From f20ff96dce208b45215fd2636fe30b7427615f41 Mon Sep 17 00:00:00 2001 From: Ramiro Algozino Date: Tue, 16 May 2023 11:09:15 +0200 Subject: [PATCH 01/16] chore(ci): add support for k8s 1.26, remove 1.22, trigger on develop --- .drone.yml | 94 ++++++++++++++++++++++++------------------------------ 1 file changed, 41 insertions(+), 53 deletions(-) diff --git a/.drone.yml b/.drone.yml index aacbe6b..75a0a25 100644 --- a/.drone.yml +++ b/.drone.yml @@ -8,10 +8,10 @@ type: docker steps: - name: check - image: docker.io/library/golang:1.16 + image: docker.io/library/golang:1.20 pull: always commands: - - go get -u github.com/google/addlicense + - go install github.com/google/addlicense@v1.1.1 - addlicense -c "SIGHUP s.r.l" -v -l bsd -y "2017-present" --check . --- @@ -44,7 +44,7 @@ steps: - clone - name: render - image: quay.io/sighup/e2e-testing:1.1.0_0.2.2_2.16.1_1.9.4_1.20.7_3.8.7_2.4.1 + image: quay.io/sighup/e2e-testing:1.1.0_0.11.0_3.1.1_1.9.4_1.26.3_3.5.3_4.33.3 pull: always depends_on: - clone @@ -61,7 +61,7 @@ steps: - /pluto detect gatekeeper.yml --target-versions=k8s=v1.25.0 --ignore-deprecations --- -name: e2e-kubernetes-1.22 +name: e2e-kubernetes-1.23 kind: pipeline type: docker @@ -80,6 +80,7 @@ trigger: include: - refs/heads/master - refs/heads/main + - refs/heads/develop - refs/tags/** steps: @@ -91,10 +92,10 @@ steps: path: /shared depends_on: [clone] settings: - action: custom-cluster-122 - pipeline_id: cluster-122 + action: custom-cluster-123 + pipeline_id: cluster-123 local_kind_config_path: katalog/tests/kind/config.yml - cluster_version: "1.22.0" + cluster_version: "1.23.0" instance_path: /shared aws_default_region: from_secret: aws_region 
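Review bot: The `render` step still runs `/pluto detect gatekeeper.yml --target-versions=k8s=v1.25.0 --ignore-deprecations` (context line at the top of the `@@ -61,7 +61,7 @@` hunk) while this commit adds a 1.26 e2e pipeline and bumps the render image to kubectl 1.26.3, so APIs removed in 1.26 would not be flagged by the render pipeline before the new e2e pipeline runs into them. Bump the target in step with the matrix, `- /pluto detect gatekeeper.yml --target-versions=k8s=v1.26.0 --ignore-deprecations`, and keep it tied to the newest supported version whenever a pipeline is added. The render step's `commands` list begins outside the hunk.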
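Review bot: The `init` step of the renamed `e2e-kubernetes-1.23` pipeline now requests `action: custom-cluster-123` and `cluster_version: "1.23.0"`, but its `image:` line is outside the `@@ -91,10 +92,10 @@` hunk, so the pipeline presumably still runs whatever `e2e-testing-drone-plugin` tag the old 1.22 pipeline used; the same applies to the `e2e-kubernetes-1.24` hunk at `@@ -191,10 +193,10 @@`. For the 1.25 and 1.26 pipelines the plugin tag is bumped together with `cluster_version`, which suggests the two are meant to move in step. Please confirm the plugin tags in the 1.23 and 1.24 pipelines match the cluster versions they create, or add a comment above `image:` stating why an older plugin is sufficient. The `destroy` steps of these two pipelines have the same unchanged image line.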
@@ -116,14 +117,14 @@ steps: from_secret: dockerhub_password - name: e2e - image: quay.io/sighup/e2e-testing:1.1.0_0.2.2_2.16.1_1.9.4_1.22.0_3.8.7_2.4.1 + image: quay.io/sighup/e2e-testing:1.1.0_0.2.2_2.16.1_1.9.4_1.23.0_3.8.7_2.4.1 pull: always volumes: - name: shared path: /shared depends_on: [init] commands: - - export KUBECONFIG=/shared/kube/kubeconfig-122 + - export KUBECONFIG=/shared/kube/kubeconfig-123 - bats -t katalog/tests/gatekeeper.sh - name: destroy @@ -132,7 +133,7 @@ steps: depends_on: [e2e] settings: action: destroy - pipeline_id: cluster-122 + pipeline_id: cluster-123 aws_default_region: from_secret: aws_region aws_access_key_id: @@ -161,7 +162,7 @@ volumes: temp: {} --- -name: e2e-kubernetes-1.23 +name: e2e-kubernetes-1.24 kind: pipeline type: docker @@ -180,6 +181,7 @@ trigger: include: - refs/heads/master - refs/heads/main + - refs/heads/develop - refs/tags/** steps: @@ -191,10 +193,10 @@ steps: path: /shared depends_on: [clone] settings: - action: custom-cluster-123 - pipeline_id: cluster-123 + action: custom-cluster-124 + pipeline_id: cluster-124 local_kind_config_path: katalog/tests/kind/config.yml - cluster_version: "1.23.0" + cluster_version: "1.24.0" instance_path: /shared aws_default_region: from_secret: aws_region @@ -216,14 +218,14 @@ steps: from_secret: dockerhub_password - name: e2e - image: quay.io/sighup/e2e-testing:1.1.0_0.2.2_2.16.1_1.9.4_1.23.0_3.8.7_2.4.1 + image: quay.io/sighup/e2e-testing:1.1.0_0.7.0_3.1.1_1.9.4_1.24.1_3.8.7_4.21.1 pull: always volumes: - name: shared path: /shared depends_on: [init] commands: - - export KUBECONFIG=/shared/kube/kubeconfig-123 + - export KUBECONFIG=/shared/kube/kubeconfig-124 - bats -t katalog/tests/gatekeeper.sh - name: destroy @@ -232,7 +234,7 @@ steps: depends_on: [e2e] settings: action: destroy - pipeline_id: cluster-123 + pipeline_id: cluster-124 aws_default_region: from_secret: aws_region aws_access_key_id: 
@@ -259,9 +261,8 @@ steps: volumes: - name: shared temp: {} - --- -name: e2e-kubernetes-1.24 +name: e2e-kubernetes-1.25 kind: pipeline type: docker @@ -280,21 +281,22 @@ trigger: include: - refs/heads/master - refs/heads/main + - refs/heads/develop - refs/tags/** steps: - name: init - image: quay.io/sighup/e2e-testing-drone-plugin:v1.24.0 + image: quay.io/sighup/e2e-testing-drone-plugin:v1.25.3 pull: always volumes: - name: shared path: /shared depends_on: [clone] settings: - action: custom-cluster-124 - pipeline_id: cluster-124 + action: custom-cluster-125 + pipeline_id: cluster-125 local_kind_config_path: katalog/tests/kind/config.yml - cluster_version: "1.24.0" + cluster_version: "1.25.3" instance_path: /shared aws_default_region: from_secret: aws_region @@ -316,23 +318,24 @@ steps: from_secret: dockerhub_password - name: e2e - image: quay.io/sighup/e2e-testing:1.1.0_0.7.0_3.1.1_1.9.4_1.24.1_3.8.7_4.21.1 + # KUBECTL 1.25.3 - KUSTOMIZE 3.5.3 - HELM 3.1.1 - YQ 4.21.1 - ISTIOCTL 1.9.4 - FURYCTL 0.9.0 - BATS 1.1.0 + image: quay.io/sighup/e2e-testing:1.1.0_0.9.0_3.1.1_1.9.4_1.25.3_3.5.3_4.21.1 pull: always volumes: - name: shared path: /shared depends_on: [init] commands: - - export KUBECONFIG=/shared/kube/kubeconfig-124 + - export KUBECONFIG=/shared/kube/kubeconfig-125 - bats -t katalog/tests/gatekeeper.sh - name: destroy - image: quay.io/sighup/e2e-testing-drone-plugin:v1.24.0 + image: quay.io/sighup/e2e-testing-drone-plugin:v1.25.3 pull: always depends_on: [e2e] settings: action: destroy - pipeline_id: cluster-124 + pipeline_id: cluster-125 aws_default_region: from_secret: aws_region aws_access_key_id: @@ -360,7 +363,7 @@ volumes: - name: shared temp: {} --- -name: e2e-kubernetes-1.25 +name: e2e-kubernetes-1.26 kind: pipeline type: docker 
@@ -379,21 +382,22 @@ trigger: include: - refs/heads/master - refs/heads/main + - refs/heads/develop - refs/tags/** steps: - name: init - image: quay.io/sighup/e2e-testing-drone-plugin:v1.25.3 + image: quay.io/sighup/e2e-testing-drone-plugin:v1.26.3 pull: always volumes: - name: shared path: /shared depends_on: [clone] settings: - action: custom-cluster-125 - pipeline_id: cluster-125 + action: custom-cluster-126 + pipeline_id: cluster-126 local_kind_config_path: katalog/tests/kind/config.yml - cluster_version: "1.25.3" + cluster_version: "1.26.3" instance_path: /shared aws_default_region: from_secret: aws_region @@ -415,24 +419,23 @@ steps: from_secret: dockerhub_password - name: e2e - # KUBECTL 1.25.3 - KUSTOMIZE 3.5.3 - HELM 3.1.1 - YQ 4.21.1 - ISTIOCTL 1.9.4 - FURYCTL 0.9.0 - BATS 1.1.0 - image: quay.io/sighup/e2e-testing:1.1.0_0.9.0_3.1.1_1.9.4_1.25.3_3.5.3_4.21.1 + image: quay.io/sighup/e2e-testing:1.1.0_0.11.0_3.1.1_1.9.4_1.26.3_3.5.3_4.33.3 pull: always volumes: - name: shared path: /shared depends_on: [init] commands: - - export KUBECONFIG=/shared/kube/kubeconfig-125 + - export KUBECONFIG=/shared/kube/kubeconfig-126 - bats -t katalog/tests/gatekeeper.sh - name: destroy - image: quay.io/sighup/e2e-testing-drone-plugin:v1.25.3 + image: quay.io/sighup/e2e-testing-drone-plugin:v1.26.3 pull: always depends_on: [e2e] settings: action: destroy - pipeline_id: cluster-125 + pipeline_id: cluster-126 aws_default_region: from_secret: aws_region aws_access_key_id: @@ -466,10 +469,10 @@ kind: pipeline type: docker depends_on: - - e2e-kubernetes-1.22 - e2e-kubernetes-1.23 - e2e-kubernetes-1.24 - e2e-kubernetes-1.25 + - e2e-kubernetes-1.26 platform: os: linux 
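Review bot: The `e2e` step of the `e2e-kubernetes-1.26` pipeline loses the only comment that decodes the `e2e-testing` tag (`# KUBECTL 1.25.3 - KUSTOMIZE 3.5.3 - …` is removed in `@@ -415,24 +419,23 @@` and nothing replaces it), while the 1.25 pipeline keeps its copy; the new tag `1.1.0_0.11.0_3.1.1_1.9.4_1.26.3_3.5.3_4.33.3` is opaque without it. Going by the field order the existing comment documents, add above the new `image:` line `# KUBECTL 1.26.3 - KUSTOMIZE 3.5.3 - HELM 3.1.1 - YQ 4.33.3 - ISTIOCTL 1.9.4 - FURYCTL 0.11.0 - BATS 1.1.0`, and verify the decoding against the tools' own version output since it is inferred from the tag layout. The `render` step in the first hunk of this patch uses the same tag and would benefit from the same comment.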
@@ -481,17 +484,6 @@ trigger: - refs/tags/** steps: - - name: prepare-canonical-json - image: registry.sighup.io/poc/fury-repo-automations:v0.0.3 - pull: always - depends_on: [clone] - commands: - - spock module-json -m=fury-kubernetes-opa -r=False -v=${DRONE_TAG} - when: - ref: - include: - - refs/tags/** - - name: prepare-tar-gz image: alpine:latest pull: always @@ -518,7 +510,6 @@ steps: image: plugins/github-release pull: always depends_on: - - prepare-canonical-json - prepare-tar-gz - prepare-release-notes settings: @@ -527,7 +518,6 @@ steps: file_exists: overwrite files: - fury-kubernetes-opa-${DRONE_TAG}.tar.gz - - fury-kubernetes-opa-canonical-definition-${DRONE_TAG}.json prerelease: true overwrite: true title: "Preview ${DRONE_TAG}" @@ -544,7 +534,6 @@ steps: image: plugins/github-release pull: always depends_on: - - prepare-canonical-json - prepare-tar-gz - prepare-release-notes settings: @@ -553,7 +542,6 @@ steps: file_exists: overwrite files: - fury-kubernetes-opa-${DRONE_TAG}.tar.gz - - fury-kubernetes-opa-canonical-definition-${DRONE_TAG}.json prerelease: false overwrite: true title: "Release ${DRONE_TAG}" From ea3bb186de6e807872186b3f3ff8171eafd09c99 Mon Sep 17 00:00:00 2001 From: Ramiro Algozino Date: Tue, 16 May 2023 11:09:59 +0200 Subject: [PATCH 02/16] feat(gatekeeper): update to v3.12 --- katalog/gatekeeper/core/MAINTENANCE.md | 8 +- katalog/gatekeeper/core/crd.yml | 310 ++++++++++++++++++++- katalog/gatekeeper/core/kustomization.yaml | 2 +- katalog/gatekeeper/core/rbac.yml | 7 + 4 files changed, 313 insertions(+), 14 deletions(-) diff --git a/katalog/gatekeeper/core/MAINTENANCE.md b/katalog/gatekeeper/core/MAINTENANCE.md index fcd47de..ba40bca 100644 --- a/katalog/gatekeeper/core/MAINTENANCE.md +++ b/katalog/gatekeeper/core/MAINTENANCE.md 
@@ -1,10 +1,10 @@ -# Gatekepeer Package Maintenance +# Gatekeeper Package Maintenance 1. Check the differences with upstream manifests: ```bash # Assuming ${PWD} == the root of the project -export GATEKEEPER_VERSION=3.11 +export GATEKEEPER_VERSION=3.12 curl https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-${GATEKEEPER_VERSION}/deploy/gatekeeper.yaml -o upstream.yaml cat katalog/gatekeeper/core/ns.yml \ katalog/gatekeeper/core/crd.yml \ @@ -16,7 +16,7 @@ cat katalog/gatekeeper/core/ns.yml \ katalog/gatekeeper/core/pdb.yml \ katalog/gatekeeper/core/mwh.yml \ katalog/gatekeeper/core/vwh.yml \ - > local.yml + > local.yml ``` > You could generate the output with `kustomize build .` also, but `kustomize` changes all the indentation and word wrapping of the original files, so you won't be able to do the diff against its output. @@ -37,4 +37,4 @@ Please notice that it is expected that some objects don't have the namespace set ## Customizations - We enable monitoring of metrics by default, so we added some parameters to scrape them. -- We delete the namesapce from resources definitions, the namespace is set by Kustomize. +- We delete the namespace from resources definitions, the namespace is set by Kustomize. diff --git a/katalog/gatekeeper/core/crd.yml b/katalog/gatekeeper/core/crd.yml index 61f924c..6f5ec28 100644 --- a/katalog/gatekeeper/core/crd.yml +++ b/katalog/gatekeeper/core/crd.yml 
@@ -763,6 +763,244 @@ spec: --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: assignimage.mutations.gatekeeper.sh +spec: + group: mutations.gatekeeper.sh + names: + kind: AssignImage + listKind: AssignImageList + plural: assignimage + singular: assignimage + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: AssignImage is the Schema for the assignimage API. + properties: + apiVersion: + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: string + kind: + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: string + metadata: + properties: + name: + maxLength: 63 + type: string + type: object + spec: + description: AssignImageSpec defines the desired state of AssignImage. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. 
+ properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: "Location describes the path to be mutated, for example: `spec.containers[name: main].image`." + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: "ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`." + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: "LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. 
These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector." + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: "Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`." 
+ pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: "Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`." + items: + description: 'A string that supports globbing at its front or end. 
Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + assignDomain: + description: AssignDomain sets the domain component on an image string. The trailing slash should not be included. + type: string + assignPath: + description: AssignPath sets the domain component on an image string. + type: string + assignTag: + description: AssignImage sets the image component on an image string. It must start with a `:` or `@`. + type: string + pathTests: + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." 
+ properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + type: object + type: object + status: + description: AssignImageStatus defines the observed state of AssignImage. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.10.0 
@@ -802,7 +1040,7 @@ spec: location: type: string match: - description: Match selects objects to apply mutations to. + description: Match selects which objects are in scope. properties: excludedNamespaces: description: "ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`." @@ -1013,7 +1251,7 @@ spec: location: type: string match: - description: Match selects objects to apply mutations to. + description: Match selects which objects are in scope. properties: excludedNamespaces: description: "ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`." @@ -1224,7 +1462,7 @@ spec: location: type: string match: - description: Match selects objects to apply mutations to. + description: Match selects which objects are in scope. properties: excludedNamespaces: description: "ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`." 
@@ -1662,7 +1900,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.11.3 labels: gatekeeper.sh/system: "yes" name: constrainttemplates.templates.gatekeeper.sh @@ -1721,6 +1959,24 @@ spec: targets: items: properties: + code: + description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map libs: items: type: string @@ -1816,6 +2072,24 @@ spec: targets: items: properties: + code: + description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map libs: items: type: string 
@@ -1911,6 +2185,24 @@ spec: targets: items: properties: + code: + description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map libs: items: type: string @@ -2783,7 +3075,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.11.3 labels: gatekeeper.sh/system: "yes" name: providers.externaldata.gatekeeper.sh @@ -2822,12 +3114,12 @@ spec: description: Timeout is the timeout when querying the provider. type: integer url: - description: URL is the url for the provider. URL is prefixed with http:// or https://. + description: URL is the url for the provider. URL is prefixed with https://. type: string type: object type: object served: true - storage: true + storage: false - name: v1beta1 schema: openAPIV3Schema: @@ -2851,9 +3143,9 @@ spec: description: Timeout is the timeout when querying the provider. type: integer url: - description: URL is the url for the provider. URL is prefixed with http:// or https://. + description: URL is the url for the provider. URL is prefixed with https://. type: string type: object type: object served: true - storage: false + storage: true diff --git a/katalog/gatekeeper/core/kustomization.yaml b/katalog/gatekeeper/core/kustomization.yaml index 719b575..da30b31 100644 --- a/katalog/gatekeeper/core/kustomization.yaml +++ b/katalog/gatekeeper/core/kustomization.yaml 
@@ -23,4 +23,4 @@ resources: images: - name: openpolicyagent/gatekeeper newName: registry.sighup.io/fury/openpolicyagent/gatekeeper - newTag: v3.11.0 + newTag: v3.12.0 diff --git a/katalog/gatekeeper/core/rbac.yml b/katalog/gatekeeper/core/rbac.yml index 0e2f024..f6b4a6e 100644 --- a/katalog/gatekeeper/core/rbac.yml +++ b/katalog/gatekeeper/core/rbac.yml @@ -37,6 +37,13 @@ metadata: gatekeeper.sh/system: "yes" name: gatekeeper-manager-role rules: + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch - apiGroups: - "*" resources: From 01014dac8373ef1195a0840b84799b6720801463 Mon Sep 17 00:00:00 2001 From: Ramiro Algozino Date: Tue, 16 May 2023 11:15:22 +0200 Subject: [PATCH 03/16] feat(gpm): bump to v1.0.4 --- katalog/gatekeeper/gpm/kustomization.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/katalog/gatekeeper/gpm/kustomization.yaml b/katalog/gatekeeper/gpm/kustomization.yaml index 0282f85..304a302 100644 --- a/katalog/gatekeeper/gpm/kustomization.yaml +++ b/katalog/gatekeeper/gpm/kustomization.yaml @@ -16,4 +16,4 @@ resources: images: - name: quay.io/sighup/gatekeeper-policy-manager newName: registry.sighup.io/fury/gatekeeper-policy-manager - newTag: v1.0.3 + newTag: v1.0.4 From fea9f562b3fa8262b9516a25be8f02fbd77dc960 Mon Sep 17 00:00:00 2001 From: Ramiro Algozino Date: Tue, 16 May 2023 14:25:39 +0200 Subject: [PATCH 04/16] chore(ci): add e2e for mutations --- .../tests/gatekeeper-manifests/mutation.yaml | 20 +++++++++ katalog/tests/gatekeeper.sh | 42 +++++++++++++++++++ 2 files changed, 62 insertions(+) create mode 100644 katalog/tests/gatekeeper-manifests/mutation.yaml diff --git a/katalog/tests/gatekeeper-manifests/mutation.yaml b/katalog/tests/gatekeeper-manifests/mutation.yaml new file mode 100644 index 0000000..1df8d1e --- /dev/null +++ b/katalog/tests/gatekeeper-manifests/mutation.yaml 
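Review bot: The new `events` rule with `create`/`patch` on `gatekeeper-manager-role` has no comment saying why it is needed, and the verbs of the neighbouring `apiGroups: "*"` rule are outside the hunk, so a reader cannot tell whether this is a new write permission or a duplicate of what the wildcard rule already grants. Presumably the wildcard rule is read-only and this Gatekeeper release emits Events itself; if so, say so above the rule, e.g. `# Gatekeeper emits Events (create/patch); the "*" rule below is read-only`, with the reason confirmed against the upstream manifest the MAINTENANCE.md procedure diffs against. The role's `kind` (Role vs ClusterRole) is also outside the hunk, so check which scope this write grant lands in.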
@@ -0,0 +1,20 @@ +# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. +# Use of this source code is governed by a BSD-style +# license that can be found in the LICENSE file. + +#Sample Mutation that adds an annotation +apiVersion: mutations.gatekeeper.sh/v1 +kind: AssignMetadata +metadata: + name: demo-annotation-owner +spec: + match: + scope: Namespaced + name: deployment-* + kinds: + - apiGroups: ["*"] + kinds: ["Deployment"] + location: "metadata.annotations.owner" + parameters: + assign: + value: "sighup" diff --git a/katalog/tests/gatekeeper.sh b/katalog/tests/gatekeeper.sh index ea5d783..ac94ade 100755 --- a/katalog/tests/gatekeeper.sh +++ b/katalog/tests/gatekeeper.sh @@ -106,6 +106,16 @@ set -o pipefail [[ "$status" -eq 0 ]] } +@test "Deploy Gatekeeper Mutator" { + info + deploy() { + kubectl apply -f katalog/tests/gatekeeper-manifests/mutation.yaml + } + loop_it deploy 30 10 + status=${loop_it_result} + [[ "$status" -eq 0 ]] +} + @test "Deploy Gatekeeper Policy Manager" { info deploy() { @@ -152,6 +162,28 @@ set -o pipefail [[ "$status" -eq 0 ]] } +@test "[CHECK] Check deployment has been mutated" { + info + deploy() { + kubectl get deployment -n default deployment-allowed -ojsonpath={.metadata.annotations.owner} + } + run deploy + echo "${output}" + [ "$status" -eq 0 ] + [ "$output" = "sighup" ] +} + +@test "[CHECK] Check deployment has NOT been mutated" { + info + deploy() { + kubectl get deployment -n kube-system deployment-allowed-ns -ojsonpath={.metadata.annotations.owner} + } + run deploy + echo "${output}" + [ "$status" -eq 0 ] + [ "$output" = "" ] +} + @test "[ALLOW] Create not existing Ingress" { info deploy() { @@ -247,6 +279,16 @@ set -o pipefail [[ "$status" -eq 0 ]] } +@test "Teardown - Delete Mutator" { + info + skip + mutator_teardown() { + kubectl delete -f katalog/tests/gatekeeper-manifests/mutation.yaml + } + run mutator_teardown + [[ "$status" -eq 0 ]] +} + @test "Teardown - Delete Gatekeeper Rules" { info skip 
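Review bot: `name: deployment-*` with `scope: Namespaced` and `apiGroups: ["*"]` matches every Deployment the mutating webhook admits in any namespace, yet the new bats check expects `deployment-allowed-ns` in `kube-system` — a name that also matches the glob — to stay un-annotated; the manifest does not say where that exemption is expected to come from (presumably a namespace exemption configured on the mutating webhook rather than this `match` block — confirm). Document the intent in the header, replacing `#Sample Mutation that adds an annotation` with `# Sample mutation for the e2e tests: annotates Deployments named deployment-*; the [CHECK] tests assume kube-system is exempt from the mutating webhook`. The space after `#` also satisfies yamllint's `comments` rule.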
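Review bot: `loop_it deploy 30 10` in "Deploy Gatekeeper Mutator" only retries `kubectl apply` of the AssignMetadata; it does not wait for the mutator to be enforced, and mutation happens at admission time only, so if the Deployment created by the later [ALLOW] tests (outside this hunk) is admitted before the mutator is enforced, "[CHECK] Check deployment has been mutated" in the `@@ -152,6 +162,28 @@` hunk fails intermittently. After the apply, poll the mutator status before moving on, e.g. `kubectl get assignmetadata demo-annotation-owner -o jsonpath='{.status.byPod[*].enforced}'` until it reports `true` for every pod; `byPod[].enforced` is what the AssignImage CRD in this series exposes, so confirm AssignMetadata carries the same status field. The two [CHECK] tests should also state in a comment that they depend on the Deployments being created after the mutator is enforced.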
From c9bd2849b98750a453a61cc689dde755cfff56ba Mon Sep 17 00:00:00 2001 From: Ramiro Algozino Date: Tue, 16 May 2023 14:29:20 +0200 Subject: [PATCH 05/16] docs: update readme with bumped versions --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 3438cd4..547d250 100644 --- a/README.md +++ b/README.md @@ -29,10 +29,10 @@ Fury Kubernetes OPA provides the following packages: | Package | Version | Description | | ------------------------------------------------------ | --------- | ----------------------------------------------------------------- | -| [Gatekeeper Core](katalog/gatekeeper/core) | `v3.11.0` | Gatekeeper deployment, ready to enforce rules. | +| [Gatekeeper Core](katalog/gatekeeper/core) | `v3.12.0` | Gatekeeper deployment, ready to enforce rules. | | [Gatekeeper Rules](katalog/gatekeeper/rules) | `N.A.` | A set of custom rules to get started with policy enforcement. | | [Gatekeeper Monitoring](katalog/gatekeeper/monitoring) | `N.A.` | Metrics, alerts and dashboard for monitoring Gatekeeper. | -| [Gatekeeper Policy Manager](katalog/gatekeeper/gpm) | `v1.0.3` | Gatekeeper Policy Manager, a simple to use web-ui for Gatekeeper. | +| [Gatekeeper Policy Manager](katalog/gatekeeper/gpm) | `v1.0.4` | Gatekeeper Policy Manager, a simple to use web-ui for Gatekeeper. | Click on each package name to see its full documentation. @@ -40,10 +40,10 @@ Click on each package name to see its full documentation. | Kubernetes Version | Compatibility | Notes | | ------------------ | :----------------: | ---------------- | -| `1.22.x` | :white_check_mark: | No known issues | | `1.23.x` | :white_check_mark: | No known issues. | | `1.24.x` | :white_check_mark: | No known issues. | | `1.25.x` | :white_check_mark: | No known issues. | +| `1.26.x` | :white_check_mark: | No known issues | Check the [compatibility matrix][compatibility-matrix] for additional information on previous releases of the module. 
@@ -54,7 +54,7 @@ Check the [compatibility matrix][compatibility-matrix] for additional informatio | Tool | Version | Description | | --------------------------------------- | ---------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [furyctl][furyctl-repo] | `>=0.6.0` | The recommended tool to download and manage KFD modules and their packages. To learn more about `furyctl` read the [official documentation][furyctl-repo]. | -| [kustomize][kustomize-repo] | `>=3.5.0` | Packages are customized using `kustomize`. To learn how to create your customization layer with `kustomize`, please refer to the [repository][kustomize-repo]. | +| [kustomize][kustomize-repo] | `>=3.5.3` | Packages are customized using `kustomize`. To learn how to create your customization layer with `kustomize`, please refer to the [repository][kustomize-repo]. | | [KFD Monitoring Module][kfd-monitoring] | `>v1.10.0` | Expose metrics to Prometheus *(optional)* and use Grafana Dashboards. | > You can comment out the service monitor in the [kustomization.yaml][core-kustomization] file if you don't want to install the monitoring module. From fe029cf99300f680badef7c5b65316e27b47c2e5 Mon Sep 17 00:00:00 2001 From: Ramiro Algozino Date: Tue, 16 May 2023 14:34:01 +0200 Subject: [PATCH 06/16] chore(ci): fix bash linting issues --- katalog/tests/gatekeeper.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/katalog/tests/gatekeeper.sh b/katalog/tests/gatekeeper.sh index ac94ade..09f8123 100755 --- a/katalog/tests/gatekeeper.sh +++ b/katalog/tests/gatekeeper.sh 
@@ -165,7 +165,7 @@ set -o pipefail @test "[CHECK] Check deployment has been mutated" { info deploy() { - kubectl get deployment -n default deployment-allowed -ojsonpath={.metadata.annotations.owner} + kubectl get deployment -n default deployment-allowed -ojsonpath="{.metadata.annotations.owner}" } run deploy echo "${output}" @@ -176,7 +176,7 @@ set -o pipefail @test "[CHECK] Check deployment has NOT been mutated" { info deploy() { - kubectl get deployment -n kube-system deployment-allowed-ns -ojsonpath={.metadata.annotations.owner} + kubectl get deployment -n kube-system deployment-allowed-ns -ojsonpath="{.metadata.annotations.owner}" } run deploy echo "${output}" From 7c9ae55872c6925bf6d9685ccc836b5f2e0bf5dd Mon Sep 17 00:00:00 2001 From: Ramiro Algozino Date: Tue, 16 May 2023 18:38:48 +0200 Subject: [PATCH 07/16] chore(ci): fix cluster version 1.26 in e2e --- .drone.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.drone.yml b/.drone.yml index 75a0a25..2f494db 100644 --- a/.drone.yml +++ b/.drone.yml @@ -397,7 +397,7 @@ steps: action: custom-cluster-126 pipeline_id: cluster-126 local_kind_config_path: katalog/tests/kind/config.yml - cluster_version: "1.26.3" + cluster_version: "1.26.0" instance_path: /shared aws_default_region: from_secret: aws_region From 97d36e8ed0e3586ef4d5b4cb7565c66f5a3269f4 Mon Sep 17 00:00:00 2001 From: Ramiro Algozino Date: Wed, 17 May 2023 10:44:19 +0200 Subject: [PATCH 08/16] chore(ci): revert cluster version change --- .drone.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.drone.yml b/.drone.yml index 2f494db..75a0a25 100644 --- a/.drone.yml +++ b/.drone.yml @@ -397,7 +397,7 @@ steps: action: custom-cluster-126 pipeline_id: cluster-126 local_kind_config_path: katalog/tests/kind/config.yml - cluster_version: "1.26.0" + cluster_version: "1.26.3" instance_path: /shared aws_default_region: from_secret: aws_region From 3939cf16a35d9119b195e283cd2dcd257a73d22c Mon Sep 17 00:00:00 2001 
From: Ramiro Algozino Date: Wed, 17 May 2023 17:41:40 +0200 Subject: [PATCH 09/16] chore(ci): test with previous e2e-plugin version --- .drone.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.drone.yml b/.drone.yml index 75a0a25..4e7de76 100644 --- a/.drone.yml +++ b/.drone.yml @@ -419,7 +419,7 @@ steps: from_secret: dockerhub_password - name: e2e - image: quay.io/sighup/e2e-testing:1.1.0_0.11.0_3.1.1_1.9.4_1.26.3_3.5.3_4.33.3 + image: quay.io/sighup/e2e-testing:1.1.0_0.9.0_3.1.1_1.9.4_1.25.3_3.5.3_4.21.1 pull: always volumes: - name: shared From 89fc2e243606699473bbed4d5eb05b0dece1307a Mon Sep 17 00:00:00 2001 From: Ramiro Algozino Date: Thu, 18 May 2023 09:35:58 +0200 Subject: [PATCH 10/16] chore(ci): debugging --- .drone.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.drone.yml b/.drone.yml index 4e7de76..a57a5da 100644 --- a/.drone.yml +++ b/.drone.yml @@ -286,7 +286,7 @@ trigger: steps: - name: init - image: quay.io/sighup/e2e-testing-drone-plugin:v1.25.3 + image: quay.io/sighup/e2e-testing-drone-plugin:v1.26.3 pull: always volumes: - name: shared @@ -296,7 +296,7 @@ steps: action: custom-cluster-125 pipeline_id: cluster-125 local_kind_config_path: katalog/tests/kind/config.yml - cluster_version: "1.25.3" + cluster_version: "1.25.8" instance_path: /shared aws_default_region: from_secret: aws_region @@ -330,7 +330,7 @@ steps: - bats -t katalog/tests/gatekeeper.sh - name: destroy - image: quay.io/sighup/e2e-testing-drone-plugin:v1.25.3 + image: quay.io/sighup/e2e-testing-drone-plugin:v1.26.3 pull: always depends_on: [e2e] settings: @@ -394,7 +394,7 @@ steps: path: /shared depends_on: [clone] settings: - action: custom-cluster-126 + action: cluster-126 pipeline_id: cluster-126 local_kind_config_path: katalog/tests/kind/config.yml cluster_version: "1.26.3" 
@@ -419,7 +419,7 @@ steps: from_secret: dockerhub_password - name: e2e - image: quay.io/sighup/e2e-testing:1.1.0_0.9.0_3.1.1_1.9.4_1.25.3_3.5.3_4.21.1 + image: quay.io/sighup/e2e-testing:1.1.0_0.11.0_3.1.1_1.9.4_1.26.3_3.5.3_4.33.3 pull: always volumes: - name: shared From 683f469855c8df188811d419182bd956d3759416 Mon Sep 17 00:00:00 2001 From: Ramiro Algozino Date: Thu, 18 May 2023 10:02:26 +0200 Subject: [PATCH 11/16] chore(ci): debug 1.26 e2e --- .drone.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.drone.yml b/.drone.yml index a57a5da..79257de 100644 --- a/.drone.yml +++ b/.drone.yml @@ -286,7 +286,7 @@ trigger: steps: - name: init - image: quay.io/sighup/e2e-testing-drone-plugin:v1.26.3 + image: quay.io/sighup/e2e-testing-drone-plugin:v1.25.3 pull: always volumes: - name: shared @@ -296,7 +296,7 @@ steps: action: custom-cluster-125 pipeline_id: cluster-125 local_kind_config_path: katalog/tests/kind/config.yml - cluster_version: "1.25.8" + cluster_version: "1.25.3" instance_path: /shared aws_default_region: from_secret: aws_region @@ -330,7 +330,7 @@ steps: - bats -t katalog/tests/gatekeeper.sh - name: destroy - image: quay.io/sighup/e2e-testing-drone-plugin:v1.26.3 + image: quay.io/sighup/e2e-testing-drone-plugin:v1.25.3 pull: always depends_on: [e2e] settings: @@ -387,14 +387,14 @@ trigger: steps: - name: init - image: quay.io/sighup/e2e-testing-drone-plugin:v1.26.3 + image: quay.io/sighup/e2e-testing-drone-plugin:v1.26.3-debug pull: always volumes: - name: shared path: /shared depends_on: [clone] settings: - action: cluster-126 + action: custom-cluster-126 pipeline_id: cluster-126 local_kind_config_path: katalog/tests/kind/config.yml cluster_version: "1.26.3" @@ -430,7 +430,7 @@ steps: - bats -t katalog/tests/gatekeeper.sh - name: destroy - image: quay.io/sighup/e2e-testing-drone-plugin:v1.26.3 + image: quay.io/sighup/e2e-testing-drone-plugin:v1.26.3-debug pull: always depends_on: [e2e] settings: 
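Review bot: The `init` and `destroy` steps of the 1.26 pipeline are switched to a mutable `-debug` tag of the e2e plugin with `pull: always`, and those steps receive every cloud and registry credential the pipeline has (`aws_access_key_id`, `aws_secret_access_key`, `vsphere_password`, `dockerhub_password`, all via `from_secret` in the surrounding settings blocks). Whatever is pushed to that tag therefore runs with full infrastructure access on every trigger while the commit is on the branch, so it should only ever point at an image built from the same reviewed source as the release tags, and it should not outlive the debugging session; patch 13 in this series does revert it, but the window on `develop` (now in the triggers) still exists between the two. If debug images are needed regularly, pinning them by digest rather than a floating tag removes the ambiguity about what actually ran.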
From 22451d77d5cf0dea9309909154e3a635261dc9d3 Mon Sep 17 00:00:00 2001 From: Ramiro Algozino Date: Thu, 18 May 2023 10:51:12 +0200 Subject: [PATCH 12/16] chore(ci): temporary disable working versions for debug --- .drone.yml | 610 ++++++++++++++++++++++++++--------------------------- 1 file changed, 305 insertions(+), 305 deletions(-) diff --git a/.drone.yml b/.drone.yml index 79257de..e6133e9 100644 --- a/.drone.yml +++ b/.drone.yml 
@@ -61,308 +61,308 @@ steps: - /pluto detect gatekeeper.yml --target-versions=k8s=v1.25.0 --ignore-deprecations --- -name: e2e-kubernetes-1.23 -kind: pipeline -type: docker - -depends_on: - - policeman - -node: - runner: internal - -platform: - os: linux - arch: amd64 - -trigger: - ref: - include: - - refs/heads/master - - refs/heads/main - - refs/heads/develop - - refs/tags/** - -steps: - - name: init - image: quay.io/sighup/e2e-testing-drone-plugin:v1.24.0 - pull: always - volumes: - - name: shared - path: /shared - depends_on: [clone] - settings: - action: custom-cluster-123 - pipeline_id: cluster-123 - local_kind_config_path: katalog/tests/kind/config.yml - cluster_version: "1.23.0" - instance_path: /shared - aws_default_region: - from_secret: aws_region - aws_access_key_id: - from_secret: aws_access_key_id - aws_secret_access_key: - from_secret: aws_secret_access_key - terraform_tf_states_bucket_name: - from_secret: terraform_tf_states_bucket_name - vsphere_server: - from_secret: vsphere_server - vsphere_password: - from_secret: vsphere_password - vsphere_user: - from_secret: vsphere_user - dockerhub_username: - from_secret: dockerhub_username - dockerhub_password: - from_secret: dockerhub_password - - - name: e2e - image: quay.io/sighup/e2e-testing:1.1.0_0.2.2_2.16.1_1.9.4_1.23.0_3.8.7_2.4.1 - pull: always - volumes: - - name: shared - path: /shared - depends_on: [init] - commands: - - export KUBECONFIG=/shared/kube/kubeconfig-123 - - bats -t katalog/tests/gatekeeper.sh - - - name: destroy - image: quay.io/sighup/e2e-testing-drone-plugin:v1.24.0 - pull: always - depends_on: [e2e] - settings: - action: destroy - pipeline_id: cluster-123 - aws_default_region: - from_secret: aws_region - aws_access_key_id: - from_secret: aws_access_key_id - aws_secret_access_key: - from_secret: aws_secret_access_key - terraform_tf_states_bucket_name: - from_secret: terraform_tf_states_bucket_name - vsphere_server: - from_secret: vsphere_server - vsphere_password: - from_secret: 
vsphere_password - vsphere_user: - from_secret: vsphere_user - dockerhub_username: - from_secret: dockerhub_username - dockerhub_password: - from_secret: dockerhub_password - when: - status: - - success - - failure - -volumes: - - name: shared - temp: {} - ---- -name: e2e-kubernetes-1.24 -kind: pipeline -type: docker - -depends_on: - - policeman - -node: - runner: internal - -platform: - os: linux - arch: amd64 - -trigger: - ref: - include: - - refs/heads/master - - refs/heads/main - - refs/heads/develop - - refs/tags/** - -steps: - - name: init - image: quay.io/sighup/e2e-testing-drone-plugin:v1.24.0 - pull: always - volumes: - - name: shared - path: /shared - depends_on: [clone] - settings: - action: custom-cluster-124 - pipeline_id: cluster-124 - local_kind_config_path: katalog/tests/kind/config.yml - cluster_version: "1.24.0" - instance_path: /shared - aws_default_region: - from_secret: aws_region - aws_access_key_id: - from_secret: aws_access_key_id - aws_secret_access_key: - from_secret: aws_secret_access_key - terraform_tf_states_bucket_name: - from_secret: terraform_tf_states_bucket_name - vsphere_server: - from_secret: vsphere_server - vsphere_password: - from_secret: vsphere_password - vsphere_user: - from_secret: vsphere_user - dockerhub_username: - from_secret: dockerhub_username - dockerhub_password: - from_secret: dockerhub_password - - - name: e2e - image: quay.io/sighup/e2e-testing:1.1.0_0.7.0_3.1.1_1.9.4_1.24.1_3.8.7_4.21.1 - pull: always - volumes: - - name: shared - path: /shared - depends_on: [init] - commands: - - export KUBECONFIG=/shared/kube/kubeconfig-124 - - bats -t katalog/tests/gatekeeper.sh - - - name: destroy - image: quay.io/sighup/e2e-testing-drone-plugin:v1.24.0 - pull: always - depends_on: [e2e] - settings: - action: destroy - pipeline_id: cluster-124 - aws_default_region: - from_secret: aws_region - aws_access_key_id: - from_secret: aws_access_key_id - aws_secret_access_key: - from_secret: aws_secret_access_key - 
terraform_tf_states_bucket_name: - from_secret: terraform_tf_states_bucket_name - vsphere_server: - from_secret: vsphere_server - vsphere_password: - from_secret: vsphere_password - vsphere_user: - from_secret: vsphere_user - dockerhub_username: - from_secret: dockerhub_username - dockerhub_password: - from_secret: dockerhub_password - when: - status: - - success - - failure - -volumes: - - name: shared - temp: {} ---- -name: e2e-kubernetes-1.25 -kind: pipeline -type: docker - -depends_on: - - policeman - -node: - runner: internal - -platform: - os: linux - arch: amd64 - -trigger: - ref: - include: - - refs/heads/master - - refs/heads/main - - refs/heads/develop - - refs/tags/** - -steps: - - name: init - image: quay.io/sighup/e2e-testing-drone-plugin:v1.25.3 - pull: always - volumes: - - name: shared - path: /shared - depends_on: [clone] - settings: - action: custom-cluster-125 - pipeline_id: cluster-125 - local_kind_config_path: katalog/tests/kind/config.yml - cluster_version: "1.25.3" - instance_path: /shared - aws_default_region: - from_secret: aws_region - aws_access_key_id: - from_secret: aws_access_key_id - aws_secret_access_key: - from_secret: aws_secret_access_key - terraform_tf_states_bucket_name: - from_secret: terraform_tf_states_bucket_name - vsphere_server: - from_secret: vsphere_server - vsphere_password: - from_secret: vsphere_password - vsphere_user: - from_secret: vsphere_user - dockerhub_username: - from_secret: dockerhub_username - dockerhub_password: - from_secret: dockerhub_password - - - name: e2e - # KUBECTL 1.25.3 - KUSTOMIZE 3.5.3 - HELM 3.1.1 - YQ 4.21.1 - ISTIOCTL 1.9.4 - FURYCTL 0.9.0 - BATS 1.1.0 - image: quay.io/sighup/e2e-testing:1.1.0_0.9.0_3.1.1_1.9.4_1.25.3_3.5.3_4.21.1 - pull: always - volumes: - - name: shared - path: /shared - depends_on: [init] - commands: - - export KUBECONFIG=/shared/kube/kubeconfig-125 - - bats -t katalog/tests/gatekeeper.sh - - - name: destroy - image: quay.io/sighup/e2e-testing-drone-plugin:v1.25.3 - 
pull: always - depends_on: [e2e] - settings: - action: destroy - pipeline_id: cluster-125 - aws_default_region: - from_secret: aws_region - aws_access_key_id: - from_secret: aws_access_key_id - aws_secret_access_key: - from_secret: aws_secret_access_key - terraform_tf_states_bucket_name: - from_secret: terraform_tf_states_bucket_name - vsphere_server: - from_secret: vsphere_server - vsphere_password: - from_secret: vsphere_password - vsphere_user: - from_secret: vsphere_user - dockerhub_username: - from_secret: dockerhub_username - dockerhub_password: - from_secret: dockerhub_password - when: - status: - - success - - failure - -volumes: - - name: shared - temp: {} ---- +# name: e2e-kubernetes-1.23 +# kind: pipeline +# type: docker + +# depends_on: +# - policeman + +# node: +# runner: internal + +# platform: +# os: linux +# arch: amd64 + +# trigger: +# ref: +# include: +# - refs/heads/master +# - refs/heads/main +# - refs/heads/develop +# - refs/tags/** + +# steps: +# - name: init +# image: quay.io/sighup/e2e-testing-drone-plugin:v1.24.0 +# pull: always +# volumes: +# - name: shared +# path: /shared +# depends_on: [clone] +# settings: +# action: custom-cluster-123 +# pipeline_id: cluster-123 +# local_kind_config_path: katalog/tests/kind/config.yml +# cluster_version: "1.23.0" +# instance_path: /shared +# aws_default_region: +# from_secret: aws_region +# aws_access_key_id: +# from_secret: aws_access_key_id +# aws_secret_access_key: +# from_secret: aws_secret_access_key +# terraform_tf_states_bucket_name: +# from_secret: terraform_tf_states_bucket_name +# vsphere_server: +# from_secret: vsphere_server +# vsphere_password: +# from_secret: vsphere_password +# vsphere_user: +# from_secret: vsphere_user +# dockerhub_username: +# from_secret: dockerhub_username +# dockerhub_password: +# from_secret: dockerhub_password + +# - name: e2e +# image: quay.io/sighup/e2e-testing:1.1.0_0.2.2_2.16.1_1.9.4_1.23.0_3.8.7_2.4.1 +# pull: always +# volumes: +# - name: shared +# path: 
/shared +# depends_on: [init] +# commands: +# - export KUBECONFIG=/shared/kube/kubeconfig-123 +# - bats -t katalog/tests/gatekeeper.sh + +# - name: destroy +# image: quay.io/sighup/e2e-testing-drone-plugin:v1.24.0 +# pull: always +# depends_on: [e2e] +# settings: +# action: destroy +# pipeline_id: cluster-123 +# aws_default_region: +# from_secret: aws_region +# aws_access_key_id: +# from_secret: aws_access_key_id +# aws_secret_access_key: +# from_secret: aws_secret_access_key +# terraform_tf_states_bucket_name: +# from_secret: terraform_tf_states_bucket_name +# vsphere_server: +# from_secret: vsphere_server +# vsphere_password: +# from_secret: vsphere_password +# vsphere_user: +# from_secret: vsphere_user +# dockerhub_username: +# from_secret: dockerhub_username +# dockerhub_password: +# from_secret: dockerhub_password +# when: +# status: +# - success +# - failure + +# volumes: +# - name: shared +# temp: {} + +# --- +# name: e2e-kubernetes-1.24 +# kind: pipeline +# type: docker + +# depends_on: +# - policeman + +# node: +# runner: internal + +# platform: +# os: linux +# arch: amd64 + +# trigger: +# ref: +# include: +# - refs/heads/master +# - refs/heads/main +# - refs/heads/develop +# - refs/tags/** + +# steps: +# - name: init +# image: quay.io/sighup/e2e-testing-drone-plugin:v1.24.0 +# pull: always +# volumes: +# - name: shared +# path: /shared +# depends_on: [clone] +# settings: +# action: custom-cluster-124 +# pipeline_id: cluster-124 +# local_kind_config_path: katalog/tests/kind/config.yml +# cluster_version: "1.24.0" +# instance_path: /shared +# aws_default_region: +# from_secret: aws_region +# aws_access_key_id: +# from_secret: aws_access_key_id +# aws_secret_access_key: +# from_secret: aws_secret_access_key +# terraform_tf_states_bucket_name: +# from_secret: terraform_tf_states_bucket_name +# vsphere_server: +# from_secret: vsphere_server +# vsphere_password: +# from_secret: vsphere_password +# vsphere_user: +# from_secret: vsphere_user +# 
dockerhub_username: +# from_secret: dockerhub_username +# dockerhub_password: +# from_secret: dockerhub_password + +# - name: e2e +# image: quay.io/sighup/e2e-testing:1.1.0_0.7.0_3.1.1_1.9.4_1.24.1_3.8.7_4.21.1 +# pull: always +# volumes: +# - name: shared +# path: /shared +# depends_on: [init] +# commands: +# - export KUBECONFIG=/shared/kube/kubeconfig-124 +# - bats -t katalog/tests/gatekeeper.sh + +# - name: destroy +# image: quay.io/sighup/e2e-testing-drone-plugin:v1.24.0 +# pull: always +# depends_on: [e2e] +# settings: +# action: destroy +# pipeline_id: cluster-124 +# aws_default_region: +# from_secret: aws_region +# aws_access_key_id: +# from_secret: aws_access_key_id +# aws_secret_access_key: +# from_secret: aws_secret_access_key +# terraform_tf_states_bucket_name: +# from_secret: terraform_tf_states_bucket_name +# vsphere_server: +# from_secret: vsphere_server +# vsphere_password: +# from_secret: vsphere_password +# vsphere_user: +# from_secret: vsphere_user +# dockerhub_username: +# from_secret: dockerhub_username +# dockerhub_password: +# from_secret: dockerhub_password +# when: +# status: +# - success +# - failure + +# volumes: +# - name: shared +# temp: {} +# --- +# name: e2e-kubernetes-1.25 +# kind: pipeline +# type: docker + +# depends_on: +# - policeman + +# node: +# runner: internal + +# platform: +# os: linux +# arch: amd64 + +# trigger: +# ref: +# include: +# - refs/heads/master +# - refs/heads/main +# - refs/heads/develop +# - refs/tags/** + +# steps: +# - name: init +# image: quay.io/sighup/e2e-testing-drone-plugin:v1.25.3 +# pull: always +# volumes: +# - name: shared +# path: /shared +# depends_on: [clone] +# settings: +# action: custom-cluster-125 +# pipeline_id: cluster-125 +# local_kind_config_path: katalog/tests/kind/config.yml +# cluster_version: "1.25.3" +# instance_path: /shared +# aws_default_region: +# from_secret: aws_region +# aws_access_key_id: +# from_secret: aws_access_key_id +# aws_secret_access_key: +# from_secret: 
aws_secret_access_key +# terraform_tf_states_bucket_name: +# from_secret: terraform_tf_states_bucket_name +# vsphere_server: +# from_secret: vsphere_server +# vsphere_password: +# from_secret: vsphere_password +# vsphere_user: +# from_secret: vsphere_user +# dockerhub_username: +# from_secret: dockerhub_username +# dockerhub_password: +# from_secret: dockerhub_password + +# - name: e2e +# # KUBECTL 1.25.3 - KUSTOMIZE 3.5.3 - HELM 3.1.1 - YQ 4.21.1 - ISTIOCTL 1.9.4 - FURYCTL 0.9.0 - BATS 1.1.0 +# image: quay.io/sighup/e2e-testing:1.1.0_0.9.0_3.1.1_1.9.4_1.25.3_3.5.3_4.21.1 +# pull: always +# volumes: +# - name: shared +# path: /shared +# depends_on: [init] +# commands: +# - export KUBECONFIG=/shared/kube/kubeconfig-125 +# - bats -t katalog/tests/gatekeeper.sh + +# - name: destroy +# image: quay.io/sighup/e2e-testing-drone-plugin:v1.25.3 +# pull: always +# depends_on: [e2e] +# settings: +# action: destroy +# pipeline_id: cluster-125 +# aws_default_region: +# from_secret: aws_region +# aws_access_key_id: +# from_secret: aws_access_key_id +# aws_secret_access_key: +# from_secret: aws_secret_access_key +# terraform_tf_states_bucket_name: +# from_secret: terraform_tf_states_bucket_name +# vsphere_server: +# from_secret: vsphere_server +# vsphere_password: +# from_secret: vsphere_password +# vsphere_user: +# from_secret: vsphere_user +# dockerhub_username: +# from_secret: dockerhub_username +# dockerhub_password: +# from_secret: dockerhub_password +# when: +# status: +# - success +# - failure + +# volumes: +# - name: shared +# temp: {} +# --- name: e2e-kubernetes-1.26 kind: pipeline type: docker @@ -469,9 +469,9 @@ kind: pipeline type: docker depends_on: - - e2e-kubernetes-1.23 - - e2e-kubernetes-1.24 - - e2e-kubernetes-1.25 + # - e2e-kubernetes-1.23 + # - e2e-kubernetes-1.24 + # - e2e-kubernetes-1.25 - e2e-kubernetes-1.26 platform: From e291aa45529d761b89e76b13e1fc0c3c6743c969 Mon Sep 17 00:00:00 2001 
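Review bot: Commenting out the three e2e pipelines leaves the `depends_on` of the pipeline at line 469 (second hunk) gated only on `e2e-kubernetes-1.26`, and since the pipelines' triggers include `refs/heads/develop`, that downstream pipeline runs on `develop` without the 1.23–1.25 gates for as long as this commit is on the branch. Patch 13 brings `.drone.yml` back to blob `75a0a25`, the same content patch 08 left (patch 09 starts from `75a0a25`), so patches 09–13 have no net effect on the file; squashing or dropping them before merge keeps the temporary state out of history and out of any future bisect. If a subset of pipelines has to be disabled again, a `trigger` condition on the pipeline is a much smaller and more obviously reversible change than commenting out 300 lines, and it does not risk the `# ---` separators and indentation drifting on restore (this commit removes 305 lines and patch 13 adds 307).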
From: Ramiro Algozino Date: Thu, 18 May 2023 12:14:22 +0200 Subject: [PATCH 13/16] chore(ci): restore all steps --- .drone.yml | 614 ++++++++++++++++++++++++++--------------------------- 1 file changed, 307 insertions(+), 307 deletions(-) diff --git a/.drone.yml b/.drone.yml index e6133e9..75a0a25 100644 --- a/.drone.yml +++ b/.drone.yml 
@@ -61,308 +61,308 @@ steps: - /pluto detect gatekeeper.yml --target-versions=k8s=v1.25.0 --ignore-deprecations --- -# name: e2e-kubernetes-1.23 -# kind: pipeline -# type: docker - -# depends_on: -# - policeman - -# node: -# runner: internal - -# platform: -# os: linux -# arch: amd64 - -# trigger: -# ref: -# include: -# - refs/heads/master -# - refs/heads/main -# - refs/heads/develop -# - refs/tags/** - -# steps: -# - name: init -# image: quay.io/sighup/e2e-testing-drone-plugin:v1.24.0 -# pull: always -# volumes: -# - name: shared -# path: /shared -# depends_on: [clone] -# settings: -# action: custom-cluster-123 -# pipeline_id: cluster-123 -# local_kind_config_path: katalog/tests/kind/config.yml -# cluster_version: "1.23.0" -# instance_path: /shared -# aws_default_region: -# from_secret: aws_region -# aws_access_key_id: -# from_secret: aws_access_key_id -# aws_secret_access_key: -# from_secret: aws_secret_access_key -# terraform_tf_states_bucket_name: -# from_secret: terraform_tf_states_bucket_name -# vsphere_server: -# from_secret: vsphere_server -# vsphere_password: -# from_secret: vsphere_password -# vsphere_user: -# from_secret: vsphere_user -# dockerhub_username: -# from_secret: dockerhub_username -# dockerhub_password: -# from_secret: dockerhub_password - -# - name: e2e -# image: quay.io/sighup/e2e-testing:1.1.0_0.2.2_2.16.1_1.9.4_1.23.0_3.8.7_2.4.1 -# pull: always -# volumes: -# - name: shared -# path: /shared -# depends_on: [init] -# commands: -# - export KUBECONFIG=/shared/kube/kubeconfig-123 -# - bats -t katalog/tests/gatekeeper.sh - -# - name: destroy -# image: quay.io/sighup/e2e-testing-drone-plugin:v1.24.0 -# pull: always -# depends_on: [e2e] -# settings: -# action: destroy -# pipeline_id: cluster-123 -# aws_default_region: -# from_secret: aws_region -# aws_access_key_id: -# from_secret: aws_access_key_id -# aws_secret_access_key: -# from_secret: aws_secret_access_key -# terraform_tf_states_bucket_name: -# from_secret: terraform_tf_states_bucket_name 
-# vsphere_server: -# from_secret: vsphere_server -# vsphere_password: -# from_secret: vsphere_password -# vsphere_user: -# from_secret: vsphere_user -# dockerhub_username: -# from_secret: dockerhub_username -# dockerhub_password: -# from_secret: dockerhub_password -# when: -# status: -# - success -# - failure - -# volumes: -# - name: shared -# temp: {} - -# --- -# name: e2e-kubernetes-1.24 -# kind: pipeline -# type: docker - -# depends_on: -# - policeman - -# node: -# runner: internal - -# platform: -# os: linux -# arch: amd64 - -# trigger: -# ref: -# include: -# - refs/heads/master -# - refs/heads/main -# - refs/heads/develop -# - refs/tags/** - -# steps: -# - name: init -# image: quay.io/sighup/e2e-testing-drone-plugin:v1.24.0 -# pull: always -# volumes: -# - name: shared -# path: /shared -# depends_on: [clone] -# settings: -# action: custom-cluster-124 -# pipeline_id: cluster-124 -# local_kind_config_path: katalog/tests/kind/config.yml -# cluster_version: "1.24.0" -# instance_path: /shared -# aws_default_region: -# from_secret: aws_region -# aws_access_key_id: -# from_secret: aws_access_key_id -# aws_secret_access_key: -# from_secret: aws_secret_access_key -# terraform_tf_states_bucket_name: -# from_secret: terraform_tf_states_bucket_name -# vsphere_server: -# from_secret: vsphere_server -# vsphere_password: -# from_secret: vsphere_password -# vsphere_user: -# from_secret: vsphere_user -# dockerhub_username: -# from_secret: dockerhub_username -# dockerhub_password: -# from_secret: dockerhub_password - -# - name: e2e -# image: quay.io/sighup/e2e-testing:1.1.0_0.7.0_3.1.1_1.9.4_1.24.1_3.8.7_4.21.1 -# pull: always -# volumes: -# - name: shared -# path: /shared -# depends_on: [init] -# commands: -# - export KUBECONFIG=/shared/kube/kubeconfig-124 -# - bats -t katalog/tests/gatekeeper.sh - -# - name: destroy -# image: quay.io/sighup/e2e-testing-drone-plugin:v1.24.0 -# pull: always -# depends_on: [e2e] -# settings: -# action: destroy -# pipeline_id: cluster-124 -# 
aws_default_region: -# from_secret: aws_region -# aws_access_key_id: -# from_secret: aws_access_key_id -# aws_secret_access_key: -# from_secret: aws_secret_access_key -# terraform_tf_states_bucket_name: -# from_secret: terraform_tf_states_bucket_name -# vsphere_server: -# from_secret: vsphere_server -# vsphere_password: -# from_secret: vsphere_password -# vsphere_user: -# from_secret: vsphere_user -# dockerhub_username: -# from_secret: dockerhub_username -# dockerhub_password: -# from_secret: dockerhub_password -# when: -# status: -# - success -# - failure - -# volumes: -# - name: shared -# temp: {} -# --- -# name: e2e-kubernetes-1.25 -# kind: pipeline -# type: docker - -# depends_on: -# - policeman - -# node: -# runner: internal - -# platform: -# os: linux -# arch: amd64 - -# trigger: -# ref: -# include: -# - refs/heads/master -# - refs/heads/main -# - refs/heads/develop -# - refs/tags/** - -# steps: -# - name: init -# image: quay.io/sighup/e2e-testing-drone-plugin:v1.25.3 -# pull: always -# volumes: -# - name: shared -# path: /shared -# depends_on: [clone] -# settings: -# action: custom-cluster-125 -# pipeline_id: cluster-125 -# local_kind_config_path: katalog/tests/kind/config.yml -# cluster_version: "1.25.3" -# instance_path: /shared -# aws_default_region: -# from_secret: aws_region -# aws_access_key_id: -# from_secret: aws_access_key_id -# aws_secret_access_key: -# from_secret: aws_secret_access_key -# terraform_tf_states_bucket_name: -# from_secret: terraform_tf_states_bucket_name -# vsphere_server: -# from_secret: vsphere_server -# vsphere_password: -# from_secret: vsphere_password -# vsphere_user: -# from_secret: vsphere_user -# dockerhub_username: -# from_secret: dockerhub_username -# dockerhub_password: -# from_secret: dockerhub_password - -# - name: e2e -# # KUBECTL 1.25.3 - KUSTOMIZE 3.5.3 - HELM 3.1.1 - YQ 4.21.1 - ISTIOCTL 1.9.4 - FURYCTL 0.9.0 - BATS 1.1.0 -# image: quay.io/sighup/e2e-testing:1.1.0_0.9.0_3.1.1_1.9.4_1.25.3_3.5.3_4.21.1 -# pull: 
always -# volumes: -# - name: shared -# path: /shared -# depends_on: [init] -# commands: -# - export KUBECONFIG=/shared/kube/kubeconfig-125 -# - bats -t katalog/tests/gatekeeper.sh - -# - name: destroy -# image: quay.io/sighup/e2e-testing-drone-plugin:v1.25.3 -# pull: always -# depends_on: [e2e] -# settings: -# action: destroy -# pipeline_id: cluster-125 -# aws_default_region: -# from_secret: aws_region -# aws_access_key_id: -# from_secret: aws_access_key_id -# aws_secret_access_key: -# from_secret: aws_secret_access_key -# terraform_tf_states_bucket_name: -# from_secret: terraform_tf_states_bucket_name -# vsphere_server: -# from_secret: vsphere_server -# vsphere_password: -# from_secret: vsphere_password -# vsphere_user: -# from_secret: vsphere_user -# dockerhub_username: -# from_secret: dockerhub_username -# dockerhub_password: -# from_secret: dockerhub_password -# when: -# status: -# - success -# - failure - -# volumes: -# - name: shared -# temp: {} -# --- +name: e2e-kubernetes-1.23 +kind: pipeline +type: docker + +depends_on: + - policeman + +node: + runner: internal + +platform: + os: linux + arch: amd64 + +trigger: + ref: + include: + - refs/heads/master + - refs/heads/main + - refs/heads/develop + - refs/tags/** + +steps: + - name: init + image: quay.io/sighup/e2e-testing-drone-plugin:v1.24.0 + pull: always + volumes: + - name: shared + path: /shared + depends_on: [clone] + settings: + action: custom-cluster-123 + pipeline_id: cluster-123 + local_kind_config_path: katalog/tests/kind/config.yml + cluster_version: "1.23.0" + instance_path: /shared + aws_default_region: + from_secret: aws_region + aws_access_key_id: + from_secret: aws_access_key_id + aws_secret_access_key: + from_secret: aws_secret_access_key + terraform_tf_states_bucket_name: + from_secret: terraform_tf_states_bucket_name + vsphere_server: + from_secret: vsphere_server + vsphere_password: + from_secret: vsphere_password + vsphere_user: + from_secret: vsphere_user + dockerhub_username: + 
from_secret: dockerhub_username + dockerhub_password: + from_secret: dockerhub_password + + - name: e2e + image: quay.io/sighup/e2e-testing:1.1.0_0.2.2_2.16.1_1.9.4_1.23.0_3.8.7_2.4.1 + pull: always + volumes: + - name: shared + path: /shared + depends_on: [init] + commands: + - export KUBECONFIG=/shared/kube/kubeconfig-123 + - bats -t katalog/tests/gatekeeper.sh + + - name: destroy + image: quay.io/sighup/e2e-testing-drone-plugin:v1.24.0 + pull: always + depends_on: [e2e] + settings: + action: destroy + pipeline_id: cluster-123 + aws_default_region: + from_secret: aws_region + aws_access_key_id: + from_secret: aws_access_key_id + aws_secret_access_key: + from_secret: aws_secret_access_key + terraform_tf_states_bucket_name: + from_secret: terraform_tf_states_bucket_name + vsphere_server: + from_secret: vsphere_server + vsphere_password: + from_secret: vsphere_password + vsphere_user: + from_secret: vsphere_user + dockerhub_username: + from_secret: dockerhub_username + dockerhub_password: + from_secret: dockerhub_password + when: + status: + - success + - failure + +volumes: + - name: shared + temp: {} + +--- +name: e2e-kubernetes-1.24 +kind: pipeline +type: docker + +depends_on: + - policeman + +node: + runner: internal + +platform: + os: linux + arch: amd64 + +trigger: + ref: + include: + - refs/heads/master + - refs/heads/main + - refs/heads/develop + - refs/tags/** + +steps: + - name: init + image: quay.io/sighup/e2e-testing-drone-plugin:v1.24.0 + pull: always + volumes: + - name: shared + path: /shared + depends_on: [clone] + settings: + action: custom-cluster-124 + pipeline_id: cluster-124 + local_kind_config_path: katalog/tests/kind/config.yml + cluster_version: "1.24.0" + instance_path: /shared + aws_default_region: + from_secret: aws_region + aws_access_key_id: + from_secret: aws_access_key_id + aws_secret_access_key: + from_secret: aws_secret_access_key + terraform_tf_states_bucket_name: + from_secret: terraform_tf_states_bucket_name + vsphere_server: + 
from_secret: vsphere_server + vsphere_password: + from_secret: vsphere_password + vsphere_user: + from_secret: vsphere_user + dockerhub_username: + from_secret: dockerhub_username + dockerhub_password: + from_secret: dockerhub_password + + - name: e2e + image: quay.io/sighup/e2e-testing:1.1.0_0.7.0_3.1.1_1.9.4_1.24.1_3.8.7_4.21.1 + pull: always + volumes: + - name: shared + path: /shared + depends_on: [init] + commands: + - export KUBECONFIG=/shared/kube/kubeconfig-124 + - bats -t katalog/tests/gatekeeper.sh + + - name: destroy + image: quay.io/sighup/e2e-testing-drone-plugin:v1.24.0 + pull: always + depends_on: [e2e] + settings: + action: destroy + pipeline_id: cluster-124 + aws_default_region: + from_secret: aws_region + aws_access_key_id: + from_secret: aws_access_key_id + aws_secret_access_key: + from_secret: aws_secret_access_key + terraform_tf_states_bucket_name: + from_secret: terraform_tf_states_bucket_name + vsphere_server: + from_secret: vsphere_server + vsphere_password: + from_secret: vsphere_password + vsphere_user: + from_secret: vsphere_user + dockerhub_username: + from_secret: dockerhub_username + dockerhub_password: + from_secret: dockerhub_password + when: + status: + - success + - failure + +volumes: + - name: shared + temp: {} +--- +name: e2e-kubernetes-1.25 +kind: pipeline +type: docker + +depends_on: + - policeman + +node: + runner: internal + +platform: + os: linux + arch: amd64 + +trigger: + ref: + include: + - refs/heads/master + - refs/heads/main + - refs/heads/develop + - refs/tags/** + +steps: + - name: init + image: quay.io/sighup/e2e-testing-drone-plugin:v1.25.3 + pull: always + volumes: + - name: shared + path: /shared + depends_on: [clone] + settings: + action: custom-cluster-125 + pipeline_id: cluster-125 + local_kind_config_path: katalog/tests/kind/config.yml + cluster_version: "1.25.3" + instance_path: /shared + aws_default_region: + from_secret: aws_region + aws_access_key_id: + from_secret: aws_access_key_id + 
aws_secret_access_key: + from_secret: aws_secret_access_key + terraform_tf_states_bucket_name: + from_secret: terraform_tf_states_bucket_name + vsphere_server: + from_secret: vsphere_server + vsphere_password: + from_secret: vsphere_password + vsphere_user: + from_secret: vsphere_user + dockerhub_username: + from_secret: dockerhub_username + dockerhub_password: + from_secret: dockerhub_password + + - name: e2e + # KUBECTL 1.25.3 - KUSTOMIZE 3.5.3 - HELM 3.1.1 - YQ 4.21.1 - ISTIOCTL 1.9.4 - FURYCTL 0.9.0 - BATS 1.1.0 + image: quay.io/sighup/e2e-testing:1.1.0_0.9.0_3.1.1_1.9.4_1.25.3_3.5.3_4.21.1 + pull: always + volumes: + - name: shared + path: /shared + depends_on: [init] + commands: + - export KUBECONFIG=/shared/kube/kubeconfig-125 + - bats -t katalog/tests/gatekeeper.sh + + - name: destroy + image: quay.io/sighup/e2e-testing-drone-plugin:v1.25.3 + pull: always + depends_on: [e2e] + settings: + action: destroy + pipeline_id: cluster-125 + aws_default_region: + from_secret: aws_region + aws_access_key_id: + from_secret: aws_access_key_id + aws_secret_access_key: + from_secret: aws_secret_access_key + terraform_tf_states_bucket_name: + from_secret: terraform_tf_states_bucket_name + vsphere_server: + from_secret: vsphere_server + vsphere_password: + from_secret: vsphere_password + vsphere_user: + from_secret: vsphere_user + dockerhub_username: + from_secret: dockerhub_username + dockerhub_password: + from_secret: dockerhub_password + when: + status: + - success + - failure + +volumes: + - name: shared + temp: {} +--- name: e2e-kubernetes-1.26 kind: pipeline type: docker @@ -387,7 +387,7 @@ trigger: steps: - name: init - image: quay.io/sighup/e2e-testing-drone-plugin:v1.26.3-debug + image: quay.io/sighup/e2e-testing-drone-plugin:v1.26.3 pull: always volumes: - name: shared 
@@ -430,7 +430,7 @@ steps: - bats -t katalog/tests/gatekeeper.sh - name: destroy - image: quay.io/sighup/e2e-testing-drone-plugin:v1.26.3-debug + image: quay.io/sighup/e2e-testing-drone-plugin:v1.26.3 pull: always depends_on: [e2e] settings: @@ -469,9 +469,9 @@ kind: pipeline type: docker depends_on: - # - e2e-kubernetes-1.23 - # - e2e-kubernetes-1.24 - # - e2e-kubernetes-1.25 + - e2e-kubernetes-1.23 + - e2e-kubernetes-1.24 + - e2e-kubernetes-1.25 - e2e-kubernetes-1.26 platform: From f906472394ac9c2530510e8d67a322cc963f5646 Mon Sep 17 00:00:00 2001 From: Ramiro Algozino Date: Fri, 19 May 2023 11:56:01 +0200 Subject: [PATCH 14/16] chore(ci): bump pluto check to 1.26 --- .drone.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.drone.yml b/.drone.yml index 75a0a25..09e18a4 100644 --- a/.drone.yml +++ b/.drone.yml @@ -58,7 +58,7 @@ steps: - render commands: # we use --ignore-deprecations because we don't want the CI to fail when the API has not been removed yet. - - /pluto detect gatekeeper.yml --target-versions=k8s=v1.25.0 --ignore-deprecations + - /pluto detect gatekeeper.yml --target-versions=k8s=v1.26.0 --ignore-deprecations --- name: e2e-kubernetes-1.23 From 6cdadb126a6683898ac771f92b862c448496a0ba Mon Sep 17 00:00:00 2001 From: Samuele Chiocca Date: Mon, 28 Aug 2023 14:31:20 +0200 Subject: [PATCH 15/16] feat: prepare for 1.9.0-rc.0 --- .drone.yml | 6 ++--- README.md | 4 ++-- docs/COMPATIBILITY_MATRIX.md | 46 ++++++++++++++++++++---------------- docs/releases/v1.9.0.md | 26 ++++++++++++++++++++ 4 files changed, 57 insertions(+), 25 deletions(-) create mode 100644 docs/releases/v1.9.0.md diff --git a/.drone.yml b/.drone.yml index 09e18a4..9254fbe 100644 --- a/.drone.yml +++ b/.drone.yml @@ -387,7 +387,7 @@ trigger: steps: - name: init - image: quay.io/sighup/e2e-testing-drone-plugin:v1.26.3 + image: quay.io/sighup/e2e-testing-drone-plugin:v1.26.4 pull: always volumes: - name: shared 
@@ -397,7 +397,7 @@ steps: action: custom-cluster-126 pipeline_id: cluster-126 local_kind_config_path: katalog/tests/kind/config.yml - cluster_version: "1.26.3" + cluster_version: "1.26.4" instance_path: /shared aws_default_region: from_secret: aws_region @@ -430,7 +430,7 @@ steps: - bats -t katalog/tests/gatekeeper.sh - name: destroy - image: quay.io/sighup/e2e-testing-drone-plugin:v1.26.3 + image: quay.io/sighup/e2e-testing-drone-plugin:v1.26.4 pull: always depends_on: [e2e] settings: diff --git a/README.md b/README.md index 547d250..d8f655e 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,7 @@ -![Release](https://img.shields.io/badge/Latest%20Release-v1.8.0-blue) +![Release](https://img.shields.io/badge/Latest%20Release-v1.9.0-blue) ![License](https://img.shields.io/github/license/sighupio/fury-kubernetes-opa?label=License) ![Slack](https://img.shields.io/badge/slack-@kubernetes/fury-yellow.svg?logo=slack&label=Slack) @@ -66,7 +66,7 @@ Check the [compatibility matrix][compatibility-matrix] for additional informatio ```yaml bases: - name: opa/gatekeeper - version: "1.8.0" + version: "1.9.0" ``` > See `furyctl` [documentation][furyctl-repo] for additional details about `Furyfile.yml` format. diff --git a/docs/COMPATIBILITY_MATRIX.md b/docs/COMPATIBILITY_MATRIX.md index 6115794..224a4e2 100644 --- a/docs/COMPATIBILITY_MATRIX.md +++ b/docs/COMPATIBILITY_MATRIX.md 
@@ -1,26 +1,15 @@ # Compatibility Matrix -| Module Version / Kubernetes Version | 1.14.X | 1.15.X | 1.16.X | 1.17.X | 1.18.X | 1.19.X | 1.20.X | 1.21.X | 1.22.X | 1.23.X | 1.24.X | 1.25.X | -| ----------------------------------- | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | ------------------ | ------------------ | ------------------ | -| v1.0.0 | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | | | | | -| v1.0.1 | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | | | | | -| v1.0.2 | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | | | | | -| v1.1.0 | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | | | | | | | -| v1.2.0 | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | | | | | | | -| v1.2.1 | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :warning: | | | | | | | -| v1.3.0 | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :warning: | | | | | | -| v1.3.1 | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :warning: | | | | | | -| v1.4.0 | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :warning: | | | | | -| v1.5.0 | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :warning: | | | | -| v1.6.0 | | | | | | :x: | :x: | :x: | :x: | :x: | | | -| v1.6.1 | | | | | | :x: | :x: | :x: | :x: | :x: | | | -| v1.6.2 | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :warning: | | | -| v1.7.0 | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | -| v1.7.1 | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 
:white_check_mark: | -| v1.7.2 | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -| v1.7.3 | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -| v1.8.0 | | | | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +| Module Version / Kubernetes Version | 1.19.X | 1.20.X | 1.21.X | 1.22.X | 1.23.X | 1.24.X | 1.25.X | 1.26.X | +| ----------------------------------- | :----------------: | :----------------: | :----------------: | :----------------: | ------------------ | ------------------ | ------------------ | ------------------ | +| v1.6.2 | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :warning: | | | | +| v1.7.0 | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | +| v1.7.1 | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | +| v1.7.2 | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | +| v1.7.3 | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | +| v1.8.0 | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | +| v1.9.0 | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: Compatible 
@@ -36,3 +25,20 @@ - :warning: module version `v1.5.0` along with Kubernetes Version `1.22.x` works as expected,Marked as a warning because it is not officially supported. - :x: module version `v1.6.0` has a known bug breaking upgrades. Please do not use. - :x: module version `v1.6.1` has a known bug breaking upgrades. Please do not use. + +## Legacy versions + +| Module Version / Kubernetes Version | 1.14.X | 1.15.X | 1.16.X | 1.17.X | 1.18.X | 1.19.X | 1.20.X | 1.21.X | 1.22.X | 1.23.X | +| ----------------------------------- | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | :----------------: | :-------: | ------ | +| v1.0.0 | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | | | +| v1.0.1 | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | | | +| v1.0.2 | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | | | +| v1.1.0 | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | | | | | +| v1.2.0 | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | | | | | +| v1.2.1 | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :warning: | | | | | +| v1.3.0 | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :warning: | | | | +| v1.3.1 | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :warning: | | | | +| v1.4.0 | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :warning: | | | +| v1.5.0 | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :warning: | | +| v1.6.0 | | | | | | :x: | :x: | :x: | :x: | :x: | +| v1.6.1 | | | | | | :x: | :x: | :x: | :x: | :x: | \ No newline at end of file diff --git a/docs/releases/v1.9.0.md b/docs/releases/v1.9.0.md new file mode 100644 index 0000000..c720cce --- /dev/null +++ b/docs/releases/v1.9.0.md 
@@ -0,0 +1,26 @@ +# OPA Core Module Release 1.9.0 + +Welcome to the latest release of `OPA` module of [Kubernetes Fury Distribution](https://github.com/sighupio/fury-distribution) maintained by team SIGHUP. + +This is a minor release including the following changes: + +- Added support for Kubernetes 1.26 + +## Component Images 🚢 + +| Component | Supported Version | Previous Version | +| --------------------------- | ------------------------------------------------------------------------------------- | ---------------- | +| `gatekeeper` | [`v3.12.0`](https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.12.0) | `v3.11.0` | +| `gatekeeper-policy-manager` | [`v1.0.4`](https://github.com/sighupio/gatekeeper-policy-manager/releases/tag/v1.0.4) | `vv1.0.3` | + +> Please refer the individual release notes to get a detailed information on each release. + +## Update Guide 🦮 + +### Process + +To upgrade this core module from `v1.8.0` to `v1.9.0`, you need to download this new version, then apply the `kustomize` project. No further action is required. + +```bash +kustomize build katalog/gatekeeper | kubectl apply -f - +``` From 269dd443532444af4e3557f718074fe4d9f40a7d Mon Sep 17 00:00:00 2001 From: Samuele Chiocca Date: Mon, 18 Sep 2023 15:43:03 +0200 Subject: [PATCH 16/16] docs: finalize docs for 1.9.0 --- README.md | 4 ++-- docs/releases/v1.9.0.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index d8f655e..166989e 100644 --- a/README.md +++ b/README.md 
@@ -53,7 +53,7 @@ Check the [compatibility matrix][compatibility-matrix] for additional informatio | Tool | Version | Description | | --------------------------------------- | ---------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [furyctl][furyctl-repo] | `>=0.6.0` | The recommended tool to download and manage KFD modules and their packages. To learn more about `furyctl` read the [official documentation][furyctl-repo]. | +| [furyctl][furyctl-repo] | `>=0.25.0` | The recommended tool to download and manage KFD modules and their packages. To learn more about `furyctl` read the [official documentation][furyctl-repo]. | | [kustomize][kustomize-repo] | `>=3.5.3` | Packages are customized using `kustomize`. To learn how to create your customization layer with `kustomize`, please refer to the [repository][kustomize-repo]. | | [KFD Monitoring Module][kfd-monitoring] | `>v1.10.0` | Expose metrics to Prometheus *(optional)* and use Grafana Dashboards. | @@ -71,7 +71,7 @@ bases: > See `furyctl` [documentation][furyctl-repo] for additional details about `Furyfile.yml` format. -2. Execute `furyctl vendor -H` to download the packages +2. Execute `furyctl legacy vendor -H` to download the packages 3. Inspect the download packages under `./vendor/katalog/opa/gatekeeper`. diff --git a/docs/releases/v1.9.0.md b/docs/releases/v1.9.0.md index c720cce..ade162f 100644 --- a/docs/releases/v1.9.0.md +++ b/docs/releases/v1.9.0.md 
@@ -10,8 +10,8 @@ This is a minor release including the following changes: | Component | Supported Version | Previous Version | | --------------------------- | ------------------------------------------------------------------------------------- | ---------------- | -| `gatekeeper` | [`v3.12.0`](https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.12.0) | `v3.11.0` | -| `gatekeeper-policy-manager` | [`v1.0.4`](https://github.com/sighupio/gatekeeper-policy-manager/releases/tag/v1.0.4) | `vv1.0.3` | +| `gatekeeper` | [`v3.12.0`](https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.12.0) | `v3.11.0` | +| `gatekeeper-policy-manager` | [`v1.0.4`](https://github.com/sighupio/gatekeeper-policy-manager/releases/tag/v1.0.4) | `vv1.0.3` | > Please refer the individual release notes to get a detailed information on each release.