of file diff --git a/chart/templates/bigbang/network_rbac_policies.yaml b/chart/templates/bigbang/network_rbac_policies.yaml new file mode 100644 index 0000000..5266299 --- /dev/null +++ b/chart/templates/bigbang/network_rbac_policies.yaml 
@@ -0,0 +1,61 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-all-podinfo + namespace: {{ .Release.Namespace }} +spec: + podSelector: {} # Selects all pods in the namespace + ingress: + - {} + egress: + - {} + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-egress-default-deny + namespace: podinfo +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: podinfo-permissive-role +rules: + - apiGroups: ["*"] + resources: ["*"] + verbs: ["*"] + - nonResourceURLs: ["*"] + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: podinfo-permissive-binding +subjects: + - kind: ServiceAccount + name: {{ template "podinfo.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: podinfo-permissive-role + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: security.istio.io/v1 +kind: AuthorizationPolicy +metadata: + name: allow-all-in-namespace-override + namespace: {{ .Release.Namespace }} +spec: + action: ALLOW + rules: + - from: + - source: + namespaces: ["*"] -- GitLab From e3511b4a22eb46b73f922c8fd25c198954f9209a Mon Sep 17 00:00:00 2001 From: Danilo Patrucco <danilo.patrucco@gmail.com> Date: Wed, 19 Feb 2025 16:01:29 -0500 Subject: [PATCH 05/11] test --- tests/test-values.yml | 93 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 93 insertions(+) diff --git a/tests/test-values.yml b/tests/test-values.yml index 334801f..3fdb46d 100644 --- a/tests/test-values.yml +++ b/tests/test-values.yml @@ -1,4 +1,5 @@ <<<<<<< HEAD +<<<<<<< HEAD ======= serviceAccount: enabled: true 
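Review bot: The `podinfo-permissive-role` ClusterRole grants `*` verbs on `*` resources in every API group plus all `nonResourceURLs`, and `podinfo-permissive-binding` attaches that cluster-admin-equivalent to the chart's own service account (`{{ template "podinfo.serviceAccountName" . }}`), so a compromise of the podinfo pod becomes a compromise of the cluster. Nothing in this series shows podinfo needing any API access at all; drop both documents, or if the test pipeline genuinely needs them, narrow them to a namespaced Role listing the specific resources and verbs and key them off a test-only value such as `bbtests.enabled` instead of shipping them unconditionally from `chart/templates/`. The `allow-all-podinfo` NetworkPolicy (`ingress: - {}`, `egress: - {}`) is additive with `ingress-egress-default-deny` in the same file, so the deny policy has no effect while both render, and the `allow-all-in-namespace-override` AuthorizationPolicy with `namespaces: ["*"]` likewise admits every namespace in the mesh. At minimum add a header comment to the template such as `# TEST-ONLY: permissive NetworkPolicy/RBAC/AuthorizationPolicy for the Big Bang CI install; never enable in production` so the intent is visible to anyone rendering the chart.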
@@ -7,9 +8,101 @@ serviceAccount: podAnnotations: sidecar.istio.io/inject: "false" +======= +>>>>>>> d8e5f57 (test) istio: enabled: true >>>>>>> 9c857c0 (add istio enabled to enable the virtual service) bbtests: enabled: true + +monitoring: + enabled: true + +packages: + podinfo: + enabled: true + sourceType: "git" + git: + repo: https://repo1.dso.mil/big-bang/apps/sandbox/podinfo.git + path: chart + tag: null + branch: fix-testing-cypress + flux: + timeout: 5m + postRenderers: [] + wrapper: + enabled: true + dependsOn: + - name: monitoring + namespace: bigbang + values: + replicaCount: 3 + istio: + hardened: + enabled: true + serviceAccount: + enabled: true + imagePullSecrets: + - name: private-registry + +kyvernoPolicies: + values: + policies: + restrict-host-path-mount: + exclude: + any: + - resources: + namespaces: + - podinfo + names: + - podinfo* + restrict-host-path-write: + exclude: + any: + - resources: + namespaces: + - podinfo + names: + - podinfo* + restrict-volume-types: + exclude: + any: + - resources: + namespaces: + - podinfo + names: + - podinfo* + require-non-root-group: + exclude: + any: + - resources: + namespaces: + - podinfo + names: + - podinfo* + require-non-root-user: + exclude: + any: + - resources: + namespaces: + - podinfo + names: + - podinfo* + disallow-image-tags: + exclude: + any: + - resources: + namespaces: + - podinfo + names: + - podinfo* + require-drop-all-capabilities: + exclude: + any: + - resources: + namespaces: + - podinfo + names: + - podinfo* \ No newline at end of file -- GitLab From a02f68b5c0f741dee5076a4fbe89b51ce57feb2e Mon Sep 17 00:00:00 2001 From: Danilo Patrucco <danilo.patrucco@gmail.com> Date: Wed, 19 Feb 2025 16:09:52 -0500 Subject: [PATCH 06/11] test fix --- chart/templates/bigbang/network_rbac_policies.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/chart/templates/bigbang/network_rbac_policies.yaml b/chart/templates/bigbang/network_rbac_policies.yaml index 5266299..555542c 100644 
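Review bot: The `kyvernoPolicies.values.policies` block exempts `podinfo*` in the `podinfo` namespace from seven policies at once (`restrict-host-path-mount`, `restrict-host-path-write`, `restrict-volume-types`, `require-non-root-group`, `require-non-root-user`, `disallow-image-tags`, `require-drop-all-capabilities`), which switches off the host-path, non-root, capability and image-tag controls for the workload under test, and nothing else in the series explains why podinfo would violate any of them. Each exclusion should carry a comment naming the finding it suppresses, e.g. `# needed because: <reason placeholder>`, and any that are not actually needed should be dropped; otherwise the CI install passes with a policy posture a real deployment will not have, and the test stops being evidence that the chart is deployable under Big Bang's defaults.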
--- a/chart/templates/bigbang/network_rbac_policies.yaml +++ b/chart/templates/bigbang/network_rbac_policies.yaml @@ -1,3 +1,5 @@ +{{- $pkg := "podinfo" }} +{{- if and .Values.istio.enabled (get .Values.istio $pkg).enabled }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -59,3 +61,4 @@ spec: - from: - source: namespaces: ["*"] +{{- end }} \ No newline at end of file -- GitLab From c197bd52d19b5b035431e41b6a8f21685a6a1b2c Mon Sep 17 00:00:00 2001 From: Danilo Patrucco <danilo.patrucco@gmail.com> Date: Wed, 19 Feb 2025 17:07:53 -0500 Subject: [PATCH 07/11] add wait job --- chart/templates/tests/test-wait-job.yaml | 19 ++++++++++++++++ chart/values-prod.yaml | 8 +++++++ chart/values.yaml | 8 +++++++ chart/wait/wait.sh | 28 ++++++++++++++++++++++++ tests/test-values.yml | 10 ++++++++- 5 files changed, 72 insertions(+), 1 deletion(-) create mode 100644 chart/templates/tests/test-wait-job.yaml create mode 100755 chart/wait/wait.sh diff --git a/chart/templates/tests/test-wait-job.yaml b/chart/templates/tests/test-wait-job.yaml new file mode 100644 index 0000000..2793064 --- /dev/null +++ b/chart/templates/tests/test-wait-job.yaml @@ -0,0 +1,19 @@ +{{- include "gluon.wait.wait-job-configmap.overrides" (list . "podinfo-wait.wait-configmap") }} +{{- define "podinfo-wait.wait-configmap" }} +{{- end }} +--- +{{ include "gluon.wait.wait-job.overrides" (list . "podinfo-wait.wait-job") }} +{{- define "podinfo-wait.wait-job" }} +{{- end }} +--- +{{ include "gluon.wait.wait-job-sa.overrides" (list . "podinfo-wait.wait-job-sa") }} +{{- define "podinfo-wait.wait-job-sa" }} +{{- end }} +--- +{{ include "gluon.wait.wait-job-role.overrides" (list . "podinfo-wait.wait-job-role") }} +{{- define "podinfo-wait.wait-job-role" }} +{{- end }} +--- +{{ include "gluon.wait.wait-job-rolebinding.overrides" (list . "podinfo-wait.wait-job-rolebinding") }} +{{- define "podinfo-wait.wait-job-rolebinding" }} +{{- end }} \ No newline at end of file 
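Review bot: The new guard `{{- if and .Values.istio.enabled (get .Values.istio $pkg).enabled }}` ties the permissive ClusterRole/ClusterRoleBinding, the allow-all NetworkPolicy and the AuthorizationPolicy in this template to Istio toggles, but the RBAC content has nothing to do with Istio, so every Istio-enabled install of the chart still renders the cluster-wide grants. Gate on an explicit, test-scoped value instead (for example `{{- if .Values.bbtests.enabled }}`, which tests/test-values.yml already sets) and document it at the top of the file with a comment such as `# Rendered only for the Big Bang test pipeline; grants broad RBAC and opens all ingress/egress`. `get .Values.istio $pkg` also presumably yields an empty value when `istio.podinfo` is absent from values.yaml, and `.enabled` on that would make `helm template` fail rather than evaluate to false — worth confirming against the default values, or writing the lookup as `(dig $pkg "enabled" false .Values.istio)`.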
diff --git a/chart/values-prod.yaml b/chart/values-prod.yaml index 68e74c0..d3e88f5 100644 --- a/chart/values-prod.yaml +++ b/chart/values-prod.yaml @@ -160,3 +160,11 @@ tolerations: [] affinity: {} podAnnotations: {} + +waitJob: + enabled: true + scripts: + image: registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.7 + permissions: + apiGroups: {} + resources: {} diff --git a/chart/values.yaml b/chart/values.yaml index 20dcd10..b25b4ee 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -229,3 +229,11 @@ bbtests: scripts: envs: URL: 'http://{{ template "podinfo.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.externalPort }}' + +waitJob: + enabled: true + scripts: + image: registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.7 + permissions: + apiGroups: {} + resources: {} diff --git a/chart/wait/wait.sh b/chart/wait/wait.sh new file mode 100755 index 0000000..483b5a3 --- /dev/null +++ b/chart/wait/wait.sh @@ -0,0 +1,28 @@ +#!/bin/bash +wait_project() { + # interval and timeout are in seconds + interval=5 + timeout=600 + crdname="authorizationpolicies.security.istio.io" + jobLabel="app.kubernetes.io/name=podinfo" + namespace=podinfo + counter=0 + while true; do + sleep $interval + initJobStatus=$(kubectl get pods -l $jobLabel -n $namespace -o jsonpath='{.items[0].status.conditions[0].status}') + echo "podinfo pods status is $initJobStatus" + if [[ $initJobStatus == "True" ]]; then + authcrdstatus=$(kubectl get crd $crdname -o jsonpath='{.status.conditions[0].status}') + if [[ $authcrdstatus == "True" ]]; then + echo "crd $crdname status is $authcrdstatus" + break + fi + fi + (( counter++ )) || true + if [[ $((counter * interval)) -ge $timeout ]]; then + echo "$daemonset timeout waiting $timeout seconds for creation, running describe..." 1>&2 + kubectl describe $daemonset --namespace=$namespace 1>&2 + exit 1 + fi + done +} diff --git a/tests/test-values.yml b/tests/test-values.yml index 3fdb46d..d0aed4d 100644 
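Review bot: In wait.sh the timeout branch references `$daemonset`, which is never assigned anywhere in the script, so the failure message is blank and `kubectl describe $daemonset --namespace=$namespace` runs with no resource argument instead of describing the pods that never became ready. Replace those two lines with `echo "timeout waiting $timeout seconds for pods matching $jobLabel in $namespace, running describe..." 1>&2` and `kubectl describe pods -l $jobLabel -n $namespace 1>&2`. The readiness check reads `.status.conditions[0].status`, but condition order is not guaranteed, so prefer `jsonpath='{.items[0].status.conditions[?(@.type=="Ready")].status}'`; `namespace=podinfo` is also hard-coded while the rest of the chart uses `.Release.Namespace`. Relatedly, the `waitJob.permissions` added in values.yaml and values-prod.yaml are empty (`apiGroups: {}`, `resources: {}`) while the script needs `get` on pods and on cluster-scoped `customresourcedefinitions`; if gluon builds the wait job's Role from these fields they should list those resources (presumably as sequences rather than `{}`), otherwise the job's kubectl calls will be forbidden — confirm against gluon's wait-job-role template.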
--- a/tests/test-values.yml +++ b/tests/test-values.yml @@ -105,4 +105,12 @@ kyvernoPolicies: namespaces: - podinfo names: - - podinfo* \ No newline at end of file + - podinfo* + +waitJob: + enabled: true + scripts: + image: registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.7 + permissions: + apiGroups: {} + resources: {} \ No newline at end of file -- GitLab From 404e6e32fa093d8cd3f02f99e8e67a7138b269f7 Mon Sep 17 00:00:00 2001 From: Danilo Patrucco <danilo.patrucco@gmail.com> Date: Wed, 19 Feb 2025 17:09:50 -0500 Subject: [PATCH 08/11] add wait and update readme --- CHANGELOG.md | 4 ++-- README.md | 6 +++++- chart/Chart.yaml | 2 +- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 75e644b..6f850be 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,8 +7,8 @@ ### Changed -- fix deployment using new images -- fix cypress test setup +- Add istio components to allow the image to deploy and be reachable +- Add wait job to avoid issues with the clean install pipeline ## [6.7.1-bb.2] - 2025-02-19 diff --git a/README.md b/README.md index 6784f38..c471d1e 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ <!-- Warning: Do not manually edit this file. See notes on gluon + helm-docs at the end of this file for more information. --> # podinfo -   +   Podinfo Helm chart for Kubernetes 
@@ -158,6 +158,10 @@ helm install podinfo chart/ | bbtests.cypress.artifacts | bool | `true` | | | bbtests.cypress.envs.cypress_url | string | `"http://{{ template \"podinfo.fullname\" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.externalPort }}"` | | | bbtests.scripts.envs.URL | string | `"http://{{ template \"podinfo.fullname\" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.externalPort }}"` | | +| waitJob.enabled | bool | `true` | | +| waitJob.scripts.image | string | `"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.7"` | | +| waitJob.permissions.apiGroups | object | `{}` | | +| waitJob.permissions.resources | object | `{}` | | ## Contributing diff --git a/chart/Chart.yaml b/chart/Chart.yaml index ac555e7..82c607f 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 icon: https://kubernetes.io/icons/icon-128x128.png -version: 6.7.1-bb.2 +version: 6.7.1-bb.3 appVersion: 6.7.1 name: podinfo engine: gotpl -- GitLab From 9897a065c775af09afa8ff0f788d0fb519dced70 Mon Sep 17 00:00:00 2001 From: Danilo Patrucco <danilo.patrucco@gmail.com> Date: Wed, 19 Feb 2025 17:17:49 -0500 Subject: [PATCH 09/11] remove wrapper and test --- tests/test-values.yml | 34 ++++++++-------------------------- 1 file changed, 8 insertions(+), 26 deletions(-) diff --git a/tests/test-values.yml b/tests/test-values.yml index d0aed4d..799c3cf 100644 --- a/tests/test-values.yml +++ b/tests/test-values.yml @@ -12,6 +12,8 @@ podAnnotations: >>>>>>> d8e5f57 (test) istio: enabled: true + hardened: + enabled: true >>>>>>> 9c857c0 (add istio enabled to enable the virtual service) bbtests: 
@@ -20,32 +22,12 @@ bbtests: monitoring: enabled: true -packages: - podinfo: - enabled: true - sourceType: "git" - git: - repo: https://repo1.dso.mil/big-bang/apps/sandbox/podinfo.git - path: chart - tag: null - branch: fix-testing-cypress - flux: - timeout: 5m - postRenderers: [] - wrapper: - enabled: true - dependsOn: - - name: monitoring - namespace: bigbang - values: - replicaCount: 3 - istio: - hardened: - enabled: true - serviceAccount: - enabled: true - imagePullSecrets: - - name: private-registry +replicaCount: 3 + +serviceAccount: + enabled: true + imagePullSecrets: + - name: private-registry kyvernoPolicies: values: -- GitLab From 958f678c21ba209cfdca88f78419204110663694 Mon Sep 17 00:00:00 2001 From: Danilo Patrucco <danilo.patrucco@gmail.com> Date: Wed, 19 Feb 2025 17:24:33 -0500 Subject: [PATCH 10/11] fix the namespace --- chart/templates/bigbang/network_rbac_policies.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chart/templates/bigbang/network_rbac_policies.yaml b/chart/templates/bigbang/network_rbac_policies.yaml index 555542c..b5e6c12 100644 --- a/chart/templates/bigbang/network_rbac_policies.yaml +++ b/chart/templates/bigbang/network_rbac_policies.yaml @@ -19,7 +19,7 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: ingress-egress-default-deny - namespace: podinfo + namespace: {{ .Release.Namespace }} spec: podSelector: {} policyTypes: -- GitLab From d3329c955661aa2679fe0e0ca0197349183ee7a6 Mon Sep 17 00:00:00 2001 From: Danilo Patrucco <danilo.patrucco@gmail.com> Date: Wed, 19 Feb 2025 17:49:48 -0500 Subject: [PATCH 11/11] fix test-values after rebase --- tests/test-values.yml | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/tests/test-values.yml b/tests/test-values.yml index 799c3cf..40c38ba 100644 --- a/tests/test-values.yml +++ b/tests/test-values.yml 
@@ -1,21 +1,8 @@ -<<<<<<< HEAD -<<<<<<< HEAD -======= -serviceAccount: - enabled: true - imagePullSecrets: - - name: private-registry -podAnnotations: - sidecar.istio.io/inject: "false" - -======= ->>>>>>> d8e5f57 (test) istio: enabled: true hardened: enabled: true ->>>>>>> 9c857c0 (add istio enabled to enable the virtual service) bbtests: enabled: true -- GitLab