[gitops-operator] move crds to tempates, change cluster wide naming and add tests (#87)

* move crds and change sa name

* change cluster wide names,split resources and add tests

Author: ilia-medvedev-codefresh

charts/gitops-runtime/templates/_components/gitops-operator/_all_resources.yaml

@@ -1,6 +1,6 @@
 {{- define "gitops-operator.resources" }}
 ---
-  {{ include "gitops-operator.resources.deployment" . }}
+  {{ include "gitops-operator.resources.deployment" . }} #
 ---
   {{ include "gitops-operator.resources.rbac" . }}
 ---
@@ -11,4 +11,6 @@
   {{ include "gitops-operator.resources.restricted_git_source_rbac" . }}
 ---
   {{ include "gitops-operator.resources.sa" .}}
+---
+  {{- include "gitops-operator.crds.restricted-gitsource" . }} #
 {{- end }}

charts/gitops-runtime/templates/_components/gitops-operator/_deployment.yaml

@@ -50,6 +50,7 @@ spec:
         securityContext:
           {{- toYaml .Values.securityContext | nindent 12 }}
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+        {{- include "codefresh-gitops-runtime.components.common_helpers.container-templates.env-vars" .Values.env | nindent 8 }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         command:
           - /manager

charts/gitops-runtime/templates/_components/gitops-operator/_rbac.yaml

@@ -5,7 +5,7 @@ kind: ClusterRole
 metadata:
   labels:
     {{- include "gitops-operator.selectorLabels" . | nindent 4 }}
-  name: controller-manager
+  name: codefresh-gitops-operator
 rules:
 - apiGroups:
   - argoproj.io
@@ -51,11 +51,11 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     {{- include "gitops-operator.selectorLabels" . | nindent 4 }}
-  name: controller-manager
+  name: codefresh-gitops-operator
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: controller-manager
+  name: codefresh-gitops-operator
 subjects:
 - kind: ServiceAccount
   name: {{ include "gitops-operator.serviceAccountName" . }}

charts/gitops-runtime/crds/gitops-operator/csdp.codefresh.io_restrictedgitsources.yaml renamed to charts/gitops-runtime/templates/_components/gitops-operator/crds/restrictedgitsources.yaml

@@ -1,8 +1,22 @@
----
+{{- define "gitops-operator.crds.restricted-gitsource" }}
+  {{- if .Values.crds.install }}
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   name: restrictedgitsources.csdp.codefresh.io
+  annotations:
+    {{- if .Values.crds.keep }}
+    "helm.sh/resource-policy": keep
+    {{- end }}
+    {{- with .Values.crds.annotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    app.kubernetes.io/name: restrictedgitsources.csdp.codefresh.io
+    app.kubernetes.io/part-of: gitops-operator
+    {{- with .Values.crds.additionalLabels }}
+      {{- toYaml . | nindent 4}}
+    {{- end }}
 spec:
   group: csdp.codefresh.io
   names:
@@ -507,3 +521,5 @@ spec:
     storage: true
     subresources:
       status: {}
+    {{- end }}
+{{- end }}

charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml

@@ -5,7 +5,7 @@ kind: ClusterRole
 metadata:
   labels:
     {{- include "gitops-operator.selectorLabels" . | nindent 4 }}
-  name: proxy
+  name: codefresh-gitops-operator-proxy
 rules:
 - apiGroups:
   - authentication.k8s.io
@@ -25,11 +25,11 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     {{- include "gitops-operator.selectorLabels" . | nindent 4 }}
-  name: proxy
+  name: codefresh-gitops-operator-proxy
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: proxy
+  name: codefresh-gitops-operator-proxy
 subjects:
 - kind: ServiceAccount
   name: {{ include "gitops-operator.serviceAccountName" . }}

charts/gitops-runtime/templates/gitops-operator/crds.yaml

@@ -0,0 +1,5 @@
+{{- $gitopsOperatorContext := deepCopy . }}
+{{- $_ := set $gitopsOperatorContext "Values" (get .Values "gitops-operator") }}
+{{- $_ := set $gitopsOperatorContext.Values "global" (get .Values "global") }}
+
+{{- include "gitops-operator.crds.restricted-gitsource" $gitopsOperatorContext }}

charts/gitops-runtime/templates/gitops-operator/deployment.yaml

@@ -0,0 +1,5 @@
+{{- $gitopsOperatorContext := deepCopy . }}
+{{- $_ := set $gitopsOperatorContext "Values" (get .Values "gitops-operator") }}
+{{- $_ := set $gitopsOperatorContext.Values "global" (get .Values "global") }}
+
+{{- include "gitops-operator.resources.deployment" $gitopsOperatorContext }}

charts/gitops-runtime/templates/gitops-operator/rbac.yaml

@@ -0,0 +1,10 @@
+{{- $gitopsOperatorContext := deepCopy . }}
+{{- $_ := set $gitopsOperatorContext "Values" (get .Values "gitops-operator") }}
+{{- $_ := set $gitopsOperatorContext.Values "global" (get .Values "global") }}
+{{- include "gitops-operator.resources.rbac" $gitopsOperatorContext }}
+---
+{{- include "gitops-operator.resources.auth_proxy_rbac" $gitopsOperatorContext }}
+---
+{{- include "gitops-operator.resources.leader_election_rbac" $gitopsOperatorContext }}
+---
+{{- include "gitops-operator.resources.restricted_git_source_rbac" $gitopsOperatorContext }}

charts/gitops-runtime/templates/gitops-operator/all_resources.yaml renamed to charts/gitops-runtime/templates/gitops-operator/sa.yaml

@@ -2,4 +2,4 @@
 {{- $_ := set $gitopsOperatorContext "Values" (get .Values "gitops-operator") }}
 {{- $_ := set $gitopsOperatorContext.Values "global" (get .Values "global") }}
 
-{{- include "gitops-operator.resources" $gitopsOperatorContext }}
+{{ include "gitops-operator.resources.sa" $gitopsOperatorContext }}

charts/gitops-runtime/tests/gitops-controller-misc_test.yaml

@@ -0,0 +1,238 @@
+suite: misc tests on gitops-operator templates generation
+templates:
+  - gitops-operator/deployment.yaml
+  - gitops-operator/sa.yaml
+  - gitops-operator/rbac.yaml
+tests:
+- it: override both images works
+  template: 'gitops-operator/deployment.yaml'
+  set:
+    gitops-operator:
+      image:
+        repository: example.com/repo
+        tag: 0.0.1
+      kube-rbac-proxy:
+        image:
+          repository: example.com/repo
+          tag: 0.0.1
+  asserts:
+  - equal:
+      path: spec.template.spec.containers[0].image
+      value: example.com/repo:0.0.1
+  - equal:
+      path: spec.template.spec.containers[1].image
+      value: example.com/repo:0.0.1
+
+- it: override service account name - sa object
+  template: 'gitops-operator/sa.yaml'
+  values:
+  - ./values/mandatory-values.yaml
+  set:
+    gitops-operator.serviceAccount.name: sa-name
+  asserts:
+  - equal:
+      path: metadata.name
+      value: sa-name
+
+- it: override service account name - deployment
+  template: 'gitops-operator/deployment.yaml'
+  values:
+  - ./values/mandatory-values.yaml
+  set:
+    gitops-operator.serviceAccount.name: sa-name
+  asserts:
+  - equal:
+      path: spec.template.spec.serviceAccountName
+      value: sa-name
+
+- it: overriding of environment variables on main container
+  template: 'gitops-operator/deployment.yaml'
+  values:
+  - ./values/mandatory-values.yaml
+  set:
+    gitops-operator.env.PORT: '8787'
+  asserts:
+  - contains:
+      path: spec.template.spec.containers[1].env
+      content:
+        name: PORT
+        value: "8787"
+- it: adding environment variables on main container
+  template: 'gitops-operator/deployment.yaml'
+  values:
+  - ./values/mandatory-values.yaml
+  set:
+    gitops-operator.env.SOME_ENV: 'test'
+  asserts:
+  - contains:
+      path: spec.template.spec.containers[1].env
+      content:
+        name: SOME_ENV
+        value: test
+- it: setting security context on main container
+  template: 'gitops-operator/deployment.yaml'
+  values:
+  - ./values/mandatory-values.yaml
+  set:
+    gitops-operator.securityContext.runAsUser: 1000
+  asserts:
+  - equal:
+      path: spec.template.spec.containers[1].securityContext.runAsUser
+      value: 1000
+- it: override readiness and liveness probes values
+  template: 'gitops-operator/deployment.yaml'
+  values:
+  - ./values/mandatory-values.yaml
+  set:
+    gitops-operator.readinessProbe.initialDelaySeconds: 1
+    gitops-operator.readinessProbe.periodSeconds: 1
+    gitops-operator.readinessProbe.timeoutSeconds: 1
+    gitops-operator.readinessProbe.successThreshold: 1
+    gitops-operator.readinessProbe.failureThreshold: 1
+    gitops-operator.livenessProbe.initialDelaySeconds: 1
+    gitops-operator.livenessProbe.periodSeconds: 1
+    gitops-operator.livenessProbe.timeoutSeconds: 1
+    gitops-operator.livenessProbe.successThreshold: 1
+    gitops-operator.livenessProbe.failureThreshold: 1
+  asserts:
+  - equal:
+      path: spec.template.spec.containers[1].readinessProbe.initialDelaySeconds
+      value: 1
+  - equal:
+      path: spec.template.spec.containers[1].readinessProbe.periodSeconds
+      value: 1
+  - equal:
+      path: spec.template.spec.containers[1].readinessProbe.timeoutSeconds
+      value: 1
+  - equal:
+      path: spec.template.spec.containers[1].readinessProbe.successThreshold
+      value: 1
+  - equal:
+      path: spec.template.spec.containers[1].readinessProbe.failureThreshold
+      value: 1
+  - equal:
+      path: spec.template.spec.containers[1].livenessProbe.initialDelaySeconds
+      value: 1
+  - equal:
+      path: spec.template.spec.containers[1].livenessProbe.periodSeconds
+      value: 1
+  - equal:
+      path: spec.template.spec.containers[1].livenessProbe.timeoutSeconds
+      value: 1
+  - equal:
+      path: spec.template.spec.containers[1].livenessProbe.successThreshold
+      value: 1
+  - equal:
+      path: spec.template.spec.containers[1].livenessProbe.failureThreshold
+      value: 1
+- it: setting node selector
+  template: 'gitops-operator/deployment.yaml'
+  values:
+  - ./values/mandatory-values.yaml
+  set:
+    gitops-operator.nodeSelector:
+      test.io/node: "test"
+  asserts:
+  - equal:
+      path: spec.template.spec.nodeSelector
+      value:
+        test.io/node: "test"
+
+- it: setting tolerations
+  template: 'gitops-operator/deployment.yaml'
+  values:
+  - ./values/mandatory-values.yaml
+  set:
+    gitops-operator.tolerations:
+      - key: "arch"
+        operator: "Equal"
+        value: "arm64"
+        effect: "NoSchedule"
+  asserts:
+  - contains:
+      path: spec.template.spec.tolerations
+      content:
+        key: "arch"
+        operator: "Equal"
+        value: "arm64"
+        effect: "NoSchedule"
+
+- it: setting affinity
+  template: 'gitops-operator/deployment.yaml'
+  values:
+  - ./values/mandatory-values.yaml
+  set:
+    gitops-operator.affinity:
+      nodeAffinity:
+        requiredDuringSchedulingIgnoredDuringExecution:
+          nodeSelectorTerms:
+          - matchExpressions:
+            - key: topology.kubernetes.io/zone
+              operator: In
+              values:
+              - antarctica-east1
+              - antarctica-west1
+  asserts:
+  - equal:
+      path: spec.template.spec.affinity
+      value:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: topology.kubernetes.io/zone
+                operator: In
+                values:
+                - antarctica-east1
+                - antarctica-west1
+
+- it: contains all expected roles and role bindings
+  template: gitops-operator/rbac.yaml
+  values:
+  - ./values/mandatory-values.yaml
+  asserts:
+    - containsDocument:
+        kind: ClusterRole
+        apiVersion: rbac.authorization.k8s.io/v1
+        name: codefresh-gitops-operator-proxy
+    - containsDocument:
+        kind: ClusterRoleBinding
+        apiVersion: rbac.authorization.k8s.io/v1
+        name: codefresh-gitops-operator-proxy
+    - containsDocument:
+        kind: ClusterRoleBinding
+        apiVersion: rbac.authorization.k8s.io/v1
+        name: restrictedgitsource-editor
+    - containsDocument:
+        kind: ClusterRole
+        apiVersion: rbac.authorization.k8s.io/v1
+        name: restrictedgitsource-editor
+    - containsDocument:
+        kind: ClusterRole
+        apiVersion: rbac.authorization.k8s.io/v1
+        name: restrictedgitsource-viewer
+    - containsDocument:
+        kind: ClusterRole
+        apiVersion: rbac.authorization.k8s.io/v1
+        name: codefresh-gitops-operator
+    - containsDocument:
+        kind: ClusterRoleBinding
+        apiVersion: rbac.authorization.k8s.io/v1
+        name: codefresh-gitops-operator
+    - containsDocument:
+        kind: ClusterRoleBinding
+        apiVersion: rbac.authorization.k8s.io/v1
+        name: restrictedgitsource-viewer
+    - containsDocument:
+        kind: Role
+        apiVersion: rbac.authorization.k8s.io/v1
+        name: leader-election
+    - containsDocument:
+        kind: Role
+        apiVersion: rbac.authorization.k8s.io/v1
+        name: leader-election
+    - containsDocument:
+        kind: RoleBinding
+        apiVersion: rbac.authorization.k8s.io/v1
+        name: leader-election
+