├── .gitignore
├── CONTRIBUTING.md
├── LICENSE
├── README.md
├── anthos-config-management
├── README.md
├── acm-crd-examples
│ └── config-management-root
│ │ └── namespaces
│ │ └── use-cases
│ │ ├── devtest-istio
│ │ ├── namespace.yaml
│ │ ├── testdriver-istio.yaml
│ │ └── testdriver-svc-gateway.yaml
│ │ ├── devtest
│ │ ├── namespace.yaml
│ │ └── testdriver-noistio.yaml
│ │ ├── uc-allowed-jwt-istio
│ │ ├── appconfig.yaml
│ │ ├── crd_roles_separation_of_duties.yaml
│ │ ├── default-deny-all.yaml
│ │ └── namespace.yaml
│ │ ├── uc-allowed-services-istio
│ │ ├── appconfig.yaml
│ │ ├── crd_roles_separation_of_duties.yaml
│ │ ├── default-deny-all.yaml
│ │ └── namespace.yaml
│ │ ├── uc-allowed-services-k8s
│ │ ├── appconfig.yaml
│ │ ├── crd_roles_separation_of_duties.yaml
│ │ ├── default-deny-all.yaml
│ │ └── namespace.yaml
│ │ ├── uc-firebase
│ │ ├── README.md
│ │ ├── appconfig.yaml
│ │ ├── namespace.yaml
│ │ └── public.yaml
│ │ ├── uc-ingress-k8s-https
│ │ ├── allow-all.yaml
│ │ ├── appconfig.yaml
│ │ └── namespace.yaml
│ │ ├── uc-ingress-k8s
│ │ ├── allow-all.yaml
│ │ ├── appconfig.yaml
│ │ └── namespace.yaml
│ │ ├── uc-opa
│ │ ├── README.md
│ │ └── namespace.yaml
│ │ ├── uc-secrets-istio
│ │ ├── appconfig.yaml
│ │ ├── crd_roles_separation_of_duties.yaml
│ │ ├── default-deny-all.yaml
│ │ └── namespace.yaml
│ │ ├── uc-secrets-k8s
│ │ ├── appconfig.yaml
│ │ ├── crd_roles_separation_of_duties.yaml
│ │ ├── default-deny-all.yaml
│ │ └── namespace.yaml
│ │ ├── uc-secrets-vault-k8s
│ │ ├── app-rbac.yaml
│ │ ├── appconfig.yaml
│ │ ├── crd_roles_separation_of_duties.yaml
│ │ ├── default-deny-all.yaml
│ │ ├── namespace.yaml
│ │ └── sa.yaml
│ │ └── uc-workload-identity
│ │ ├── appconfig.yaml
│ │ ├── default-deny-all.yaml
│ │ └── namespace.yaml
├── acm-crd
│ └── config-management-root
│ │ ├── cluster
│ │ ├── all-cluster.yaml
│ │ ├── controller-setup-helper-rbac.yaml
│ │ └── vault-setup.yaml
│ │ └── namespaces
│ │ └── appconfigmgrv2-system
│ │ ├── all-other.yaml
│ │ ├── controller-setup-helper.yaml
│ │ ├── crd_roles_separation_of_duties.yaml
│ │ ├── namespace.yaml
│ │ └── vault-setup.yaml
├── acm
│ ├── config-management-config-example.yaml
│ └── config-management-root
│ │ ├── clusterregistry
│ │ └── cluster-registry-cluster-info.yaml
│ │ └── system
│ │ ├── README.md
│ │ └── repo.yaml
├── config-management-config-example.yaml
└── gatekeeper-config
│ ├── config.yaml
│ ├── constraint-templates.yaml
│ └── constraints.yaml
├── appconfigmgrv2
├── .gitignore
├── Dockerfile
├── Makefile
├── PROJECT
├── README.md
├── api
│ ├── v1alpha1
│ │ ├── appenvconfigtemplatev2_types.go
│ │ ├── appenvconfigtemplatev2_types_test.go
│ │ ├── groupversion_info.go
│ │ ├── suite_test.go
│ │ └── zz_generated.deepcopy.go
│ └── webhooks
│ │ ├── builtins
│ │ ├── common.go
│ │ └── pod_webhook.go
│ │ └── webhook.go
├── config
│ ├── certmanager
│ │ ├── certificate.yaml
│ │ ├── kustomization.yaml
│ │ └── kustomizeconfig.yaml
│ ├── crd
│ │ ├── appconfigmgr.cft.dev_appenvconfigtemplatev2s.yaml
│ │ ├── bases
│ │ │ └── appconfigmgr.cft.dev_appenvconfigtemplatev2s.yaml
│ │ ├── kustomization.yaml
│ │ ├── kustomizeconfig.yaml
│ │ └── patches
│ │ │ ├── cainjection_in_appenvconfigtemplatev2s.yaml
│ │ │ └── webhook_in_appenvconfigtemplatev2s.yaml
│ ├── default
│ │ ├── kustomization.yaml
│ │ ├── manager_auth_proxy_patch.yaml
│ │ ├── manager_image_patch.yaml
│ │ ├── manager_image_patch.yaml-e
│ │ ├── manager_prometheus_metrics_patch.yaml
│ │ ├── manager_webhook_patch.yaml
│ │ ├── webhookcainjection_patch.yaml
│ │ └── webhookinfo_patch.yaml
│ ├── manager
│ │ ├── kustomization.yaml
│ │ └── manager.yaml
│ ├── opa
│ │ ├── constraint-templates.yaml
│ │ └── constraints.yaml
│ ├── rbac
│ │ ├── auth_proxy_role.yaml
│ │ ├── auth_proxy_role_binding.yaml
│ │ ├── auth_proxy_service.yaml
│ │ ├── kustomization.yaml
│ │ ├── leader_election_role.yaml
│ │ ├── leader_election_role_binding.yaml
│ │ ├── role.yaml
│ │ └── role_binding.yaml
│ ├── samples
│ │ ├── appconfigmgr_v1alpha1_appenvconfigtemplate-test-v2.yaml
│ │ └── appconfigmgr_v1alpha1_appenvconfigtemplatev2.yaml
│ └── webhook
│ │ ├── kustomization.yaml
│ │ ├── kustomizeconfig.yaml
│ │ ├── manifests.yaml
│ │ └── service.yaml
├── controllers
│ ├── appenvconfigtemplatev2_controller.go
│ ├── config.go
│ ├── ingress.go
│ ├── ingress_test.go
│ ├── istio.go
│ ├── istio_handlers.go
│ ├── istio_handlers_test.go
│ ├── istio_instances.go
│ ├── istio_instances_test.go
│ ├── istio_policies.go
│ ├── istio_policies_test.go
│ ├── istio_rules.go
│ ├── istio_rules_test.go
│ ├── istio_service_entries.go
│ ├── istio_service_entries_test.go
│ ├── istio_test.go
│ ├── istio_virtual_services.go
│ ├── istio_virtual_services_test.go
│ ├── main_test.go
│ ├── network_policies.go
│ ├── network_policies_test.go
│ ├── opa_constraints.go
│ ├── opa_constraints_test.go
│ ├── secrets.go
│ ├── services.go
│ ├── services_test.go
│ ├── utils.go
│ ├── utils_test.go
│ ├── vault.go
│ └── vault_test.go
├── go.mod
├── go.sum
├── hack
│ ├── boilerplate.go.txt
│ └── install
│ │ ├── controller-setup-helper-rbac.yaml
│ │ └── controller-setup-helper.yaml
├── main.go
└── third_party
│ ├── README.md
│ └── istio
│ └── v1.1.7
│ ├── crds
│ ├── handler.yaml
│ ├── instance.yaml
│ ├── policy.yaml
│ ├── rule.yaml
│ ├── service-entry.yaml
│ └── virtual-service.yaml
│ └── original-crds
│ ├── crd-10.yaml
│ ├── crd-11.yaml
│ ├── crd-certmanager-10.yaml
│ └── crd-certmanager-11.yaml
├── builder
├── README.md
├── appconfig-crd
│ ├── build-ssh-config-git-hub
│ ├── cloudbuild.yaml
│ └── placeholder.txt
└── kubebuilder-build
│ ├── Dockerfile
│ ├── cloudbuild.yaml
│ └── utils
│ └── acmsplit
│ ├── Dockerfile
│ ├── go.mod
│ ├── go.sum
│ └── main.go
├── examples
└── use-cases
│ ├── uc-allowed-jwt-istio
│ └── deploy-apps.yaml
│ ├── uc-allowed-services-istio
│ └── deploy-apps.yaml
│ ├── uc-allowed-services-k8s
│ └── deploy-apps.yaml
│ ├── uc-firebase
│ └── deploy-apps.yaml
│ ├── uc-ingress-k8s-https
│ └── deploy-apps.yaml
│ ├── uc-ingress-k8s
│ └── deploy-apps.yaml
│ ├── uc-opa
│ └── deploy-apps.yaml
│ ├── uc-secrets-istio
│ └── deploy-apps.yaml
│ ├── uc-secrets-k8s
│ └── deploy-apps.yaml
│ ├── uc-secrets-vault-k8s
│ ├── README.md
│ ├── deploy-apps.yaml
│ └── vault-roles-policy.sh
│ └── uc-workload-identity
│ └── deploy-apps.yaml
├── infra
├── build
│ ├── backend.tf
│ ├── gh-mirror.json
│ ├── gh-trigger.json
│ ├── main.tf
│ ├── runtf.sh
│ └── trigger.sh
└── prj
│ ├── README.md
│ ├── backend.tf
│ ├── main.tf
│ ├── outputs.tf
│ ├── runtf.sh
│ ├── terraform.tfvars
│ └── vars.tf
├── scripts
├── README.md
└── crd-setup-helper.sh
├── tests
├── artifacts
│ ├── drivers
│ │ └── simple_hello
│ │ │ ├── __init__.py
│ │ │ ├── all_tests.py
│ │ │ ├── auth_helper.py
│ │ │ ├── hello_app_drv_py.py
│ │ │ ├── hello_app_ext_client_py.py
│ │ │ ├── hello_app_sm_py.py
│ │ │ ├── http_rest_helper.py
│ │ │ ├── requirements.txt
│ │ │ └── test
│ │ │ ├── __init__.py
│ │ │ ├── config
│ │ │ ├── opa-appconfig-1.yaml
│ │ │ └── opa-appconfig-2.yaml
│ │ │ ├── test_ingress.py
│ │ │ ├── test_opa.py
│ │ │ └── test_simple_hello.py
│ ├── pytest-sel
│ │ ├── Dockerfile
│ │ ├── README.md
│ │ └── requirements.txt
│ └── vault-api-helper
│ │ ├── run-test.sh
│ │ └── simple.yaml
├── setup
│ ├── README.md
│ ├── build-ssh-config-git-hub
│ ├── cloudbuild.yaml
│ ├── jobtemp
│ │ └── placeholder.txt
│ ├── scripts
│ │ └── vault-setup-helper-vault-gcp-sa.sh
│ └── setup_mapping_execution.sh
└── use-cases-basic
│ └── demos.bats
├── third_party
└── README.md
└── vault-api-helper
├── Dockerfile
└── main.go
/.gitignore:
--------------------------------------------------------------------------------
1 | **/.DS_Store
2 | **/*.iml
3 | **/idea
4 | **/venv
5 | **/__pycache__/
6 | **/temp*
7 | **/.private
8 | **/.terraform
--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
1 | # How to Contribute
2 |
3 | We'd love to accept your patches and contributions to this project. There are
4 | just a few small guidelines you need to follow.
5 |
6 | ## Contributor License Agreement
7 |
8 | Contributions to this project must be accompanied by a Contributor License
9 | Agreement. You (or your employer) retain the copyright to your contribution;
10 | this simply gives us permission to use and redistribute your contributions as
11 | part of the project. Head over to <https://cla.developers.google.com/> to see
12 | your current agreements on file or to sign a new one.
13 |
14 | You generally only need to submit a CLA once, so if you've already submitted one
15 | (even if it was for a different project), you probably don't need to do it
16 | again.
17 |
18 | ## Code reviews
19 |
20 | All submissions, including submissions by project members, require review. We
21 | use GitHub pull requests for this purpose. Consult
22 | [GitHub Help](https://help.github.com/articles/about-pull-requests/) for more
23 | information on using pull requests.
24 |
25 | ## Community Guidelines
26 |
27 | This project follows [Google's Open Source Community
28 | Guidelines](https://opensource.google.com/conduct/).
29 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Anthos Application Configuration - Custom Resource Definition/Controller
2 |
3 | ## Overview
4 |
5 | This project is about application configuration for deployment.
6 | It focuses on two different user personas:
7 |
8 | * the developer team
9 | * the platform team
10 |
11 | The platform team approves an Application Configuration CRD and its accompanying
12 | mutating/validating admission webhooks, which together
13 | set up the application's operating environment.
14 |
15 | The CRD builds the guardrails and allows integration with other pods and services.
16 | In our proposed environments, the guardrails include “least privilege”
17 | at the namespace level for both network ACLs and RBAC. The CRD and webhooks are built
18 | using kubebuilder v2 [v2.0.0-alpha 4](https://github.com/kubernetes-sigs/kubebuilder),
19 | which leverages the k8s controller framework.
20 |
21 | ## High Level Diagram
22 |
23 | 
24 |
25 |
26 | ## Documentation / Information (wiki)
27 |
28 | [AppConfig CRD Wiki](https://github.com/GoogleCloudPlatform/anthos-appconfig/wiki)
29 |
30 | [Releases](https://github.com/GoogleCloudPlatform/anthos-appconfig/releases)
31 |
32 |
33 | Copyright 2019 Google LLC. This software is provided as-is, without warranty or representation for any use or purpose.
34 |
35 |
--------------------------------------------------------------------------------
/anthos-config-management/README.md:
--------------------------------------------------------------------------------
1 | Copyright 2019 Google LLC
2 |
3 | Licensed under the Apache License, Version 2.0 (the "License");
4 | you may not use this file except in compliance with the License.
5 | You may obtain a copy of the License at
6 |
7 | http://www.apache.org/licenses/LICENSE-2.0
8 |
9 | Unless required by applicable law or agreed to in writing, software
10 | distributed under the License is distributed on an "AS IS" BASIS,
11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | See the License for the specific language governing permissions and
13 | limitations under the License.
14 |
15 | env:
16 | - name: "HTTPS_PROXY"
17 | value: ""
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/devtest-istio/namespace.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 | # Namespace for the Istio test driver; istio-injection: "enabled" requests sidecar injection for its pods.
19 | # NOTE(review): the use-case NetworkPolicies in this listing admit ingress from any namespace labelled
20 | # devtest: "true", so the right to set that label is effectively a network-access grant.
21 | apiVersion: v1
22 | kind: Namespace
23 | metadata:
24 | name: devtest-istio
25 | labels:
26 | devtest: "true"
27 | istio-injection: "enabled"
28 |
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/devtest-istio/testdriver-istio.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 | # Single-replica test-driver Deployment for the devtest-istio namespace; the container is told to use PORT 8080.
19 | # NOTE(review): apps/v1beta1 Deployments were removed in Kubernetes 1.16; apps/v1 additionally requires spec.selector.
20 | # NOTE(review): the pod spec sets no securityContext and no resource requests/limits.
21 | apiVersion: apps/v1beta1
22 | kind: Deployment
23 | metadata:
24 | name: hello-app-drv-py-1
25 | namespace: devtest-istio
26 | labels:
27 | app: hello-app-drv-py-1
28 | version: v3.0.6
29 | spec:
30 | replicas: 1
31 | template:
32 | metadata:
33 | labels:
34 | app: hello-app-drv-py-1
35 | version: v3.0.6
36 | spec:
37 | containers:
38 | - name: hello-app-drv-py
39 | image: gcr.io/anthos-appconfig/hello-app-sm-py:v3.0.20  # referenced by tag, not digest; the tag also differs from the v3.0.6 version label
40 | imagePullPolicy: Always  # with a tag reference, each pull may fetch different content
41 | command: ["python"]
42 | args: [
43 | "hello_app_sm_py.py",
44 | "hello_app_no_istio_drv.py",  # NOTE(review): "no_istio" here, while devtest/testdriver-noistio.yaml passes "istio" — confirm not swapped
45 | ]
46 | env:
47 | - name: "PORT"
48 | value: "8080"
49 | ports:
50 | - name: "http-access"
51 | containerPort: 8080
52 |
53 |
54 |
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/devtest-istio/testdriver-svc-gateway.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 | # ClusterIP Service for the test driver, plus the Istio Gateway, VirtualService and DestinationRule that route to it.
19 | # NOTE(review): the Gateway serves plain HTTP on port 80 for every host ("*"); no TLS settings are configured at the edge.
20 | # Only the /testcallseq prefix is routed; the DestinationRule sets ISTIO_MUTUAL TLS for traffic to the service.
21 | apiVersion: v1
22 | kind: Service
23 | metadata:
24 | name: hello-app-drv-py-1
25 | namespace: devtest-istio
26 | labels:
27 | app: hello-app-drv-py-1
28 | version: v3.0.6
29 | spec:
30 | type: ClusterIP
31 | selector:
32 | app: hello-app-drv-py-1
33 | version: v3.0.6
34 | ports:
35 | - name: http-access
36 | port: 8080
37 | targetPort: 8080
38 | protocol: TCP
39 | ---
40 | apiVersion: networking.istio.io/v1alpha3
41 | kind: Gateway
42 | metadata:
43 | name: mygateway-http
44 | namespace: devtest-istio
45 | spec:
46 | selector:
47 | istio: ingressgateway
48 | servers:
49 | - port:
50 | number: 80
51 | name: http-access
52 | protocol: HTTP
53 | hosts:
54 | - "*"  # matches any Host header on this gateway
55 | ---
56 | apiVersion: networking.istio.io/v1alpha3
57 | kind: VirtualService
58 | metadata:
59 | name: test-service-external-vs
60 | namespace: devtest-istio
61 | spec:
62 | hosts:
63 | - "*"
64 | gateways:
65 | - mygateway-http
66 | http:
67 | - match:
68 | - uri:
69 | prefix: /testcallseq
70 | route:
71 | - destination:
72 | port:
73 | number: 8080
74 | host: "hello-app-drv-py-1.devtest-istio.svc.cluster.local"
75 | ---
76 | apiVersion: networking.istio.io/v1alpha3
77 | kind: DestinationRule
78 | metadata:
79 | name: "hello-app-drv-py-1"
80 | namespace: "devtest-istio"
81 | spec:
82 | host: "hello-app-drv-py-1.devtest-istio.svc.cluster.local"
83 | trafficPolicy:
84 | tls:
85 | mode: ISTIO_MUTUAL
86 |
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/devtest/namespace.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 | # Namespace for the non-Istio test driver; it carries no istio-injection label.
19 | # NOTE(review): the use-case NetworkPolicies in this listing admit ingress from any namespace labelled
20 | # devtest: "true", so the right to set that label is effectively a network-access grant.
21 | apiVersion: v1
22 | kind: Namespace
23 | metadata:
24 | name: devtest
25 | labels:
26 | devtest: "true"
27 |
28 |
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/devtest/testdriver-noistio.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 | # Single-replica test-driver Deployment for the devtest namespace, plus the Service that publishes it.
19 | # NOTE(review): apps/v1beta1 Deployments were removed in Kubernetes 1.16; apps/v1 additionally requires spec.selector.
20 | # NOTE(review): the pod spec sets no securityContext and no resource requests/limits.
21 | apiVersion: apps/v1beta1
22 | kind: Deployment
23 | metadata:
24 | name: hello-app-drv-py-1
25 | namespace: devtest
26 | labels:
27 | app: hello-app-drv-py-1
28 | version: v3.0.6
29 | spec:
30 | replicas: 1
31 | template:
32 | metadata:
33 | labels:
34 | app: hello-app-drv-py-1
35 | version: v3.0.6
36 | spec:
37 | containers:
38 | - name: hello-app-drv-py
39 | image: gcr.io/anthos-appconfig/hello-app-sm-py:v3.0.20  # referenced by tag, not digest; the tag also differs from the v3.0.6 version label
40 | imagePullPolicy: Always  # with a tag reference, each pull may fetch different content
41 | command: ["python"]
42 | args: [
43 | "hello_app_sm_py.py",
44 | "hello_app_istio_drv.py",  # NOTE(review): "istio" here, while devtest-istio/testdriver-istio.yaml passes "no_istio" — confirm not swapped
45 | ]
46 | env:
47 | - name: "PORT"
48 | value: "8080"
49 | ---
50 | apiVersion: v1
51 | kind: Service
52 | metadata:
53 | name: test-service-external
54 | namespace: devtest
55 | labels:
56 | app: hello-app-drv-py-1
57 | version: v3.0.6
58 | spec:
59 | type: LoadBalancer  # NOTE(review): typically provisions an external load balancer; no loadBalancerSourceRanges limits who may connect
60 | selector:
61 | app: hello-app-drv-py-1
62 | version: v3.0.6
63 | ports:
64 | - port: 80  # plain HTTP; nothing in this manifest terminates TLS
65 | targetPort: 8080
66 | protocol: TCP
67 |
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-allowed-jwt-istio/crd_roles_separation_of_duties.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 | # Two namespaced Roles over Secrets (a read/write "update" role and a read-only "validate" role) and a RoleBinding for each.
19 | # NOTE(review): both bindings name the same subject (ServiceAccount default in appconfigmgrv2-system), so that account holds the write role as well and the read-only role separates nothing.
20 | # NOTE(review): no resourceNames are given, so the rules cover every Secret in the namespace, and list/watch return Secret contents. Core Secrets have no status subresource, so the secrets/status rules likely have no effect — confirm.
21 | apiVersion: rbac.authorization.k8s.io/v1
22 | kind: Role
23 | metadata:
24 | name: appconfigmgrv2-system-update-webhook-auth
25 | rules:
26 | - apiGroups:
27 | - ""
28 | resources:
29 | - secrets
30 | verbs:
31 | - get
32 | - list
33 | - watch
34 | - create
35 | - update
36 | - patch
37 | - delete
38 | - apiGroups:
39 | - ""
40 | resources:
41 | - secrets/status
42 | verbs:
43 | - get
44 | - update
45 | - patch
46 | ---
47 | apiVersion: rbac.authorization.k8s.io/v1
48 | kind: Role
49 | metadata:
50 | name: appconfigmgrv2-system-validate-webhook-auth
51 | rules:
52 | - apiGroups:
53 | - ""
54 | resources:
55 | - secrets
56 | verbs:
57 | - get
58 | - list
59 | - watch
60 | - apiGroups:
61 | - ""
62 | resources:
63 | - secrets/status
64 | verbs:
65 | - get
66 | ---
67 | apiVersion: rbac.authorization.k8s.io/v1
68 | kind: RoleBinding
69 | metadata:
70 | name: appconfigmgrv2-system-validate-webhook-auth-rb
71 | roleRef:
72 | apiGroup: rbac.authorization.k8s.io
73 | kind: Role
74 | name: appconfigmgrv2-system-validate-webhook-auth
75 | subjects:
76 | - kind: ServiceAccount
77 | name: default  # the namespace's default ServiceAccount, used by any pod there that names no other account
78 | namespace: appconfigmgrv2-system
79 | ---
80 | apiVersion: rbac.authorization.k8s.io/v1
81 | kind: RoleBinding
82 | metadata:
83 | name: appconfigmgrv2-system-update-webhook-auth-rb
84 | roleRef:
85 | apiGroup: rbac.authorization.k8s.io
86 | kind: Role
87 | name: appconfigmgrv2-system-update-webhook-auth
88 | subjects:
89 | - kind: ServiceAccount
90 | name: default  # same subject as the validate binding above
91 | namespace: appconfigmgrv2-system
92 |
93 |
94 |
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-allowed-jwt-istio/default-deny-all.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 | # NetworkPolicy that selects every pod in its namespace (podSelector: {}) and lists three ingress sources.
19 | # NOTE(review): despite the name this is not deny-all: ingress is admitted from any namespace labelled devtest "true", appconfigmgr.cft.dev/trusted "true", or the sandbox label below, on all ports.
20 | # NOTE(review): with no policyTypes or egress section the policy applies to ingress only; egress from these pods is not restricted by it.
21 | kind: NetworkPolicy
22 | apiVersion: networking.k8s.io/v1
23 | metadata:
24 | name: default-deny-all
25 | spec:
26 | podSelector: {}
27 | ingress:
28 | - from:
29 | - namespaceSelector:
30 | matchLabels:
31 | devtest: "true"
32 | - from:
33 | - namespaceSelector:
34 | matchLabels:
35 | appconfigmgr.cft.dev/trusted: "true"
36 | - from:
37 | - namespaceSelector:
38 | matchLabels:
39 | appconfigmgr.cft.dev/sandbox: "uc-allowed-jwt-istio"
40 |
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-allowed-jwt-istio/namespace.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 | # Use-case namespace with Istio sidecar injection enabled.
19 | # The mutating-create-update-pod-appconfig-cft-dev label presumably opts the namespace into the pod mutating webhook — confirm against the webhook's namespaceSelector.
20 | # The sandbox label carries the value that this use case's default-deny-all NetworkPolicy admits ingress from.
21 | apiVersion: v1
22 | kind: Namespace
23 | metadata:
24 | name: uc-allowed-jwt-istio
25 | labels:
26 | istio-injection: "enabled"
27 | mutating-create-update-pod-appconfig-cft-dev: "enabled"
28 | appconfigmgr.cft.dev/sandbox: "uc-allowed-jwt-istio"
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-allowed-services-istio/crd_roles_separation_of_duties.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 | # Two namespaced Roles over Secrets (a read/write "update" role and a read-only "validate" role) and a RoleBinding for each.
19 | # NOTE(review): both bindings name the same subject (ServiceAccount default in appconfigmgrv2-system), so that account holds the write role as well and the read-only role separates nothing.
20 | # NOTE(review): no resourceNames are given, so the rules cover every Secret in the namespace, and list/watch return Secret contents. Core Secrets have no status subresource, so the secrets/status rules likely have no effect — confirm.
21 | apiVersion: rbac.authorization.k8s.io/v1
22 | kind: Role
23 | metadata:
24 | name: appconfigmgrv2-system-update-webhook-auth
25 | rules:
26 | - apiGroups:
27 | - ""
28 | resources:
29 | - secrets
30 | verbs:
31 | - get
32 | - list
33 | - watch
34 | - create
35 | - update
36 | - patch
37 | - delete
38 | - apiGroups:
39 | - ""
40 | resources:
41 | - secrets/status
42 | verbs:
43 | - get
44 | - update
45 | - patch
46 | ---
47 | apiVersion: rbac.authorization.k8s.io/v1
48 | kind: Role
49 | metadata:
50 | name: appconfigmgrv2-system-validate-webhook-auth
51 | rules:
52 | - apiGroups:
53 | - ""
54 | resources:
55 | - secrets
56 | verbs:
57 | - get
58 | - list
59 | - watch
60 | - apiGroups:
61 | - ""
62 | resources:
63 | - secrets/status
64 | verbs:
65 | - get
66 | ---
67 | apiVersion: rbac.authorization.k8s.io/v1
68 | kind: RoleBinding
69 | metadata:
70 | name: appconfigmgrv2-system-validate-webhook-auth-rb
71 | roleRef:
72 | apiGroup: rbac.authorization.k8s.io
73 | kind: Role
74 | name: appconfigmgrv2-system-validate-webhook-auth
75 | subjects:
76 | - kind: ServiceAccount
77 | name: default  # the namespace's default ServiceAccount, used by any pod there that names no other account
78 | namespace: appconfigmgrv2-system
79 | ---
80 | apiVersion: rbac.authorization.k8s.io/v1
81 | kind: RoleBinding
82 | metadata:
83 | name: appconfigmgrv2-system-update-webhook-auth-rb
84 | roleRef:
85 | apiGroup: rbac.authorization.k8s.io
86 | kind: Role
87 | name: appconfigmgrv2-system-update-webhook-auth
88 | subjects:
89 | - kind: ServiceAccount
90 | name: default  # same subject as the validate binding above
91 | namespace: appconfigmgrv2-system
92 |
93 |
94 |
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-allowed-services-istio/default-deny-all.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 | # NetworkPolicy that selects every pod in its namespace (podSelector: {}) and lists three ingress sources.
19 | # NOTE(review): despite the name this is not deny-all: ingress is admitted from any namespace labelled devtest "true", appconfigmgr.cft.dev/trusted "true", or the sandbox label below, on all ports.
20 | # NOTE(review): with no policyTypes or egress section the policy applies to ingress only; egress from these pods is not restricted by it.
21 | kind: NetworkPolicy
22 | apiVersion: networking.k8s.io/v1
23 | metadata:
24 | name: default-deny-all
25 | spec:
26 | podSelector: {}
27 | ingress:
28 | - from:
29 | - namespaceSelector:
30 | matchLabels:
31 | devtest: "true"
32 | - from:
33 | - namespaceSelector:
34 | matchLabels:
35 | appconfigmgr.cft.dev/trusted: "true"
36 | - from:
37 | - namespaceSelector:
38 | matchLabels:
39 | appconfigmgr.cft.dev/sandbox: "uc-allowed-services-istio"
40 |
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-allowed-services-istio/namespace.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 | # Use-case namespace with Istio sidecar injection enabled.
19 | # The mutating-create-update-pod-appconfig-cft-dev label presumably opts the namespace into the pod mutating webhook — confirm against the webhook's namespaceSelector.
20 | # The sandbox label carries the value that this use case's default-deny-all NetworkPolicy admits ingress from.
21 | apiVersion: v1
22 | kind: Namespace
23 | metadata:
24 | name: uc-allowed-services-istio
25 | labels:
26 | istio-injection: "enabled"
27 | mutating-create-update-pod-appconfig-cft-dev: "enabled"
28 | appconfigmgr.cft.dev/sandbox: "uc-allowed-services-istio"
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-allowed-services-k8s/appconfig.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | apiVersion: appconfigmgr.cft.dev/v1alpha1
22 | kind: AppEnvConfigTemplateV2  # Declares five services and, per service, the clients listed under allowedClients.
23 | metadata:
24 | name: "app-allowed-k8s"  # No metadata.namespace here. NOTE(review): presumably assigned from the repo directory (uc-allowed-services-k8s) by Anthos Config Management; confirm.
25 | spec:
26 | services:
27 | - name: "appconfigv2-service-sm-1"
28 | deploymentApp: "hello-app-sm-py-1"
29 | deploymentPort: 8080
30 | servicePort: 80
31 | deploymentPortProtocol: "TCP"
32 | allowedClients:  # NOTE(review): looks like a per-service caller allowlist; how it is enforced is decided by the controller, which is not shown here.
33 | - name: "hello-app-sm-py-2"
34 | - name: "appconfigv2-service-sm-2"
35 | deploymentApp: "hello-app-sm-py-2"
36 | deploymentPort: 8080
37 | servicePort: 80
38 | deploymentPortProtocol: "TCP"
39 | allowedClients:
40 | - name: "hello-app-sm-py-4"
41 | - name: "appconfigv2-service-sm-3"
42 | deploymentApp: "hello-app-sm-py-3"
43 | deploymentPort: 8080
44 | servicePort: 80
45 | deploymentPortProtocol: "TCP"
46 | allowedClients:
47 | - name: "hello-app-sm-py-4"
48 | - name: "appconfigv2-service-sm-4"
49 | deploymentApp: "hello-app-sm-py-4"
50 | deploymentPort: 8080
51 | servicePort: 80
52 | deploymentPortProtocol: "TCP"
53 | allowedClients:  # Two clients listed for this service.
54 | - name: "hello-app-sm-py-1"
55 | - name: "hello-app-sm-py-2"
56 | - name: "appconfigv2-service-pubsub"
57 | deploymentApp: "hello-app-pubsub"
58 | deploymentPort: 8000
59 | servicePort: 80
60 | deploymentPortProtocol: "TCP"
61 | allowedClients:
62 | - name: "hello-app-sm-py-1"
63 |
64 |
65 |
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-allowed-services-k8s/crd_roles_separation_of_duties.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | apiVersion: rbac.authorization.k8s.io/v1
22 | kind: Role  # Read/write Role on Secrets; no resourceNames, so it covers every Secret in the Role's namespace.
23 | metadata:  # No namespace set. NOTE(review): presumably assigned from the repo directory (uc-allowed-services-k8s) by Anthos Config Management; confirm.
24 | name: appconfigmgrv2-system-update-webhook-auth
25 | rules:
26 | - apiGroups:
27 | - ""  # "" is the core API group.
28 | resources:
29 | - secrets
30 | verbs:
31 | - get
32 | - list
33 | - watch
34 | - create
35 | - update
36 | - patch
37 | - delete
38 | - apiGroups:
39 | - ""
40 | resources:
41 | - secrets/status  # NOTE(review): core Secrets have no status subresource as far as I know, so this rule looks inert; confirm and drop it.
42 | verbs:
43 | - get
44 | - update
45 | - patch
46 | ---
47 | apiVersion: rbac.authorization.k8s.io/v1
48 | kind: Role  # Read-only Role on Secrets.
49 | metadata:
50 | name: appconfigmgrv2-system-validate-webhook-auth
51 | rules:
52 | - apiGroups:
53 | - ""
54 | resources:
55 | - secrets
56 | verbs:
57 | - get
58 | - list  # list and watch return full Secret objects, so "read-only" still discloses every Secret value in the namespace.
59 | - watch
60 | - apiGroups:
61 | - ""
62 | resources:
63 | - secrets/status
64 | verbs:
65 | - get
66 | ---
67 | apiVersion: rbac.authorization.k8s.io/v1
68 | kind: RoleBinding  # Grants the read-only Role to a ServiceAccount from another namespace.
69 | metadata:
70 | name: appconfigmgrv2-system-validate-webhook-auth-rb
71 | roleRef:
72 | apiGroup: rbac.authorization.k8s.io
73 | kind: Role
74 | name: appconfigmgrv2-system-validate-webhook-auth
75 | subjects:
76 | - kind: ServiceAccount
77 | name: default  # The `default` ServiceAccount: any pod in appconfigmgrv2-system that sets no serviceAccountName runs with this access. A dedicated ServiceAccount would be the least-privilege choice.
78 | namespace: appconfigmgrv2-system
79 | ---
80 | apiVersion: rbac.authorization.k8s.io/v1
81 | kind: RoleBinding  # Grants the read/write Role.
82 | metadata:
83 | name: appconfigmgrv2-system-update-webhook-auth-rb
84 | roleRef:
85 | apiGroup: rbac.authorization.k8s.io
86 | kind: Role
87 | name: appconfigmgrv2-system-update-webhook-auth
88 | subjects:
89 | - kind: ServiceAccount
90 | name: default  # Same subject as the validate binding, so one identity holds both Roles; the split separates duties only if the Roles are bound to different ServiceAccounts.
91 | namespace: appconfigmgrv2-system
92 |
93 |
94 |
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-allowed-services-k8s/default-deny-all.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | kind: NetworkPolicy  # Restricts ingress to all pods of the namespace; despite the name it is not a pure deny-all (see the rule below).
22 | apiVersion: networking.k8s.io/v1
23 | metadata:
24 | name: default-deny-all
25 | spec:
26 | podSelector: {}  # Empty selector: applies to every pod in the namespace.
27 | ingress:  # No policyTypes given, so only Ingress is governed; egress from these pods stays unrestricted.
28 | - from:
29 | - namespaceSelector:
30 | matchLabels:
31 | devtest: "true"  # Any namespace carrying this label may reach every pod and port here; the right to label namespaces is therefore part of the trust boundary.
32 |
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-allowed-services-k8s/namespace.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | apiVersion: v1
22 | kind: Namespace  # Namespace for the uc-allowed-services-k8s use case (no istio-injection label, unlike the -istio variant).
23 | metadata:
24 | name: uc-allowed-services-k8s
25 | labels:
26 | mutating-create-update-pod-appconfig-cft-dev: "enabled"  # NOTE(review): presumably the opt-in label matched by the appconfig mutating webhook; confirm against its namespaceSelector.
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-firebase/README.md:
--------------------------------------------------------------------------------
1 | Copyright 2019 Google LLC
2 |
3 | Licensed under the Apache License, Version 2.0 (the "License");
4 | you may not use this file except in compliance with the License.
5 | You may obtain a copy of the License at
6 |
7 | http://www.apache.org/licenses/LICENSE-2.0
8 |
9 | Unless required by applicable law or agreed to in writing, software
10 | distributed under the License is distributed on an "AS IS" BASIS,
11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | See the License for the specific language governing permissions and
13 | limitations under the License.
14 | # Firebase Use Case
15 |
16 | This use case exposes a Firebase web app that calls a "tasks" API. The API calls are authenticated with JWTs passed from the browser.
17 |
18 | The webapp is exposed at `http://$INGRESS_HOST/app/`.
19 |
20 |
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-firebase/appconfig.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | apiVersion: appconfigmgr.cft.dev/v1alpha1
22 | kind: AppEnvConfigTemplateV2  # Firebase use case: JWT auth settings plus two services (tasks, webapp).
23 | metadata:
24 | name: firebase
25 | namespace: uc-firebase
26 | spec:
27 | auth:
28 | jwt:
29 | type: firebase
30 | params:
31 | project: anthos-crd-v1-dev-t2  # Hard-coded project id from the authors' environment; replace it, otherwise tokens are checked against someone else's project. NOTE(review): presumably issuer/audience are derived from it; confirm in the controller.
32 | services:
33 | - name: tasks
34 | deploymentApp: tasks
35 | deploymentPort: 8000
36 | servicePort: 8000
37 | deploymentPortProtocol: TCP
38 | allowedClients:
39 | - name: istio-system/istio-ingressgateway
40 | - name: curl  # NOTE(review): looks like a test/debug client; drop it from the allow list outside of a demo.
41 | - name: webapp
42 | deploymentApp: webapp
43 | deploymentPort: 80
44 | servicePort: 80
45 | deploymentPortProtocol: TCP
46 | allowedClients:
47 | - name: istio-system/istio-ingressgateway
48 | - name: curl
49 | disableAuth: true  # NOTE(review): indentation is lost in this listing; this most likely belongs to the webapp service and exempts it from spec.auth.jwt. The tasks service sets no such flag. Confirm the field's scope in the CRD.
50 |
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-firebase/namespace.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | apiVersion: v1
22 | kind: Namespace  # Namespace for the Firebase use case.
23 | metadata:
24 | name: uc-firebase
25 | labels:
26 | istio-injection: enabled  # Istio's label for automatic sidecar injection; the appconfig webhook label used by other use-case namespaces is absent here.
27 |
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-firebase/public.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | apiVersion: networking.istio.io/v1alpha3
22 | kind: VirtualService  # Routes requests whose path starts with /api to the firebase-tasks host.
23 | metadata:
24 | name: firebase-app-svc  # NOTE(review): named "app" but carries the /api route; the names of the two VirtualServices in this file look swapped.
25 | namespace: uc-firebase
26 | spec:
27 | hosts:
28 | - "*"  # Matches any Host header arriving on the gateway.
29 | gateways:
30 | - devtest-istio/mygateway-http  # NOTE(review): the name suggests a plain-HTTP gateway (definition not shown here); bearer JWTs sent over cleartext can be captured in transit, so terminate TLS at the gateway outside of a demo.
31 | http:
32 | - match:
33 | - uri:
34 | prefix: /api  # No trailing slash. NOTE(review): a string prefix match would also cover paths such as /apiv2; use /api/ if only that subtree is intended.
35 | route:
36 | - destination:
37 | host: firebase-tasks
38 |
39 | ---
40 | apiVersion: networking.istio.io/v1alpha3
41 | kind: VirtualService  # Routes /app/ to the firebase-webapp host, rewriting the matched prefix to /.
42 | metadata:
43 | name: firebase-api-svc  # NOTE(review): named "api" but carries the /app/ route; the names of the two VirtualServices in this file look swapped.
44 | namespace: uc-firebase
45 | spec:
46 | hosts:
47 | - "*"  # Matches any Host header arriving on the gateway.
48 | gateways:
49 | - devtest-istio/mygateway-http  # NOTE(review): the name suggests a plain-HTTP gateway (definition not shown here); the web app obtains and forwards JWTs, so serve it over TLS outside of a demo.
50 | http:
51 | - match:
52 | - uri:
53 | prefix: /app/
54 | rewrite:
55 | uri: /  # The backend sees the path with the /app/ prefix replaced by /.
56 | route:
57 | - destination:
58 | host: firebase-webapp
59 |
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-ingress-k8s-https/allow-all.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 | apiVersion: networking.k8s.io/v1
20 | kind: NetworkPolicy  # Opens ingress to every pod in uc-ingress-k8s-https from any source.
21 | metadata:
22 | namespace: uc-ingress-k8s-https
23 | name: allow-all
24 | spec:
25 | podSelector: {}  # Empty selector: applies to every pod in the namespace.
26 | ingress:
27 | - {}  # Empty rule: all sources and all ports. NetworkPolicies are additive, so this overrides any narrower ingress policy in the same namespace.
28 | policyTypes:
29 | - Ingress  # Only ingress is governed; egress is left as it is.
30 |
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-ingress-k8s-https/appconfig.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 | apiVersion: appconfigmgr.cft.dev/v1alpha1
20 | kind: AppEnvConfigTemplateV2  # HTTPS ingress use case: one service exposed on a host, with TLS certificate Secrets listed under spec.ingress.tls.
21 | metadata:
22 | name: ingress-k8s
23 | namespace: uc-ingress-k8s-https
24 | spec:
25 | ingress:
26 | tls:
27 | certSecrets:
28 | - my-secret  # Referenced by name only. NOTE(review): presumably a TLS Secret that must already exist in this namespace; keep the key material out of the config repo.
29 | services:
30 | - name: my-server
31 | deploymentApp: my-server
32 | deploymentPort: 80  # Port 80 on the backend. NOTE(review): suggests TLS ends at the ingress and the hop to the pod is plain HTTP; confirm.
33 | servicePort: 80
34 | deploymentPortProtocol: TCP
35 | ingress:
36 | host: example.com  # Placeholder host; the certificate in certSecrets has to cover the real host name.
37 |
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-ingress-k8s-https/namespace.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 | apiVersion: v1
20 | kind: Namespace  # Namespace for the HTTPS ingress use case.
21 | metadata:
22 | name: uc-ingress-k8s-https
23 | labels:
24 | mutating-create-update-pod-appconfig-cft-dev: "enabled"  # NOTE(review): presumably the opt-in label matched by the appconfig mutating webhook; confirm against its namespaceSelector.
25 |
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-ingress-k8s/allow-all.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 | apiVersion: networking.k8s.io/v1
20 | kind: NetworkPolicy  # Opens ingress to every pod in uc-ingress-k8s from any source.
21 | metadata:
22 | namespace: uc-ingress-k8s
23 | name: allow-all
24 | spec:
25 | podSelector: {}  # Empty selector: applies to every pod in the namespace.
26 | ingress:
27 | - {}  # Empty rule: all sources and all ports. NetworkPolicies are additive, so this overrides any narrower ingress policy in the same namespace.
28 | policyTypes:
29 | - Ingress  # Only ingress is governed; egress is left as it is.
30 |
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-ingress-k8s/appconfig.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 | apiVersion: appconfigmgr.cft.dev/v1alpha1
20 | kind: AppEnvConfigTemplateV2  # Plain ingress use case: one service, no spec.ingress.tls section (compare uc-ingress-k8s-https).
21 | metadata:
22 | name: ingress-k8s
23 | namespace: uc-ingress-k8s
24 | spec:
25 | services:
26 | - name: my-server
27 | deploymentApp: my-server
28 | deploymentPort: 80
29 | servicePort: 80
30 | deploymentPortProtocol: TCP
31 | ingress: {}  # NOTE(review): an empty object presumably enables ingress with controller defaults and no host restriction; with no TLS configured the service would be reachable over plain HTTP. Confirm.
32 |
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-ingress-k8s/namespace.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 | apiVersion: v1
20 | kind: Namespace  # Namespace for the plain ingress use case.
21 | metadata:
22 | name: uc-ingress-k8s
23 | labels:
24 | mutating-create-update-pod-appconfig-cft-dev: "enabled"  # NOTE(review): presumably the opt-in label matched by the appconfig mutating webhook; confirm against its namespaceSelector.
25 |
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-opa/README.md:
--------------------------------------------------------------------------------
1 | Copyright 2019 Google LLC
2 |
3 | Licensed under the Apache License, Version 2.0 (the "License");
4 | you may not use this file except in compliance with the License.
5 | You may obtain a copy of the License at
6 |
7 | http://www.apache.org/licenses/LICENSE-2.0
8 |
9 | Unless required by applicable law or agreed to in writing, software
10 | distributed under the License is distributed on an "AS IS" BASIS,
11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | See the License for the specific language governing permissions and
13 | limitations under the License.
14 |
15 | # Firebase Use Case
16 |
17 | This use case exposes a firebase web app that calls a "tasks" API. The API calls are authenticated by JWT tokens passed from the browser.
18 |
19 | The webapp is exposed at `http://$INGRESS_HOST/app/`.
20 |
21 |
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-opa/namespace.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 | apiVersion: v1
20 | kind: Namespace  # Namespace for the uc-opa use case; it is the only manifest shown for that directory.
21 | metadata:
22 | name: uc-opa
23 | labels:
24 | mutating-create-update-pod-appconfig-cft-dev: enabled  # NOTE(review): presumably the opt-in label matched by the appconfig mutating webhook; confirm against its namespaceSelector.
25 |
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-secrets-istio/crd_roles_separation_of_duties.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | apiVersion: rbac.authorization.k8s.io/v1
22 | kind: Role  # Read/write Role on Secrets; no resourceNames, so it covers every Secret in the Role's namespace.
23 | metadata:  # No namespace set. NOTE(review): presumably assigned from the repo directory (uc-secrets-istio) by Anthos Config Management; confirm.
24 | name: appconfigmgrv2-system-update-webhook-auth
25 | rules:
26 | - apiGroups:
27 | - ""  # "" is the core API group.
28 | resources:
29 | - secrets
30 | verbs:
31 | - get
32 | - list
33 | - watch
34 | - create
35 | - update
36 | - patch
37 | - delete
38 | - apiGroups:
39 | - ""
40 | resources:
41 | - secrets/status  # NOTE(review): core Secrets have no status subresource as far as I know, so this rule looks inert; confirm and drop it.
42 | verbs:
43 | - get
44 | - update
45 | - patch
46 | ---
47 | apiVersion: rbac.authorization.k8s.io/v1
48 | kind: Role  # Read-only Role on Secrets.
49 | metadata:
50 | name: appconfigmgrv2-system-validate-webhook-auth
51 | rules:
52 | - apiGroups:
53 | - ""
54 | resources:
55 | - secrets
56 | verbs:
57 | - get
58 | - list  # list and watch return full Secret objects, so "read-only" still discloses every Secret value in the namespace.
59 | - watch
60 | - apiGroups:
61 | - ""
62 | resources:
63 | - secrets/status
64 | verbs:
65 | - get
66 | ---
67 | apiVersion: rbac.authorization.k8s.io/v1
68 | kind: RoleBinding  # Grants the read-only Role to a ServiceAccount from another namespace.
69 | metadata:
70 | name: appconfigmgrv2-system-validate-webhook-auth-rb
71 | roleRef:
72 | apiGroup: rbac.authorization.k8s.io
73 | kind: Role
74 | name: appconfigmgrv2-system-validate-webhook-auth
75 | subjects:
76 | - kind: ServiceAccount
77 | name: default  # The `default` ServiceAccount: any pod in appconfigmgrv2-system that sets no serviceAccountName runs with this access. A dedicated ServiceAccount would be the least-privilege choice.
78 | namespace: appconfigmgrv2-system
79 | ---
80 | apiVersion: rbac.authorization.k8s.io/v1
81 | kind: RoleBinding  # Grants the read/write Role.
82 | metadata:
83 | name: appconfigmgrv2-system-update-webhook-auth-rb
84 | roleRef:
85 | apiGroup: rbac.authorization.k8s.io
86 | kind: Role
87 | name: appconfigmgrv2-system-update-webhook-auth
88 | subjects:
89 | - kind: ServiceAccount
90 | name: default  # Same subject as the validate binding, so one identity holds both Roles; the split separates duties only if the Roles are bound to different ServiceAccounts.
91 | namespace: appconfigmgrv2-system
92 |
93 |
94 |
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-secrets-istio/default-deny-all.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | kind: NetworkPolicy  # Restricts ingress to all pods of the namespace to three labelled groups of namespaces; despite the name it is an allow list, not a pure deny-all.
22 | apiVersion: networking.k8s.io/v1
23 | metadata:
24 | name: default-deny-all
25 | spec:
26 | podSelector: {}  # Empty selector: applies to every pod in the namespace.
27 | ingress:  # The rules below are OR-ed. No policyTypes given, so only Ingress is governed; egress stays unrestricted.
28 | - from:
29 | - namespaceSelector:
30 | matchLabels:
31 | devtest: "true"  # Test-driver namespaces may reach every pod and port here.
32 | - from:
33 | - namespaceSelector:
34 | matchLabels:
35 | appconfigmgr.cft.dev/trusted: "true"  # Label-based trust: whoever can label a namespace can grant it access, so restrict that permission.
36 | - from:
37 | - namespaceSelector:
38 | matchLabels:
39 | appconfigmgr.cft.dev/sandbox: "uc-secrets-istio"  # Same value as the sandbox label on the uc-secrets-istio Namespace, which admits traffic from within that namespace.
40 |
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-secrets-istio/namespace.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | apiVersion: v1
22 | kind: Namespace  # Namespace for the uc-secrets-istio use case.
23 | metadata:
24 | name: uc-secrets-istio
25 | labels:
26 | istio-injection: "enabled"  # Istio's label for automatic sidecar injection into pods of this namespace.
27 | mutating-create-update-pod-appconfig-cft-dev: "enabled"  # NOTE(review): presumably the opt-in label matched by the appconfig mutating webhook; confirm against its namespaceSelector.
28 | appconfigmgr.cft.dev/sandbox: "uc-secrets-istio"  # Matched by the third ingress rule of this use case's default-deny-all NetworkPolicy.
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-secrets-k8s/appconfig.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | apiVersion: appconfigmgr.cft.dev/v1alpha1
22 | kind: AppEnvConfigTemplateV2  # Secret-based GCP access plus five services with per-service allowedClients.
23 | metadata:
24 | name: "app-secrets-k8s"  # No metadata.namespace here. NOTE(review): presumably assigned from the repo directory (uc-secrets-k8s) by Anthos Config Management; confirm.
25 | spec:
26 | auth:
27 | gcpAccess:
28 | accessType: "secret"
29 | secretInfo:
30 | name: "appconfigcrd-demo-sa1-secret"  # NOTE(review): presumably a Secret holding a GCP service-account key. Such keys are long-lived and need rotation and tight RBAC; the repo also has a uc-workload-identity use case that avoids stored keys.
31 | services:
32 | - name: "appconfigv2-service-sm-1"
33 | deploymentApp: "hello-app-sm-py-1"
34 | deploymentPort: 8080
35 | servicePort: 80
36 | deploymentPortProtocol: "TCP"
37 | allowedClients:  # NOTE(review): looks like a per-service caller allowlist; how it is enforced is decided by the controller, which is not shown here.
38 | - name: "hello-app-sm-py-2"
39 | - name: "appconfigv2-service-sm-2"
40 | deploymentApp: "hello-app-sm-py-2"
41 | deploymentPort: 8080
42 | servicePort: 80
43 | deploymentPortProtocol: "TCP"
44 | allowedClients:
45 | - name: "hello-app-sm-py-4"
46 | - name: "appconfigv2-service-sm-3"
47 | deploymentApp: "hello-app-sm-py-3"
48 | deploymentPort: 8080
49 | servicePort: 80
50 | deploymentPortProtocol: "TCP"
51 | allowedClients:
52 | - name: "hello-app-sm-py-4"
53 | - name: "appconfigv2-service-sm-4"
54 | deploymentApp: "hello-app-sm-py-4"
55 | deploymentPort: 8080
56 | servicePort: 80
57 | deploymentPortProtocol: "TCP"
58 | allowedClients:  # Two clients listed for this service.
59 | - name: "hello-app-sm-py-1"
60 | - name: "hello-app-sm-py-2"
61 | - name: "appconfigv2-service-pubsub"
62 | deploymentApp: "hello-app-pubsub"
63 | deploymentPort: 8000
64 | servicePort: 80
65 | deploymentPortProtocol: "TCP"
66 | allowedClients:
67 | - name: "hello-app-sm-py-1"
68 |
69 |
70 |
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-secrets-k8s/crd_roles_separation_of_duties.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | apiVersion: rbac.authorization.k8s.io/v1
22 | kind: Role  # Read/write Role on Secrets; no resourceNames, so it covers every Secret in the Role's namespace.
23 | metadata:  # No namespace set. NOTE(review): presumably assigned from the repo directory (uc-secrets-k8s) by Anthos Config Management; confirm.
24 | name: appconfigmgrv2-system-update-webhook-auth
25 | rules:
26 | - apiGroups:
27 | - ""  # "" is the core API group.
28 | resources:
29 | - secrets
30 | verbs:
31 | - get
32 | - list
33 | - watch
34 | - create
35 | - update
36 | - patch
37 | - delete
38 | - apiGroups:
39 | - ""
40 | resources:
41 | - secrets/status  # NOTE(review): core Secrets have no status subresource as far as I know, so this rule looks inert; confirm and drop it.
42 | verbs:
43 | - get
44 | - update
45 | - patch
46 | ---
47 | apiVersion: rbac.authorization.k8s.io/v1
48 | kind: Role  # Read-only Role on Secrets.
49 | metadata:
50 | name: appconfigmgrv2-system-validate-webhook-auth
51 | rules:
52 | - apiGroups:
53 | - ""
54 | resources:
55 | - secrets
56 | verbs:
57 | - get
58 | - list  # list and watch return full Secret objects, so "read-only" still discloses every Secret value in the namespace.
59 | - watch
60 | - apiGroups:
61 | - ""
62 | resources:
63 | - secrets/status
64 | verbs:
65 | - get
66 | ---
67 | apiVersion: rbac.authorization.k8s.io/v1
68 | kind: RoleBinding  # Grants the read-only Role to a ServiceAccount from another namespace.
69 | metadata:
70 | name: appconfigmgrv2-system-validate-webhook-auth-rb
71 | roleRef:
72 | apiGroup: rbac.authorization.k8s.io
73 | kind: Role
74 | name: appconfigmgrv2-system-validate-webhook-auth
75 | subjects:
76 | - kind: ServiceAccount
77 | name: default  # The `default` ServiceAccount: any pod in appconfigmgrv2-system that sets no serviceAccountName runs with this access. A dedicated ServiceAccount would be the least-privilege choice.
78 | namespace: appconfigmgrv2-system
79 | ---
80 | apiVersion: rbac.authorization.k8s.io/v1
81 | kind: RoleBinding  # Grants the read/write Role.
82 | metadata:
83 | name: appconfigmgrv2-system-update-webhook-auth-rb
84 | roleRef:
85 | apiGroup: rbac.authorization.k8s.io
86 | kind: Role
87 | name: appconfigmgrv2-system-update-webhook-auth
88 | subjects:
89 | - kind: ServiceAccount
90 | name: default  # Same subject as the validate binding, so one identity holds both Roles; the split separates duties only if the Roles are bound to different ServiceAccounts.
91 | namespace: appconfigmgrv2-system
92 |
93 |
94 |
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-secrets-k8s/default-deny-all.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | # NOTE(review): despite its name this policy is not a pure deny-all. It selects
22 | # every pod in the namespace and admits ingress from any namespace labelled
23 | # devtest: "true"; other ingress is dropped. No policyTypes or egress rules are
24 | # given, so egress is left unrestricted. Whoever can set that label on a
25 | # namespace gains network reach to these pods, so label changes need guarding.
26 | apiVersion: networking.k8s.io/v1
27 | kind: NetworkPolicy
28 | metadata:
29 |   name: default-deny-all
30 | spec:
31 |   podSelector: {}
32 |   ingress:
33 |     - from:
34 |         - namespaceSelector:
35 |             matchLabels:
36 |               devtest: "true"
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-secrets-k8s/namespace.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | # Namespace for the uc-secrets-k8s use case.
22 | apiVersion: v1
23 | kind: Namespace
24 | metadata:
25 |   name: uc-secrets-k8s
26 |   labels:
27 |     # NOTE(review): presumably the opt-in label matched by the appconfig
28 |     # mutating pod webhook - confirm against the webhook's namespaceSelector.
29 |     mutating-create-update-pod-appconfig-cft-dev: "enabled"
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-secrets-vault-k8s/app-rbac.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
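18 | # Deployer Role for the uc-secrets-vault-k8s namespace and its RoleBinding.
19 | apiVersion: rbac.authorization.k8s.io/v1
20 | kind: Role
21 | metadata:
22 |   name: app-rbac-deploy
23 |   namespace: uc-secrets-vault-k8s
24 | rules:
25 |   # Read-only access to configuration objects.
26 |   # NOTE(review): get/list on secrets returns the value of every Secret in the
27 |   # namespace; narrow with resourceNames if only specific Secrets are needed.
28 |   - apiGroups: [""]
29 |     resources: ["secrets", "configmaps", "serviceaccounts"]
30 |     verbs: ["get", "list"]
31 |   # NOTE(review): pod create lets the holder run a pod under any
32 |   # ServiceAccount of this namespace and mount its Secrets, so this grant is
33 |   # wider than the read-only rule above suggests.
34 |   - apiGroups: [""]
35 |     resources: ["pods"]
36 |     verbs: ["get", "list", "create", "update"]
37 |   # Deployments are served by the "apps" API group. Listed under the core
38 |   # group ("") the grant matched no resource, so deploys were denied.
39 |   - apiGroups: ["apps"]
40 |     resources: ["deployments"]
41 |     verbs: ["get", "list", "create", "update"]
42 | ---
43 | apiVersion: rbac.authorization.k8s.io/v1
44 | kind: RoleBinding
45 | metadata:
46 |   name: app-rbac-deploy-rb
47 |   namespace: uc-secrets-vault-k8s
48 | roleRef:
49 |   apiGroup: rbac.authorization.k8s.io
50 |   kind: Role
51 |   name: app-rbac-deploy
52 | subjects:
53 |   # NOTE(review): sa.yaml in this directory declares uc-secrets-vault-k8s-ksa;
54 |   # no ServiceAccount named uc-secrets-vault-k8s is visible - confirm that
55 |   # this subject exists and is the intended one.
56 |   - kind: ServiceAccount
57 |     name: uc-secrets-vault-k8s
58 |     namespace: uc-secrets-vault-k8s
59 |   # Deployer identity, given as a GCP service-account e-mail.
60 |   - kind: User
61 |     name: deployer-uc-secrets-vault-k8s@anthos-crd-v1-dev-t2.google.com.iam.gserviceaccount.com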
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-secrets-vault-k8s/appconfig.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 | apiVersion: appconfigmgr.cft.dev/v1alpha1
19 | kind: AppEnvConfigTemplateV2
20 | metadata:
21 | name: "app-secrets-vault-k8s"
22 | namespace: "uc-secrets-vault-k8s"
23 | spec:
24 | auth:
25 | gcpAccess:
26 | accessType: "vault"  # NOTE(review): presumably selects Vault-brokered GCP credentials - confirm against the CRD
27 | vaultInfo:
28 | serviceAccount: "uc-secrets-vault-k8s-ksa"  # same name as the ServiceAccount declared in sa.yaml of this directory
29 | path: "gcp-app-crd-vault"
30 | roleset: "uc-secrets-vault-k8s"  # NOTE(review): the roleset's GCP permissions live in Vault, not here - review them there
31 | services:
32 | - name: "appconfigv2-service-sm-1"
33 | deploymentApp: "hello-app-sm-py-1"
34 | deploymentPort: 8080
35 | servicePort: 80
36 | deploymentPortProtocol: "TCP"
37 | allowedClients:  # NOTE(review): reads as the per-service caller allow-list; how it is enforced is not shown in this file
38 | - name: "hello-app-sm-py-2"
39 | - name: "appconfigv2-service-sm-2"
40 | deploymentApp: "hello-app-sm-py-2"
41 | deploymentPort: 8080
42 | servicePort: 80
43 | deploymentPortProtocol: "TCP"
44 | allowedClients:
45 | - name: "hello-app-sm-py-4"
46 | - name: "appconfigv2-service-sm-3"
47 | deploymentApp: "hello-app-sm-py-3"  # not named in any allowedClients list of this file
48 | deploymentPort: 8080
49 | servicePort: 80
50 | deploymentPortProtocol: "TCP"
51 | allowedClients:
52 | - name: "hello-app-sm-py-4"
53 | - name: "appconfigv2-service-sm-4"
54 | deploymentApp: "hello-app-sm-py-4"
55 | deploymentPort: 8080
56 | servicePort: 80
57 | deploymentPortProtocol: "TCP"
58 | allowedClients:
59 | - name: "hello-app-sm-py-1"
60 | - name: "hello-app-sm-py-2"
61 | - name: "appconfigv2-service-pubsub"
62 | deploymentApp: "hello-app-pubsub"
63 | deploymentPort: 8000  # the only service here whose deploymentPort is not 8080
64 | servicePort: 80
65 | deploymentPortProtocol: "TCP"
66 | allowedClients:
67 | - name: "hello-app-sm-py-1"
68 |
69 |
70 |
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-secrets-vault-k8s/default-deny-all.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | # NOTE(review): despite its name this policy is not a pure deny-all. It selects
22 | # every pod in the namespace and admits ingress from any namespace labelled
23 | # devtest: "true"; other ingress is dropped. No policyTypes or egress rules are
24 | # given, so egress is left unrestricted. Whoever can set that label on a
25 | # namespace gains network reach to these pods, so label changes need guarding.
26 | apiVersion: networking.k8s.io/v1
27 | kind: NetworkPolicy
28 | metadata:
29 |   name: default-deny-all
30 | spec:
31 |   podSelector: {}
32 |   ingress:
33 |     - from:
34 |         - namespaceSelector:
35 |             matchLabels:
36 |               devtest: "true"
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-secrets-vault-k8s/namespace.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 | # Namespace for the uc-secrets-vault-k8s use case.
20 | apiVersion: v1
21 | kind: Namespace
22 | metadata:
23 |   name: uc-secrets-vault-k8s
24 |   labels:
25 |     # NOTE(review): presumably the opt-in label matched by the appconfig
26 |     # mutating pod webhook - confirm against the webhook's namespaceSelector.
27 |     mutating-create-update-pod-appconfig-cft-dev: "enabled"
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-secrets-vault-k8s/sa.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 | # Kubernetes ServiceAccount for the uc-secrets-vault-k8s workloads; the
20 | # appconfig.yaml of this directory names it under vaultInfo.serviceAccount.
21 | # NOTE(review): no RoleBinding in this directory names this account; confirm
22 | # what it is allowed to do beyond the Vault login.
23 | apiVersion: v1
24 | kind: ServiceAccount
25 | metadata:
26 |   name: uc-secrets-vault-k8s-ksa
27 |   namespace: uc-secrets-vault-k8s
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-workload-identity/appconfig.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 | apiVersion: appconfigmgr.cft.dev/v1alpha1
20 | kind: AppEnvConfigTemplateV2
21 | metadata:
22 | name: workload-identity
23 | namespace: uc-workload-identity
24 | spec:
25 | services:
26 | - name: pubsub-app
27 | deploymentApp: pubsub-app
28 | deploymentPort: 8000
29 | servicePort: 8000
30 | deploymentPortProtocol: TCP
31 | allowedClients:
32 | - name: istio-system/istio-ingressgateway  # the only client listed; written as namespace/name
33 | serviceAccount: k8s-pubsuber  # NOTE(review): nesting is lost in this listing, and no ServiceAccount manifest for k8s-pubsuber sits in this directory - confirm where it is created and what it is bound to
34 |
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-workload-identity/default-deny-all.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | # NOTE(review): despite its name this policy is not a pure deny-all. It selects
22 | # every pod in the namespace and admits ingress from any namespace labelled
23 | # devtest: "true"; other ingress is dropped. No policyTypes or egress rules are
24 | # given, so egress is left unrestricted. Whoever can set that label on a
25 | # namespace gains network reach to these pods, so label changes need guarding.
26 | apiVersion: networking.k8s.io/v1
27 | kind: NetworkPolicy
28 | metadata:
29 |   name: default-deny-all
30 | spec:
31 |   podSelector: {}
32 |   ingress:
33 |     - from:
34 |         - namespaceSelector:
35 |             matchLabels:
36 |               devtest: "true"
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd-examples/config-management-root/namespaces/use-cases/uc-workload-identity/namespace.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 | # Namespace for the uc-workload-identity use case.
20 | apiVersion: v1
21 | kind: Namespace
22 | metadata:
23 |   name: uc-workload-identity
24 |   labels:
25 |     # NOTE(review): presumably the opt-in label matched by the appconfig
26 |     # mutating pod webhook - confirm against the webhook's namespaceSelector.
27 |     mutating-create-update-pod-appconfig-cft-dev: "enabled"
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd/config-management-root/cluster/controller-setup-helper-rbac.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | # Cluster-wide permissions for the controller setup helper, followed by the
22 | # binding that grants them to its ServiceAccount in appconfigmgrv2-system.
23 | apiVersion: rbac.authorization.k8s.io/v1
24 | kind: ClusterRole
25 | metadata:
26 |   name: controller-setup-helper-cluster-role
27 | rules:
28 |   # Register and update the admission webhooks.
29 |   # NOTE(review): patch applies to every webhook configuration in the cluster;
30 |   # resourceNames can limit get/patch to this project's own objects (create
31 |   # cannot be limited that way).
32 |   - apiGroups: ["admissionregistration.k8s.io"]
33 |     resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
34 |     verbs: ["get", "create", "patch"]
35 |   # NOTE(review): create on CSRs together with update on the approval
36 |   # subresource lets this one identity request and approve its own
37 |   # certificates - confirm that is intended and audit CSR approvals.
38 |   - apiGroups: ["certificates.k8s.io"]
39 |     resources: ["certificatesigningrequests"]
40 |     verbs: ["create", "get", "delete"]
41 |   - apiGroups: ["certificates.k8s.io"]
42 |     resources: ["certificatesigningrequests/approval"]
43 |     verbs: ["update"]
44 |   # NOTE(review): bound through a ClusterRoleBinding, so this reaches Secrets
45 |   # in every namespace. A namespaced Role and RoleBinding would confine it if
46 |   # the helper only writes its webhook key material in one namespace.
47 |   - apiGroups: [""]
48 |     resources: ["secrets"]
49 |     verbs: ["create", "get", "patch"]
50 |   - apiGroups: [""]
51 |     resources: ["configmaps"]
52 |     verbs: ["get"]
53 | ---
54 | apiVersion: rbac.authorization.k8s.io/v1
55 | kind: ClusterRoleBinding
56 | metadata:
57 |   name: controller-setup-helper-cluster-role-binding
58 | roleRef:
59 |   apiGroup: rbac.authorization.k8s.io
60 |   kind: ClusterRole
61 |   name: controller-setup-helper-cluster-role
62 | subjects:
63 |   - kind: ServiceAccount
64 |     name: controller-setup-helper-service-account
65 |     namespace: appconfigmgrv2-system
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd/config-management-root/cluster/vault-setup.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
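18 | # Grants the vault-auth ServiceAccount the built-in system:auth-delegator
19 | # ClusterRole, which allows delegated TokenReview and SubjectAccessReview
20 | # calls against the API server.
21 | # Uses rbac.authorization.k8s.io/v1; the v1beta1 version of this API was
22 | # removed in Kubernetes 1.22.
23 | apiVersion: rbac.authorization.k8s.io/v1
24 | kind: ClusterRoleBinding
25 | metadata:
26 |   # ClusterRoleBinding is cluster-scoped, so no metadata.namespace is set.
27 |   name: role-tokenreview-binding
28 | roleRef:
29 |   apiGroup: rbac.authorization.k8s.io
30 |   kind: ClusterRole
31 |   name: system:auth-delegator
32 | subjects:
33 |   # NOTE(review): this account's token can validate any bearer token
34 |   # presented to it; treat it as sensitive and keep it dedicated to Vault.
35 |   - kind: ServiceAccount
36 |     name: vault-auth
37 |     namespace: appconfigmgrv2-system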
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd/config-management-root/namespaces/appconfigmgrv2-system/controller-setup-helper.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
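21 | # ServiceAccount the setup helper runs as. controller-setup-helper-rbac.yaml
22 | # binds it to a ClusterRole covering webhook configurations, CSR approval and
23 | # Secrets, so it is a high-privilege identity.
24 | apiVersion: v1
25 | kind: ServiceAccount
26 | metadata:
27 |   name: controller-setup-helper-service-account
28 | ---
29 | # apps/v1 replaces apps/v1beta1, which has not been served since
30 | # Kubernetes 1.16, and makes spec.selector mandatory.
31 | apiVersion: apps/v1
32 | kind: Deployment
33 | metadata:
34 |   name: controller-setup-helper
35 |   labels:
36 |     app: controller-setup-helper
37 | spec:
38 |   replicas: 1
39 |   # The selector is immutable. A Deployment created earlier through
40 |   # apps/v1beta1 received a defaulted selector and may have to be recreated.
41 |   selector:
42 |     matchLabels:
43 |       app: controller-setup-helper
44 |   template:
45 |     metadata:
46 |       labels:
47 |         app: controller-setup-helper
48 |         # NOTE(review): label says v1.0.11 while the image tag below is
49 |         # v1.1.4 - confirm which one is current.
50 |         version: v1.0.11
51 |     spec:
52 |       serviceAccountName: controller-setup-helper-service-account
53 |       containers:
54 |         - name: controller-setup-helper
55 |           # NOTE(review): a tag can be repointed after review; pinning by
56 |           # digest (image@sha256:<DIGEST>) fixes the exact content that runs
57 |           # with this ServiceAccount's cluster-wide rights.
58 |           image: gcr.io/anthos-appconfig/appconfigmonitor-init:v1.1.4
59 |           command: ["sh", "generate-keys-webhook.sh"]
60 |           # NOTE(review): tty is normally only needed for interactive
61 |           # sessions - confirm the script requires it. No securityContext or
62 |           # resource limits are set on this container.
63 |           tty: true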
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd/config-management-root/namespaces/appconfigmgrv2-system/crd_roles_separation_of_duties.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | # Read/write access to Secrets, bound to the `default` ServiceAccount of
22 | # appconfigmgrv2-system. Neither object sets metadata.namespace, so the
23 | # namespace comes from where the manifest is applied.
24 | #
25 | # NOTE(review): every pod in appconfigmgrv2-system that sets no
26 | # serviceAccountName runs as `default` and so inherits this grant. Binding the
27 | # Role to a dedicated ServiceAccount keeps Secret write access to the one
28 | # workload that needs it.
29 | apiVersion: rbac.authorization.k8s.io/v1
30 | kind: Role
31 | metadata:
32 |   name: appconfigmgrv2-system-update
33 | rules:
34 |   - apiGroups: [""]
35 |     resources: ["secrets"]
36 |     verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
37 |   # NOTE(review): Secrets have no status subresource, so this rule looks like
38 |   # scaffold residue that grants nothing - confirm and drop.
39 |   - apiGroups: [""]
40 |     resources: ["secrets/status"]
41 |     verbs: ["get", "update", "patch"]
42 | ---
43 | apiVersion: rbac.authorization.k8s.io/v1
44 | kind: RoleBinding
45 | metadata:
46 |   name: appconfigmgrv2-system-update-rb
47 | roleRef:
48 |   apiGroup: rbac.authorization.k8s.io
49 |   kind: Role
50 |   name: appconfigmgrv2-system-update
51 | subjects:
52 |   - kind: ServiceAccount
53 |     name: default
54 |     namespace: appconfigmgrv2-system
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd/config-management-root/namespaces/appconfigmgrv2-system/namespace.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | # System namespace that holds the controller setup helper and the vault-auth
22 | # ServiceAccount.
23 | apiVersion: v1
24 | kind: Namespace
25 | metadata:
26 |   name: appconfigmgrv2-system
27 |   labels:
28 |     # NOTE(review): purpose of this label is not shown in this listing;
29 |     # presumably a selector target for the controller - confirm.
30 |     appconfigmgr-system-crd: "true"
--------------------------------------------------------------------------------
/anthos-config-management/acm-crd/config-management-root/namespaces/appconfigmgrv2-system/vault-setup.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 | # ServiceAccount that cluster/vault-setup.yaml binds to the
19 | # system:auth-delegator ClusterRole.
20 | # NOTE(review): keep this account dedicated to that purpose; its token can be
21 | # used for delegated token reviews.
22 | apiVersion: v1
23 | kind: ServiceAccount
24 | metadata:
25 |   name: vault-auth
26 |   namespace: appconfigmgrv2-system
--------------------------------------------------------------------------------
/anthos-config-management/acm/config-management-config-example.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | # config-management.yaml
22 | # NOTE(review): clusterName, syncRepo and syncBranch are empty and policyDir has an empty path segment ("env//"); this looks like a template rendered with unset variables - fill them in before applying.
23 | apiVersion: configmanagement.gke.io/v1
24 | kind: ConfigManagement
25 | metadata:
26 | name: config-management
27 | namespace: config-management-system
28 | spec:
29 | # clusterName is required and must be unique among all managed clusters
30 | clusterName: ""
31 | git:
32 | syncRepo:
33 | syncBranch:
34 | secretType: ssh  # NOTE(review): assumes the SSH key is supplied separately as a cluster Secret; a read-only deploy key limits the impact of a leak
35 | policyDir: "env//config-management-root"
--------------------------------------------------------------------------------
/anthos-config-management/acm/config-management-root/clusterregistry/cluster-registry-cluster-info.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | kind: Cluster
22 | apiVersion: clusterregistry.k8s.io/v1alpha1
23 | metadata:
24 | name:  # NOTE(review): empty in this listing; presumably filled in per cluster before use
25 |
--------------------------------------------------------------------------------
/anthos-config-management/acm/config-management-root/system/README.md:
--------------------------------------------------------------------------------
1 | Copyright 2019 Google LLC
2 |
3 | Licensed under the Apache License, Version 2.0 (the "License");
4 | you may not use this file except in compliance with the License.
5 | You may obtain a copy of the License at
6 |
7 | http://www.apache.org/licenses/LICENSE-2.0
8 |
9 | Unless required by applicable law or agreed to in writing, software
10 | distributed under the License is distributed on an "AS IS" BASIS,
11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | See the License for the specific language governing permissions and
13 | limitations under the License.
14 | # System
15 |
16 | This directory contains system configs such as the repo version and how resources are synced.
17 |
--------------------------------------------------------------------------------
/anthos-config-management/acm/config-management-root/system/repo.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | apiVersion: configmanagement.gke.io/v1
22 | kind: Repo
23 | metadata:
24 | creationTimestamp: null  # NOTE(review): this field and the status block below look like serializer output rather than hand-written config - confirm they are needed
25 | name: repo
26 | spec:
27 | version: 0.1.0
28 | status:
29 | import:
30 | lastUpdate: null
31 | source: {}
32 | sync:
33 | lastUpdate: null
34 |
--------------------------------------------------------------------------------
/anthos-config-management/config-management-config-example.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | # config-management.yaml
22 | # NOTE(review): the ${ACM_CLUSTER_REGISTRY_NAME} and ${ACM_CONFIG_ROOT} placeholders are presumably substituted before this is applied; syncRepo is empty and must be set as well.
23 | apiVersion: configmanagement.gke.io/v1
24 | kind: ConfigManagement
25 | metadata:
26 | name: config-management
27 | namespace: config-management-system
28 | spec:
29 | # clusterName is required and must be unique among all managed clusters
30 | clusterName: "${ACM_CLUSTER_REGISTRY_NAME}"
31 | git:
32 | syncRepo:
33 | syncBranch: stage  # whoever can push to this branch changes what every synced cluster applies - protect the branch
34 | secretType: ssh  # NOTE(review): assumes the SSH key is supplied separately as a cluster Secret; a read-only deploy key limits the impact of a leak
35 | policyDir: "${ACM_CONFIG_ROOT}/config-management-root"
--------------------------------------------------------------------------------
/anthos-config-management/gatekeeper-config/config.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
# Gatekeeper Config: spec.sync.syncOnly lists the kinds Gatekeeper replicates
# into its cache, so that policies can look at objects that already exist in
# the cluster and not only at the object under admission.
apiVersion: config.gatekeeper.sh/v1alpha1
kind: Config
metadata:
  name: config
  namespace: "gatekeeper-system"
spec:
  sync:
    syncOnly:
      # Core-group Namespaces.
      - group: ""
        version: "v1"
        kind: "Namespace"
      # The AppEnvConfigTemplateV2 custom resource; the constraint in
      # constraints.yaml matches this same group and kind.
      - group: "appconfigmgr.cft.dev"
        version: "v1alpha1"
        kind: "AppEnvConfigTemplateV2"
32 |
--------------------------------------------------------------------------------
/anthos-config-management/gatekeeper-config/constraints.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
# Gatekeeper constraint of kind AppConfigNamespaceLimit, applied to
# AppEnvConfigTemplateV2 objects. The ConstraintTemplate that defines this kind
# (and its Rego) is not part of this file.
# NOTE(review): the name suggests a limit of one AppEnvConfigTemplateV2 per
# namespace; confirm against the template. No enforcementAction is set, so
# Gatekeeper's default action applies.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AppConfigNamespaceLimit
metadata:
  name: max-one-appconfig
spec:
  match:
    kinds:
      - apiGroups: ["appconfigmgr.cft.dev"]
        kinds: ["AppEnvConfigTemplateV2"]
27 |
--------------------------------------------------------------------------------
/appconfigmgrv2/.gitignore:
--------------------------------------------------------------------------------
1 |
2 | # Binaries for programs and plugins
3 | *.exe
4 | *.exe~
5 | *.dll
6 | *.so
7 | *.dylib
8 | bin
9 |
10 | # Test binary, build with `go test -c`
11 | *.test
12 |
13 | # Output of the go coverage tool, specifically when used with LiteIDE
14 | *.out
15 |
16 | # Kubernetes Generated files - skip generated files, except for vendored files
17 |
18 | !vendor/**/zz_generated.*
19 |
20 | # editor and IDE paraphernalia
21 | .idea
22 | *.swp
23 | *.swo
24 | *~
25 |
26 | **/.private
27 | **/*.iml
28 |
29 | **/.DS_Store
30 |
31 | config/generated/
32 |
--------------------------------------------------------------------------------
/appconfigmgrv2/Dockerfile:
--------------------------------------------------------------------------------
# Build the manager binary
# NOTE(review): the builder image is pinned by tag only. A tag can be re-pointed
# upstream; for a reproducible build pin it by digest as well, e.g.
# golang:1.12.5@sha256:<DIGEST_PLACEHOLDER>.
FROM golang:1.12.5 as builder

WORKDIR /workspace
# Copy the Go Modules manifests
COPY go.mod go.mod
COPY go.sum go.sum
# cache deps before building and copying source so that we don't need to re-download as much
# and so that source changes don't invalidate our downloaded layer
RUN go mod download

# Copy the go source
COPY main.go main.go
COPY api/ api/
COPY controllers/ controllers/

# Build
# CGO_ENABLED=0 yields a statically linked binary, which is what allows it to
# run on the distroless/static image used for the final stage.
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o manager main.go

# Use distroless as minimal base image to package the manager binary
# Refer to https://github.com/GoogleContainerTools/distroless for more details
# NOTE(review): ":latest" is a floating tag, so two builds of the same commit
# can ship different base layers. Pin a digest
# (gcr.io/distroless/static@sha256:<DIGEST_PLACEHOLDER>) and update it deliberately.
# NOTE(review): there is no USER instruction, so the manager runs as the image's
# default user (root for this distroless tag). config/default/manager_webhook_patch.yaml
# exposes containerPort 443, so switching to a non-root user presumably also
# needs a non-privileged webhook port; confirm before changing.
FROM gcr.io/distroless/static:latest
WORKDIR /
COPY --from=builder /workspace/manager .
ENTRYPOINT ["/manager"]
26 |
--------------------------------------------------------------------------------
/appconfigmgrv2/Makefile:
--------------------------------------------------------------------------------
1 |
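# Image URL to use all building/pushing image targets
# NOTE(review): the default is a floating ":latest" tag; pass an immutable
# reference (unique tag or name@sha256:<DIGEST_PLACEHOLDER>) for anything that
# gets deployed.
IMG ?= controller:latest
# Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
CRD_OPTIONS ?= "crd:trivialVersions=true"


all: manager

# Run tests
test: generate fmt vet manifests
	go test ./api/... ./controllers/... -cover -coverprofile cover.out

# Build manager binary
manager: generate fmt vet
	go build -o bin/manager main.go

# Run against the configured Kubernetes cluster in ~/.kube/config
run: generate fmt vet
	go run ./main.go

# Install CRDs into a cluster
install: manifests
	kubectl apply -f config/crd/bases
	kubectl apply -f config/opa

# Deploy controller in the configured Kubernetes cluster in ~/.kube/config
deploy: manifests
	kubectl apply -f config/crd/bases
	kubectl apply -f config/opa
	kustomize build config/default | kubectl apply -f -


# Render config/default into a single manifest for inspection
kustomize:
	mkdir -p config/generated
	kustomize build config/default > config/generated/all.yaml

# Generate manifests e.g. CRD, RBAC etc.
manifests: controller-gen
	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases

# Run go fmt against code
fmt:
	go fmt ./...

# Run go vet against code
vet:
	go vet ./...

# Generate code
generate: controller-gen
	$(CONTROLLER_GEN) rbac:roleName=manager-role object:headerFile=./hack/boilerplate.go.txt paths=./api/...

# Build the docker image, then point the kustomize image patch at it.
# The sed expression uses '|' as its delimiter so that IMG may be a
# digest-pinned reference (name@sha256:...); with '@' as the delimiter such a
# value would terminate the expression early. "-i.bak" followed by rm works with
# both GNU and BSD sed, whereas "-i'' -e" makes BSD sed take "-e" as the backup
# suffix and leave a stray manager_image_patch.yaml-e behind.
docker-build: test
	docker build . -t ${IMG}
	@echo "updating kustomize image patch file for manager resource"
	sed -i.bak -e 's|image: .*|image: '"${IMG}"'|' ./config/default/manager_image_patch.yaml
	rm -f ./config/default/manager_image_patch.yaml.bak

# Push the docker image
docker-push:
	docker push ${IMG}

# find or download controller-gen
# download controller-gen if necessary
# The tool is fetched at a fixed version, so generated manifests do not change
# with whatever release happens to be newest.
controller-gen:
ifeq (, $(shell which controller-gen))
	go get sigs.k8s.io/controller-tools/cmd/controller-gen@v0.2.0-beta.2
CONTROLLER_GEN=$(shell go env GOPATH)/bin/controller-gen
else
CONTROLLER_GEN=$(shell which controller-gen)
endif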
73 |
--------------------------------------------------------------------------------
/appconfigmgrv2/PROJECT:
--------------------------------------------------------------------------------
1 | version: "2"
2 | domain: cft.dev
3 | repo: appconfigv2-cft-dev
4 | resources:
5 | - group: appconfigmgr
6 | version: v1alpha1
7 | kind: AppEnvConfigTemplateV2
8 |
--------------------------------------------------------------------------------
/appconfigmgrv2/README.md:
--------------------------------------------------------------------------------
1 | # Anthos AppConfig CRD
2 |
3 | ## Testing
4 |
5 | ### Integration & Unit
6 |
7 | Running unit and integration tests:
8 |
9 | ```
10 | make test
11 | ```
12 |
13 | The output will show test coverage.
14 |
15 | Integration tests are run by spinning up the Kubernetes control plane and asserting that the expected resources are created. Test isolation is accomplished by spinning up a reconciler and creating an instance of the CRD at the beginning of each test case:
16 |
17 | ```go
18 | func TestSomething(t *testing.T) {
19 | r, stop := startTestReconciler(t)
20 | defer stop()
21 | in, cleanup := createTestInstance(t, true)
22 | defer cleanup()
23 |
24 | // Assert that expected resources are created.
25 | }
26 | ```
27 |
28 | ### End-to-End
29 |
30 | End-to-end tests are defined at `$REPO_ROOT/tests`. They are written in python and executed on GCP via a cloudbuild job.
31 |
32 | ## Environment (go 1.12)
33 |
34 | ```bash
35 | cd ./appconfigmgrv2
36 | export KUBECONFIG= # for make commands that do deployment during testing locally
37 | export GO111MODULE=on
38 | export GOPATH= # - e.g. /Users/joseret/go112
39 | export PATH=$PATH:/usr/local/kubebuilder2/bin # add kubebuilder
40 | ```
41 |
42 | 1. rm go.mod and go.sum
43 | 2. go mod init
44 | 3. go get sigs.k8s.io/controller-runtime@v0.2.0-beta.2
--------------------------------------------------------------------------------
/appconfigmgrv2/api/v1alpha1/groupversion_info.go:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google LLC
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 | //
15 | // Copyright 2019 Google LLC. This software is provided as-is,
16 | // without warranty or representation for any use or purpose.
17 | //
18 |
19 | // Package v1alpha1 contains API Schema definitions for the appconfigmgr v1alpha1 API group
20 | // +kubebuilder:object:generate=true
21 | // +groupName=appconfigmgr.cft.dev
22 | package v1alpha1
23 |
24 | import (
25 | "k8s.io/apimachinery/pkg/runtime/schema"
26 | "sigs.k8s.io/controller-runtime/pkg/scheme"
27 | )
28 |
// GroupVersion is the API group and version under which the types of this
// package are registered.
var GroupVersion = schema.GroupVersion{
	Group:   "appconfigmgr.cft.dev",
	Version: "v1alpha1",
}

// SchemeBuilder collects the Go types of this package for registration under
// GroupVersion.
var SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

// AddToScheme is SchemeBuilder's AddToScheme method value; call it to add the
// types in this group-version to a given scheme.
var AddToScheme = SchemeBuilder.AddToScheme
39 |
--------------------------------------------------------------------------------
/appconfigmgrv2/api/v1alpha1/suite_test.go:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google LLC
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 | //
15 | // Copyright 2019 Google LLC. This software is provided as-is,
16 | // without warranty or representation for any use or purpose.
17 | //
18 |
19 | package v1alpha1
20 |
21 | import (
22 | "path/filepath"
23 | "testing"
24 |
25 | . "github.com/onsi/ginkgo"
26 | . "github.com/onsi/gomega"
27 |
28 | "k8s.io/client-go/kubernetes/scheme"
29 | "k8s.io/client-go/rest"
30 | "sigs.k8s.io/controller-runtime/pkg/client"
31 | "sigs.k8s.io/controller-runtime/pkg/envtest"
32 | logf "sigs.k8s.io/controller-runtime/pkg/log"
33 | "sigs.k8s.io/controller-runtime/pkg/log/zap"
34 | )
35 |
36 | // These tests use Ginkgo (BDD-style Go testing framework). Refer to
37 | // http://onsi.github.io/ginkgo/ to learn more about Ginkgo.
38 |
// Fixtures shared by the specs of this suite; BeforeSuite assigns all three.
var (
	cfg       *rest.Config
	k8sClient client.Client
	testEnv   *envtest.Environment
)
42 |
// TestAPIs is the `go test` entry point for the suite: it routes Gomega
// failures to Ginkgo's Fail and runs the "v1alpha1 Suite" specs with envtest's
// NewlineReporter added to the default reporter.
func TestAPIs(t *testing.T) {
	RegisterFailHandler(Fail)

	extraReporters := []Reporter{envtest.NewlineReporter{}}
	RunSpecsWithDefaultAndCustomReporters(t, "v1alpha1 Suite", extraReporters)
}
50 |
// Suite setup: configure an envtest environment with the CRDs from
// config/crd/bases, register this package's types with the client-go scheme,
// start the environment and build the shared client. The trailing 60 is the
// timeout (in seconds) Ginkgo grants this asynchronous node before failing it.
var _ = BeforeSuite(func(done Done) {
	logf.SetLogger(zap.LoggerTo(GinkgoWriter, true))

	By("bootstrapping test environment")
	crdBases := filepath.Join("..", "..", "config", "crd", "bases")
	testEnv = &envtest.Environment{
		CRDDirectoryPaths: []string{crdBases},
	}

	// err is declared once and reused so that cfg and k8sClient below are
	// assigned to the package-level variables rather than shadowed.
	var err error

	err = SchemeBuilder.AddToScheme(scheme.Scheme)
	Expect(err).NotTo(HaveOccurred())

	cfg, err = testEnv.Start()
	Expect(err).ToNot(HaveOccurred())
	Expect(cfg).ToNot(BeNil())

	clientOpts := client.Options{Scheme: scheme.Scheme}
	k8sClient, err = client.New(cfg, clientOpts)
	Expect(err).ToNot(HaveOccurred())
	Expect(k8sClient).ToNot(BeNil())

	close(done)
}, 60)
72 |
// Suite teardown: stop the envtest environment started in BeforeSuite and fail
// the suite if stopping it reports an error.
var _ = AfterSuite(func() {
	By("tearing down the test environment")
	stopErr := testEnv.Stop()
	Expect(stopErr).ToNot(HaveOccurred())
})
78 |
--------------------------------------------------------------------------------
/appconfigmgrv2/api/webhooks/webhook.go:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google LLC
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 | //
15 | // Copyright 2019 Google LLC. This software is provided as-is,
16 | // without warranty or representation for any use or purpose.
17 | //
18 |
19 | package webhooks
20 |
21 | import (
22 | "github.com/GoogleCloudPlatform/anthos-appconfig/appconfigmgrv2/api/webhooks/builtins"
23 | ctrl "sigs.k8s.io/controller-runtime"
24 | )
25 |
// SetupWebHooks wires this project's webhooks into mgr by delegating to
// builtins.SetupWebHook.
// NOTE(review): nothing is returned here, so a registration failure inside
// builtins cannot be surfaced to the caller; confirm how it is reported.
func SetupWebHooks(mgr ctrl.Manager) {
	builtins.SetupWebHook(mgr)
}
29 |
--------------------------------------------------------------------------------
/appconfigmgrv2/config/certmanager/certificate.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
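# The following manifests contain a self-signed issuer CR and a certificate CR.
# More documentation can be found at https://docs.cert-manager.io
# The self-signed issuer has no external trust anchor: the API server trusts the
# webhook only through the CA bundle injected from this certificate (see the
# certmanager.k8s.io/inject-ca-from annotation in the cainjection patch).
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: selfsigned-issuer
  namespace: system
spec:
  selfSigned: {}
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: serving-cert  # this name should match the CERTIFICATENAME objref in kustomization.yaml
  namespace: system
spec:
  # $(SERVICENAME) and $(NAMESPACE) will be substituted by kustomize
  commonName: $(SERVICENAME).$(NAMESPACE).svc
  # The short service name is listed as a SAN as well as the fully qualified
  # one: the API server addresses service webhooks as <service>.<namespace>.svc,
  # and TLS clients that ignore commonName verify the host name against the
  # SAN list only.
  dnsNames:
  - $(SERVICENAME).$(NAMESPACE).svc
  - $(SERVICENAME).$(NAMESPACE).svc.cluster.local
  issuerRef:
    kind: Issuer
    name: selfsigned-issuer
  # Holds the serving certificate and its private key; mounted into the manager
  # by manager_webhook_patch.yaml.
  secretName: webhook-server-cert # this secret will not be prefixed, since it's not managed by kustomize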
45 |
--------------------------------------------------------------------------------
/appconfigmgrv2/config/certmanager/kustomization.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
# Kustomize package for the webhook serving certificate. The vars below are
# the source of the $(NAMESPACE), $(SERVICENAME) and $(CERTIFICATENAME)
# placeholders used in certificate.yaml and in the CRD CA-injection patch.
resources:
- certificate.yaml

# the following config is for teaching kustomize how to do var substitution
vars:
- name: NAMESPACE # namespace of the service and the certificate CR
  objref:
    kind: Service
    version: v1
    name: webhook-service
  fieldref:
    fieldpath: metadata.namespace
- name: CERTIFICATENAME
  objref:
    kind: Certificate
    group: certmanager.k8s.io
    version: v1alpha1
    name: serving-cert # this name should match the one in certificate.yaml
- name: SERVICENAME
  objref:
    kind: Service
    version: v1
    name: webhook-service

# kustomizeconfig.yaml tells kustomize which Certificate fields may contain vars
configurations:
- kustomizeconfig.yaml
47 |
--------------------------------------------------------------------------------
/appconfigmgrv2/config/certmanager/kustomizeconfig.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | # This configuration is for teaching kustomize how to update name ref and var substitution
22 | nameReference:
23 | - kind: Issuer
24 | group: certmanager.k8s.io
25 | fieldSpecs:
26 | - kind: Certificate
27 | group: certmanager.k8s.io
28 | path: spec/issuerRef/name
29 |
30 | varReference:
31 | - kind: Certificate
32 | group: certmanager.k8s.io
33 | path: spec/commonName
34 | - kind: Certificate
35 | group: certmanager.k8s.io
36 | path: spec/dnsNames
37 |
--------------------------------------------------------------------------------
/appconfigmgrv2/config/crd/kustomization.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | # This kustomization.yaml is not intended to be run by itself,
22 | # since it depends on service name and namespace that are out of this kustomize package.
23 | # It should be run by config/default
24 | resources:
25 | - bases/appconfigmgr.cft.dev_appenvconfigtemplatev2s.yaml
26 | # +kubebuilder:scaffold:crdkustomizeresource
27 |
28 | # patches:
29 | # [WEBHOOK] patches here are for enabling the conversion webhook for each CRD
30 | # - patches/webhook_in_appenvconfigtemplatev2s.yaml
31 | # +kubebuilder:scaffold:crdkustomizewebhookpatch
32 |
33 | # [CAINJECTION] patches here are for enabling the CA injection for each CRD
34 | #- patches/cainjection_in_appenvconfigtemplatev2s.yaml
35 | # +kubebuilder:scaffold:crdkustomizecainjectionpatch
36 |
37 | # the following config is for teaching kustomize how to do kustomization for CRDs.
38 | configurations:
39 | - kustomizeconfig.yaml
40 |
--------------------------------------------------------------------------------
/appconfigmgrv2/config/crd/kustomizeconfig.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | # This file is for teaching kustomize how to substitute name and namespace reference in CRD
22 | nameReference:
23 | - kind: Service
24 | version: v1
25 | fieldSpecs:
26 | - kind: CustomResourceDefinition
27 | group: apiextensions.k8s.io
28 | path: spec/conversion/webhookClientConfig/service/name
29 |
30 | namespace:
31 | - kind: CustomResourceDefinition
32 | group: apiextensions.k8s.io
33 | path: spec/conversion/webhookClientConfig/service/namespace
34 | create: false
35 |
36 | varReference:
37 | - path: metadata/annotations
38 |
--------------------------------------------------------------------------------
/appconfigmgrv2/config/crd/patches/cainjection_in_appenvconfigtemplatev2s.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | # The following patch adds a directive for certmanager to inject CA into the CRD
22 | # CRD conversion requires k8s 1.13 or later.
23 | apiVersion: apiextensions.k8s.io/v1beta1
24 | kind: CustomResourceDefinition
25 | metadata:
26 | annotations:
27 | certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME)
28 | name: appenvconfigtemplatev2s.appconfigmgr.cft.dev
29 |
--------------------------------------------------------------------------------
/appconfigmgrv2/config/crd/patches/webhook_in_appenvconfigtemplatev2s.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | # The following patch enables conversion webhook for CRD
22 | # CRD conversion requires k8s 1.13 or later.
23 | #apiVersion: apiextensions.k8s.io/v1beta1
24 | #kind: CustomResourceDefinition
25 | #metadata:
26 | # name: appenvconfigtemplatev2s.appconfigmgr.cft.dev
27 | #spec:
28 | # conversion:
29 | # strategy: Webhook
30 | # webhookClientConfig:
31 | # # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank,
32 | # # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
33 | # caBundle: ""
34 | # service:
35 | # namespace: appconfigmgrv2-system
36 | # name: webhook-service
37 | # path: /convert
38 |
--------------------------------------------------------------------------------
/appconfigmgrv2/config/default/manager_auth_proxy_patch.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
# This patch injects a sidecar container, an HTTP proxy for the controller manager,
# that performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: controller-manager
  namespace: system
spec:
  template:
    spec:
      containers:
      - name: kube-rbac-proxy
        # NOTE(review): pinned by tag only; append a digest
        # (@sha256:<DIGEST_PLACEHOLDER>) to make the sidecar image immutable.
        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0
        args:
        # TLS listener on all pod interfaces.
        - "--secure-listen-address=0.0.0.0:8443"
        # Requests are forwarded to the manager's loopback-only metrics endpoint.
        - "--upstream=http://127.0.0.1:8080/"
        - "--logtostderr=true"
        # NOTE(review): --v=10 is a very high log verbosity. Request-level detail
        # may end up in the sidecar's logs at this level; confirm that no
        # credentials are logged and lower it outside of debugging.
        - "--v=10"
        ports:
        - containerPort: 8443
          name: https
      - name: manager
        args:
        # Metrics are bound to loopback, so from outside the pod they are
        # reachable only through the proxy above.
        - "--metrics-addr=127.0.0.1:8080"
45 |
--------------------------------------------------------------------------------
/appconfigmgrv2/config/default/manager_image_patch.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
# Sets the manager container image. The image: line is rewritten by the
# docker-build target of the Makefile.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: controller-manager
  namespace: system
spec:
  template:
    spec:
      containers:
      # Change the value of image field below to your controller image URL
      # NOTE(review): the tag carries a build timestamp but is still a tag; add a
      # digest (@sha256:<DIGEST_PLACEHOLDER>) if the deployed image must be immutable.
      - image: gcr.io/anthos-appconfig/appconfigtemplatev2_controller:v2.1.0-20190710-234948
        name: manager
        env:
        # NOTE(review): how the controller uses these two values is not visible
        # here. If they select images the controller deploys, "latest-dev" is a
        # floating tag and does not match the pinned image above; confirm.
        - name: CONTROLLER_REGISTRY
          value: "gcr.io/anthos-appconfig"
        - name: CONTROLLER_BUILD
          value: "latest-dev"
38 |
--------------------------------------------------------------------------------
/appconfigmgrv2/config/default/manager_image_patch.yaml-e:
--------------------------------------------------------------------------------
# NOTE(review): this "-e" file looks like a backup left behind by the
# `sed -i'' -e ...` call in the Makefile's docker-build target (BSD sed takes
# "-e" as the backup suffix). It names an older image tag than
# manager_image_patch.yaml. Presumably it is unused and can be deleted; confirm
# that no kustomization references it.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: controller-manager
  namespace: system
spec:
  template:
    spec:
      containers:
      # Change the value of image field below to your controller image URL
      - image: gcr.io/anthos-appconfig/appconfigtemplatev2_controller:v2.0.0-20190626-111547
        name: manager
13 |
--------------------------------------------------------------------------------
/appconfigmgrv2/config/default/manager_prometheus_metrics_patch.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
# This patch enables Prometheus scraping for the manager pod.
# NOTE(review): this declares port 8080 on the manager container itself, so
# metrics served there are not covered by the kube-rbac-proxy authorization
# check. manager_auth_proxy_patch.yaml instead binds metrics to 127.0.0.1:8080
# behind the proxy. Presumably only one of the two patches is meant to be
# enabled; confirm in config/default/kustomization.yaml.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: controller-manager
  namespace: system
spec:
  template:
    metadata:
      annotations:
        prometheus.io/scrape: 'true'
    spec:
      containers:
      # Expose the prometheus metrics on default port
      - name: manager
        ports:
        - containerPort: 8080
          name: metrics
          protocol: TCP
40 |
--------------------------------------------------------------------------------
/appconfigmgrv2/config/default/manager_webhook_patch.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | apiVersion: apps/v1  # Kustomize patch: adds the webhook port and its TLS certificate mount to the manager container
22 | kind: Deployment
23 | metadata:
24 | name: controller-manager
25 | namespace: system
26 | spec:
27 | template:
28 | spec:
29 | containers:
30 | - name: manager
31 | ports:
32 | - containerPort: 443  # NOTE(review): port below 1024 and no securityContext is visible here; confirm which user/capabilities the manager needs to bind it
33 | name: webhook-server
34 | protocol: TCP
35 | volumeMounts:
36 | - mountPath: /tmp/k8s-webhook-server/serving-certs
37 | name: cert
38 | readOnly: true  # certificate material is mounted read-only
39 | volumes:
40 | - name: cert
41 | secret:
42 | defaultMode: 420  # decimal 420 = octal 0644; NOTE(review): the Secret presumably holds the TLS private key, so consider a tighter mode if the container user allows
43 | secretName: webhook-server-cert
44 |
--------------------------------------------------------------------------------
/appconfigmgrv2/config/default/webhookcainjection_patch.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | # This patch adds the CA-injection annotation to both admission webhook configurations;
22 | # the variables $(NAMESPACE) and $(CERTIFICATENAME) will be substituted by kustomize.
23 | apiVersion: admissionregistration.k8s.io/v1beta1  # NOTE(review): v1beta1 of this API was removed in Kubernetes 1.22; newer clusters need admissionregistration.k8s.io/v1
24 | kind: MutatingWebhookConfiguration
25 | metadata:
26 | name: mutating-webhook-configuration
27 | annotations:
28 | certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME)  # legacy cert-manager annotation domain (later releases use cert-manager.io); names the Certificate whose CA is injected
29 | ---
30 | apiVersion: admissionregistration.k8s.io/v1beta1
31 | kind: ValidatingWebhookConfiguration
32 | metadata:
33 | name: validating-webhook-configuration
34 | annotations:
35 | certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME)  # same Certificate reference as the mutating configuration
36 |
--------------------------------------------------------------------------------
/appconfigmgrv2/config/default/webhookinfo_patch.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | apiVersion: admissionregistration.k8s.io/v1beta1  # Kustomize patch: scopes both pod webhooks to labelled namespaces and blanks caBundle
22 | kind: MutatingWebhookConfiguration
23 | metadata:
24 | name: mutating-webhook-configuration
25 | webhooks:
26 | - name: upod.appconfigmgr.cft.dev
27 | namespaceSelector:  # opt-in: only namespaces carrying the label below are sent to this webhook
28 | matchLabels:
29 | mutating-create-update-pod-appconfig-cft-dev: "enabled"  # NOTE(review): whoever can edit namespace labels can switch enforcement off; restrict that permission
30 | clientConfig:
31 | caBundle: ""  # left empty here; presumably filled in by CA injection (TODO confirm)
32 | ---
33 | apiVersion: admissionregistration.k8s.io/v1beta1
34 | kind: ValidatingWebhookConfiguration
35 | metadata:
36 | name: validating-webhook-configuration
37 | webhooks:
38 | - name: vpod.appconfigmgr.cft.dev
39 | namespaceSelector:
40 | matchLabels:
41 | mutating-create-update-pod-appconfig-cft-dev: "enabled"  # same label as the mutating webhook despite the "mutating-" prefix, so both are toggled together
42 | clientConfig:
43 | caBundle: ""
44 | service:
45 | name: appconfigmgrv2-webhook-service  # hard-coded service name and namespace; only this webhook overrides them in this patch
46 | namespace: appconfigmgrv2-system
--------------------------------------------------------------------------------
/appconfigmgrv2/config/manager/kustomization.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | resources:  # manifests from this directory that kustomize includes
22 | - manager.yaml
23 |
--------------------------------------------------------------------------------
/appconfigmgrv2/config/manager/manager.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | apiVersion: v1  # Namespace for the controller, followed by the Deployment that runs the manager
22 | kind: Namespace
23 | metadata:
24 | labels:
25 | control-plane: controller-manager
26 | name: system
27 | ---
28 | apiVersion: apps/v1
29 | kind: Deployment
30 | metadata:
31 | name: controller-manager
32 | namespace: system
33 | labels:
34 | control-plane: controller-manager
35 | spec:
36 | selector:
37 | matchLabels:
38 | control-plane: controller-manager
39 | replicas: 1  # NOTE(review): config/webhook sets failurePolicy: Fail on pod create/update, so this single replica being down blocks pods in the selected namespaces
40 | template:
41 | metadata:
42 | labels:
43 | control-plane: controller-manager
44 | spec:  # NOTE(review): no serviceAccountName, so the pod runs as the namespace's "default" ServiceAccount that config/rbac binds roles to; no securityContext is set either
45 | containers:
46 | - command:
47 | - /manager
48 | args:
49 | - --enable-leader-election
50 | - --v=10  # NOTE(review): very high log verbosity; confirm logs at this level cannot carry request bodies or secret material before production use
51 | image: controller:latest  # NOTE(review): mutable tag, presumably a placeholder replaced at build time; pin a versioned tag or digest for deployed clusters
52 | tty: true  # NOTE(review): a TTY is rarely needed for a controller; confirm it is required
53 | name: manager
54 | resources:
55 | limits:
56 | cpu: 100m
57 | memory: 30Mi  # tight limit; NOTE(review): an OOM-killed manager presumably also takes the webhook server offline, since the webhook patch adds its port to this container
58 | requests:
59 | cpu: 100m
60 | memory: 20Mi
61 | terminationGracePeriodSeconds: 10
62 |
--------------------------------------------------------------------------------
/appconfigmgrv2/config/opa/constraints.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 | apiVersion: constraints.gatekeeper.sh/v1beta1  # Gatekeeper constraint applied to AppEnvConfigTemplateV2 objects
19 | kind: AppConfigNamespaceLimit  # the ConstraintTemplate that defines this kind is not in this file
20 | metadata:
21 | name: max-one-appconfig  # name suggests one app config per namespace; the rule itself lives in the template, so verify there
22 | spec:  # NOTE(review): no enforcementAction is set, so Gatekeeper's default (deny) applies
23 | match:
24 | kinds:
25 | - apiGroups: ["appconfigmgr.cft.dev"]
26 | kinds: ["AppEnvConfigTemplateV2"]
27 |
--------------------------------------------------------------------------------
/appconfigmgrv2/config/rbac/auth_proxy_role.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | apiVersion: rbac.authorization.k8s.io/v1  # ClusterRole for the /metrics auth proxy: token validation and access checks only
22 | kind: ClusterRole
23 | metadata:
24 | name: proxy-role
25 | rules:
26 | - apiGroups: ["authentication.k8s.io"]
27 | resources:
28 | - tokenreviews  # create-only: submit a bearer token to the API server for validation
29 | verbs: ["create"]
30 | - apiGroups: ["authorization.k8s.io"]
31 | resources:
32 | - subjectaccessreviews  # create-only: ask whether a subject may perform an action
33 | verbs: ["create"]
34 |
--------------------------------------------------------------------------------
/appconfigmgrv2/config/rbac/auth_proxy_role_binding.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | apiVersion: rbac.authorization.k8s.io/v1  # Binds proxy-role cluster-wide to a ServiceAccount in the controller namespace
22 | kind: ClusterRoleBinding
23 | metadata:
24 | name: proxy-rolebinding
25 | roleRef:
26 | apiGroup: rbac.authorization.k8s.io
27 | kind: ClusterRole
28 | name: proxy-role
29 | subjects:
30 | - kind: ServiceAccount
31 | name: default  # NOTE(review): the namespace's default ServiceAccount; every pod there that names no other account gets this role, so prefer a dedicated ServiceAccount
32 | namespace: system
33 |
--------------------------------------------------------------------------------
/appconfigmgrv2/config/rbac/auth_proxy_service.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | apiVersion: v1  # Service that fronts the manager's metrics over HTTPS on 8443
22 | kind: Service
23 | metadata:
24 | annotations:
25 | prometheus.io/port: "8443"
26 | prometheus.io/scheme: https  # scrapers are told to use TLS on 8443
27 | prometheus.io/scrape: "true"
28 | labels:
29 | control-plane: controller-manager
30 | name: controller-manager-metrics-service
31 | namespace: system
32 | spec:
33 | ports:
34 | - name: https
35 | port: 8443
36 | targetPort: https  # named container port; NOTE(review): manager.yaml and the metrics/webhook patches declare only "metrics" and "webhook-server", so "https" must come from an auth-proxy patch; confirm it is applied
37 | selector:
38 | control-plane: controller-manager
39 |
--------------------------------------------------------------------------------
/appconfigmgrv2/config/rbac/kustomization.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | resources:  # RBAC objects for the manager, leader election and the metrics auth proxy
22 | - role.yaml
23 | - role_binding.yaml
24 | - leader_election_role.yaml
25 | - leader_election_role_binding.yaml
26 | # Comment out the following 3 lines if you want to disable
27 | # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
28 | # which protects your /metrics endpoint. NOTE(review): if disabled, make sure /metrics is not reachable without authentication.
29 | - auth_proxy_service.yaml
30 | - auth_proxy_role.yaml
31 | - auth_proxy_role_binding.yaml
32 |
--------------------------------------------------------------------------------
/appconfigmgrv2/config/rbac/leader_election_role.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | # Permissions to do leader election: a namespaced Role over ConfigMaps.
22 | apiVersion: rbac.authorization.k8s.io/v1
23 | kind: Role
24 | metadata:
25 | name: leader-election-role
26 | rules:
27 | - apiGroups:
28 | - ""
29 | resources:
30 | - configmaps  # NOTE(review): no resourceNames, so the verbs below cover every ConfigMap in the namespace, not only the election lock
31 | verbs:
32 | - get
33 | - list
34 | - watch
35 | - create
36 | - update
37 | - patch
38 | - delete
39 | - apiGroups:
40 | - ""
41 | resources:
42 | - configmaps/status
43 | verbs:
44 | - get
45 | - update
46 | - patch
47 |
--------------------------------------------------------------------------------
/appconfigmgrv2/config/rbac/leader_election_role_binding.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | apiVersion: rbac.authorization.k8s.io/v1  # Grants leader-election-role to a ServiceAccount in the controller namespace
22 | kind: RoleBinding
23 | metadata:
24 | name: leader-election-rolebinding
25 | roleRef:
26 | apiGroup: rbac.authorization.k8s.io
27 | kind: Role
28 | name: leader-election-role
29 | subjects:
30 | - kind: ServiceAccount
31 | name: default  # NOTE(review): default ServiceAccount; any pod in the namespace without its own account can write these ConfigMaps, so prefer a dedicated ServiceAccount
32 | namespace: system
33 |
--------------------------------------------------------------------------------
/appconfigmgrv2/config/rbac/role_binding.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | apiVersion: rbac.authorization.k8s.io/v1  # Binds the manager-role ClusterRole cluster-wide; its rules are defined outside this file
22 | kind: ClusterRoleBinding
23 | metadata:
24 | name: manager-rolebinding
25 | roleRef:
26 | apiGroup: rbac.authorization.k8s.io
27 | kind: ClusterRole
28 | name: manager-role
29 | subjects:
30 | - kind: ServiceAccount
31 | name: default  # NOTE(review): cluster-wide controller permissions go to the default ServiceAccount, so every pod in this namespace that names no other account inherits them; prefer a dedicated ServiceAccount
32 | namespace: system
33 |
--------------------------------------------------------------------------------
/appconfigmgrv2/config/samples/appconfigmgr_v1alpha1_appenvconfigtemplate-test-v2.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | apiVersion: appconfigmgr.cft.dev/v1alpha1  # Sample app config: egress allow-list, GCP credential source and per-service client lists
22 | kind: AppEnvConfigTemplateV2
23 | metadata:
24 | name: "appmain"
25 | namespace: "risk-services-3-istio"
26 | spec:
27 | allowedEgress:  # outbound destinations listed per egress type
28 | - type: "https"  # the controller's default config maps "https" to port 443
29 | hosts:
30 | - "pubsub.googleapis.com"
31 | - "oauth2.googleapis.com"
32 | auth:
33 | gcpAccess:
34 | accessType: "secret"  # NOTE(review): credentials come from the Secret below, presumably a long-lived key; limit who can read it and plan rotation
35 | secretInfo:
36 | name: "risk-services-3-secret"
37 | services:
38 | - name: "appconfigv2-service-sm-1"
39 | deploymentApp: "hello-app-sm-py-1"
40 | deploymentPort: 8080
41 | servicePort: 80
42 | deploymentPortProtocol: "TCP"
43 | allowedClients:  # presumably the workloads permitted to call this service
44 | - name: "hello-app-sm-py-2"
45 | - name: "appconfig-service-sm-2"  # NOTE(review): lacks the "v2" of its siblings (possibly a typo) and has no allowedClients; confirm whether that means deny-all or allow-all
46 | deploymentApp: "hello-app-sm-py-2"
47 | deploymentPort: 8080
48 | servicePort: 80
49 | deploymentPortProtocol: "TCP"
50 | - name: "appconfigv2-service-sm-3"
51 | deploymentApp: "hello-app-sm-py-3"
52 | deploymentPort: 8080
53 | servicePort: 80
54 | deploymentPortProtocol: "TCP"
55 | allowedClients:
56 | - name: "hello-app-sm-py-4"
57 | - name: "appconfigv2-service-sm-4"
58 | deploymentApp: "hello-app-sm-py-4"
59 | deploymentPort: 8080
60 | servicePort: 80
61 | deploymentPortProtocol: "TCP"
62 | allowedClients:
63 | - name: "hello-app-sm-py-1"
64 | - name: "hello-app-sm-py-2"
65 | - name: "appconfigv2-service-pubsub"
66 | deploymentApp: "hello-app-pubsub"
67 | deploymentPort: 8000
68 | servicePort: 80
69 | deploymentPortProtocol: "TCP"
70 | allowedClients:
71 | - name: "hello-app-sm-py-1"
72 |
73 |
74 |
--------------------------------------------------------------------------------
/appconfigmgrv2/config/samples/appconfigmgr_v1alpha1_appenvconfigtemplatev2.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | apiVersion: appconfigmgr.cft.dev/v1alpha1  # Sample app config: egress allow-list and per-service client lists (no auth section)
22 | kind: AppEnvConfigTemplateV2
23 | metadata:
24 | name: "appmain"
25 | namespace: "risk-services-3-istio"
26 | spec:
27 | allowedEgress:  # outbound destinations listed per egress type
28 | - type: "https"  # the controller's default config maps "https" to port 443
29 | hosts:
30 | - "pubsub.googleapis.com"
31 | - "oauth2.googleapis.com"
32 | services:
33 | - name: "appconfigv2-service-sm-1"
34 | deploymentApp: "hello-app-sm-py-1"
35 | deploymentPort: 8080
36 | servicePort: 80
37 | deploymentPortProtocol: "TCP"
38 | allowedClients:  # presumably the workloads permitted to call this service
39 | - name: "hello-app-sm-py-2"
40 | - name: "appconfig-service-sm-2"  # NOTE(review): lacks the "v2" of its siblings (possibly a typo) and has no allowedClients; confirm whether that means deny-all or allow-all
41 | deploymentApp: "hello-app-sm-py-2"
42 | deploymentPort: 8080
43 | servicePort: 80
44 | deploymentPortProtocol: "TCP"
45 | - name: "appconfigv2-service-sm-3"
46 | deploymentApp: "hello-app-sm-py-3"
47 | deploymentPort: 8080
48 | servicePort: 80
49 | deploymentPortProtocol: "TCP"
50 | allowedClients:
51 | - name: "hello-app-sm-py-4"
52 | - name: "appconfigv2-service-sm-4"
53 | deploymentApp: "hello-app-sm-py-4"
54 | deploymentPort: 8080
55 | servicePort: 80
56 | deploymentPortProtocol: "TCP"
57 | allowedClients:
58 | - name: "hello-app-sm-py-1"
59 | - name: "hello-app-sm-py-2"
60 | - name: "appconfigv2-service-pubsub"
61 | deploymentApp: "hello-app-pubsub"
62 | deploymentPort: 8000
63 | servicePort: 80
64 | deploymentPortProtocol: "TCP"
65 | allowedClients:
66 | - name: "hello-app-sm-py-1"
67 |
68 |
69 |
--------------------------------------------------------------------------------
/appconfigmgrv2/config/webhook/kustomization.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | resources:  # the webhook configurations plus the Service in front of the webhook server
22 | - manifests.yaml
23 | - service.yaml
24 |
25 | configurations:  # tells kustomize which webhook fields hold names, namespaces and vars
26 | - kustomizeconfig.yaml
27 |
--------------------------------------------------------------------------------
/appconfigmgrv2/config/webhook/kustomizeconfig.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | # The following config teaches kustomize which fields to rewrite when it substitutes names, namespaces and vars.
22 | # It requires kustomize v2.1.0 or newer to work properly.
23 | nameReference:  # a renamed Service is propagated into each webhook's clientConfig.service.name
24 | - kind: Service
25 | version: v1
26 | fieldSpecs:
27 | - kind: MutatingWebhookConfiguration
28 | group: admissionregistration.k8s.io
29 | path: webhooks/clientConfig/service/name
30 | - kind: ValidatingWebhookConfiguration
31 | group: admissionregistration.k8s.io
32 | path: webhooks/clientConfig/service/name
33 |
34 | namespace:  # the kustomize namespace is written into clientConfig.service.namespace
35 | - kind: MutatingWebhookConfiguration
36 | group: admissionregistration.k8s.io
37 | path: webhooks/clientConfig/service/namespace
38 | create: true  # add the field when the manifest does not already have it
39 | - kind: ValidatingWebhookConfiguration
40 | group: admissionregistration.k8s.io
41 | path: webhooks/clientConfig/service/namespace
42 | create: true
43 |
44 |
45 | varReference:  # fields in which $(VAR) placeholders are expanded
46 | - path: metadata/annotations
47 | - path: webhooks/clientConfig/caBundle
48 |
49 |
50 |
51 |
--------------------------------------------------------------------------------
/appconfigmgrv2/config/webhook/manifests.yaml:
--------------------------------------------------------------------------------
1 |
2 | ---
3 | apiVersion: admissionregistration.k8s.io/v1beta1  # NOTE(review): API version removed in Kubernetes 1.22; v1 additionally requires sideEffects and admissionReviewVersions
4 | kind: MutatingWebhookConfiguration
5 | metadata:
6 | creationTimestamp: null
7 | name: mutating-webhook-configuration
8 | webhooks:
9 | - clientConfig:
10 | caBundle: Cg==  # base64 of a single newline: a placeholder, not a real CA bundle
11 | service:
12 | name: webhook-service
13 | namespace: system
14 | path: /mutate-v1-pod
15 | failurePolicy: Fail  # fail closed: pod create/update is rejected when the webhook cannot be reached
16 | name: upod.appconfigmgr.cft.dev
17 | rules:  # NOTE(review): no namespaceSelector in this base, so every namespace matches unless a patch (e.g. webhookinfo_patch.yaml) narrows it; an outage could then block system pods and the manager's own restart
18 | - apiGroups:
19 | - ""
20 | apiVersions:
21 | - v1
22 | operations:
23 | - CREATE
24 | - UPDATE
25 | resources:
26 | - pods
27 |
28 | ---
29 | apiVersion: admissionregistration.k8s.io/v1beta1
30 | kind: ValidatingWebhookConfiguration
31 | metadata:
32 | creationTimestamp: null
33 | name: validating-webhook-configuration
34 | webhooks:
35 | - clientConfig:
36 | caBundle: Cg==  # same placeholder value as the mutating configuration
37 | service:
38 | name: webhook-service
39 | namespace: system
40 | path: /validate-v1-pod
41 | failurePolicy: Fail  # fail closed, with the same availability trade-off as the mutating webhook
42 | name: vpod.appconfigmgr.cft.dev
43 | rules:
44 | - apiGroups:
45 | - ""
46 | apiVersions:
47 | - v1
48 | operations:
49 | - CREATE
50 | - UPDATE
51 | resources:
52 | - pods
53 |
--------------------------------------------------------------------------------
/appconfigmgrv2/config/webhook/service.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 |
22 | apiVersion: v1  # Service named by the webhook configurations' clientConfig; forwards 443 to the manager pod
23 | kind: Service
24 | metadata:
25 | name: webhook-service
26 | namespace: system
27 | spec:
28 | ports:
29 | - port: 443
30 | targetPort: 443
31 | selector:
32 | control-plane: controller-manager  # NOTE(review): label-only selector; any pod in the namespace carrying this label would receive admission traffic
33 |
--------------------------------------------------------------------------------
/appconfigmgrv2/controllers/config.go:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google LLC
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 | //
15 | // Copyright 2019 Google LLC. This software is provided as-is,
16 | // without warranty or representation for any use or purpose.
17 | //
18 |
19 | package controllers
20 |
21 | import (
22 | istiov1a3 "istio.io/api/networking/v1alpha3"
23 | )
24 |
25 | // Config for the controller. This encompasses all knobs that control controller
26 | // behavior outside of app configs.
27 | type Config struct {
28 | // PolicyCachingInterval determines how long caches should be valid for
29 | // istio policy decisions.
30 | PolicyCachingInterval string // duration written as a string, e.g. "10s" in defaultConfig
31 | EgressTypes map[string][]*istiov1a3.Port // egress type name (e.g. "https") -> Istio port definitions for that type
32 | }
33 |
34 | var defaultConfig = Config{ // built-in defaults; how they are overridden is not shown in this file
35 | // TODO: Update this to be longer for production.
36 | PolicyCachingInterval: "10s", // NOTE(review): a longer cache presumably also delays the effect of policy changes, including revocations; weigh that when raising it
37 | EgressTypes: map[string][]*istiov1a3.Port{
38 | "https": {
39 | {
40 | Name: "https",
41 | Number: 443,
42 | Protocol: "HTTPS",
43 | },
44 | },
45 | "http": { // NOTE(review): plaintext HTTP egress on port 80; confirm it should be offered by default
46 | {
47 | Name: "http",
48 | Number: 80,
49 | Protocol: "HTTP",
50 | },
51 | },
52 | "kafka": { // one egress type opens three ports: kafka, kafka-rest and kafka-zookeeper
53 | {
54 | Name: "kafka",
55 | Number: 9092,
56 | Protocol: "TCP", // NOTE(review): 9092 is conventionally Kafka's plaintext listener; confirm transport encryption is handled elsewhere
57 | },
58 | {
59 | Name: "kafka-rest",
60 | Number: 8082,
61 | Protocol: "HTTP",
62 | },
63 | {
64 | Name: "kafka-zookeeper",
65 | Number: 2181,
66 | Protocol: "TCP",
67 | },
68 | },
69 | },
70 | }
71 |
--------------------------------------------------------------------------------
/appconfigmgrv2/controllers/ingress_test.go:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google LLC
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 | //
15 | // Copyright 2019 Google LLC. This software is provided as-is,
16 | // without warranty or representation for any use or purpose.
17 | //
18 |
19 | package controllers
20 |
21 | import (
22 | "context"
23 | "testing"
24 |
25 | "github.com/stretchr/testify/require"
26 | "k8s.io/api/extensions/v1beta1"
27 | "k8s.io/apimachinery/pkg/types"
28 | )
29 |
30 | func TestReconcileIngress(t *testing.T) { // checks that an Ingress exists for the test instance and is removed once the spec drops it
31 | r, stop := startTestReconciler(t)
32 | defer stop()
33 | in, cleanup := createTestInstance(t, testFeatureFlags{})
34 | defer cleanup()
35 |
36 | ing := ingress(in) // expected Ingress derived from the instance; used only for its name below
37 | require.NotNil(t, ing)
38 |
39 | key := types.NamespacedName{
40 | Name: ing.Name,
41 | Namespace: in.Namespace,
42 | }
43 | obj := &v1beta1.Ingress{}
44 |
45 | ctx := context.Background()
46 | retryTest(t, func() error { return r.Client.Get(ctx, key, obj) }) // retried until the Get succeeds, i.e. the Ingress has been created
47 |
48 | // Clear the ingress spec and expect the ingress to be garbage collected.
49 | noIng := in.DeepCopy() // edit a copy so the original instance value stays untouched
50 | for i := range noIng.Spec.Services {
51 | noIng.Spec.Services[i].Ingress = nil
52 | }
53 | require.NoError(t, r.Client.Update(ctx, noIng))
54 |
55 | retryTest(t, func() error { return shouldBeNotFound(r.Client.Get(ctx, key, obj)) }) // retried until the Get result passes shouldBeNotFound
56 | }
57 |
--------------------------------------------------------------------------------
/appconfigmgrv2/controllers/istio.go:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google LLC
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 | //
15 | // Copyright 2019 Google LLC. This software is provided as-is,
16 | // without warranty or representation for any use or purpose.
17 | //
18 |
19 | package controllers
20 |
21 | import "k8s.io/apimachinery/pkg/runtime/schema"
22 |
// istioTypes pairs the GroupVersionResource of each listed Istio type with its
// GroupVersionKind: handler, instance, policy, rule, service entry and
// virtual service.
var istioTypes = []struct {
	Resource schema.GroupVersionResource
	Kind     schema.GroupVersionKind
}{
	{Resource: istioHandlerGVR(), Kind: istioHandlerGVK()},
	{Resource: istioInstanceGVR(), Kind: istioInstanceGVK()},
	{Resource: istioPolicyGVR(), Kind: istioPolicyGVK()},
	{Resource: istioRuleGVR(), Kind: istioRuleGVK()},
	{Resource: istioServiceEntryGVR(), Kind: istioServiceEntryGVK()},
	{Resource: istioVirtualServiceGVR(), Kind: istioVirtualServiceGVK()},
}
52 |
--------------------------------------------------------------------------------
/appconfigmgrv2/controllers/istio_handlers_test.go:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google LLC
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 | //
15 | // Copyright 2019 Google LLC. This software is provided as-is,
16 | // without warranty or representation for any use or purpose.
17 | //
18 |
19 | package controllers
20 |
21 | import (
22 | "testing"
23 |
24 | "github.com/stretchr/testify/require"
25 | )
26 |
// TestIstioHandlers checks that istioHandlers yields one handler per service
// of an Istio-enabled test instance, that each handler exists in the cluster,
// and that none exists after removeServiceFromSpec has run for every service.
func TestIstioHandlers(t *testing.T) {
	rec, stopReconciler := startTestReconciler(t)
	defer stopReconciler()
	instance, removeInstance := createTestInstance(t, testFeatureFlags{istio: true})
	defer removeInstance()

	config, err := rec.getConfig()
	require.NoError(t, err)

	handlers, err := istioHandlers(config, instance)
	require.NoError(t, err)
	require.Len(t, handlers, len(instance.Spec.Services))

	handlerGVR := istioHandlerGVR()

	// Phase 1: every expected handler is present.
	for idx := range handlers {
		unstructuredShouldExist(t, rec.Dynamic, handlerGVR, handlers[idx])
	}

	// Phase 2: remove the services.
	// NOTE(review): the original index is passed on every iteration; whether
	// it stays valid after earlier removals depends on removeServiceFromSpec,
	// which is not visible here.
	for idx := range instance.Spec.Services {
		removeServiceFromSpec(t, rec.Client, instance, idx)
	}

	// Phase 3: the handlers must be gone, so no stale policy object remains.
	for idx := range handlers {
		unstructuredShouldNotExist(t, rec.Dynamic, handlerGVR, handlers[idx])
	}
}
54 |
--------------------------------------------------------------------------------
/appconfigmgrv2/controllers/istio_instances_test.go:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google LLC
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 | //
15 | // Copyright 2019 Google LLC. This software is provided as-is,
16 | // without warranty or representation for any use or purpose.
17 | //
18 |
19 | package controllers
20 |
21 | import (
22 | "testing"
23 |
24 | "github.com/stretchr/testify/require"
25 | )
26 |
// TestIstioInstances checks that the app-label Istio instance built for an
// Istio-enabled test instance exists in the cluster.
func TestIstioInstances(t *testing.T) {
	rec, stopReconciler := startTestReconciler(t)
	defer stopReconciler()
	instance, removeInstance := createTestInstance(t, testFeatureFlags{istio: true})
	defer removeInstance()

	instanceGVR := istioInstanceGVR()

	expected, err := istioAppLabelInstance(instance)
	require.NoError(t, err)

	// Only creation is asserted; removal of the instance is not covered here.
	unstructuredShouldExist(t, rec.Dynamic, instanceGVR, expected)
}
40 |
--------------------------------------------------------------------------------
/appconfigmgrv2/controllers/istio_rules_test.go:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google LLC
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 | //
15 | // Copyright 2019 Google LLC. This software is provided as-is,
16 | // without warranty or representation for any use or purpose.
17 | //
18 |
19 | package controllers
20 |
21 | import (
22 | "testing"
23 |
24 | "github.com/stretchr/testify/require"
25 | )
26 |
// TestIstioRules checks that istioRules yields one rule per service of an
// Istio-enabled test instance, and that each rule exists before, and is gone
// after, the service at the same index is removed from the spec.
func TestIstioRules(t *testing.T) {
	rec, stopReconciler := startTestReconciler(t)
	defer stopReconciler()
	instance, removeInstance := createTestInstance(t, testFeatureFlags{istio: true})
	defer removeInstance()

	config, err := rec.getConfig()
	require.NoError(t, err)

	rules, err := istioRules(config, instance)
	require.NoError(t, err)
	require.Len(t, rules, len(instance.Spec.Services))

	ruleGVR := istioRuleGVR()

	// NOTE(review): the index refers to the rule list built before any
	// removal; whether it still addresses the intended service after earlier
	// removals depends on removeServiceFromSpec, which is not visible here.
	for idx := range rules {
		current := rules[idx]
		unstructuredShouldExist(t, rec.Dynamic, ruleGVR, current)
		removeServiceFromSpec(t, rec.Client, instance, idx)
		unstructuredShouldNotExist(t, rec.Dynamic, ruleGVR, current)
	}
}
48 |
--------------------------------------------------------------------------------
/appconfigmgrv2/controllers/istio_service_entries_test.go:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google LLC
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 | //
15 | // Copyright 2019 Google LLC. This software is provided as-is,
16 | // without warranty or representation for any use or purpose.
17 | //
18 |
19 | package controllers
20 |
21 | import (
22 | "testing"
23 |
24 | "github.com/stretchr/testify/require"
25 | )
26 |
// TestIstioServiceEntries checks that istioServiceEntries yields one entry per
// AllowedEgress item of an Istio-enabled test instance, and that each entry
// exists before, and is gone after, the matching egress item is removed.
func TestIstioServiceEntries(t *testing.T) {
	rec, stopReconciler := startTestReconciler(t)
	defer stopReconciler()
	instance, removeInstance := createTestInstance(t, testFeatureFlags{istio: true})
	defer removeInstance()

	config, err := rec.getConfig()
	require.NoError(t, err)

	entries, err := istioServiceEntries(config, instance)
	require.NoError(t, err)
	require.Len(t, entries, len(instance.Spec.AllowedEgress))

	entryGVR := istioServiceEntryGVR()

	// Removing an allowed egress must also remove its ServiceEntry, otherwise
	// the egress would stay open after the spec no longer allows it.
	for idx := range entries {
		current := entries[idx]
		unstructuredShouldExist(t, rec.Dynamic, entryGVR, current)
		removeAllowedEgressFromSpec(t, rec.Client, instance, idx)
		unstructuredShouldNotExist(t, rec.Dynamic, entryGVR, current)
	}
}
48 |
--------------------------------------------------------------------------------
/appconfigmgrv2/controllers/istio_test.go:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google LLC
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 | //
15 | // Copyright 2019 Google LLC. This software is provided as-is,
16 | // without warranty or representation for any use or purpose.
17 | //
18 |
19 | package controllers
20 |
21 | import (
22 | "testing"
23 |
24 | "github.com/stretchr/testify/require"
25 | )
26 |
// TestIstioInstalled checks that the Istio handlers for an Istio-enabled test
// instance exist, and that none exists after every service has been removed.
//
// NOTE(review): the body is the same as TestIstioHandlers in
// istio_handlers_test.go; nothing here asserts anything specific to Istio
// being installed. Confirm whether a distinct check was intended.
func TestIstioInstalled(t *testing.T) {
	rec, stopReconciler := startTestReconciler(t)
	defer stopReconciler()
	instance, removeInstance := createTestInstance(t, testFeatureFlags{istio: true})
	defer removeInstance()

	config, err := rec.getConfig()
	require.NoError(t, err)

	handlers, err := istioHandlers(config, instance)
	require.NoError(t, err)
	require.Len(t, handlers, len(instance.Spec.Services))

	handlerGVR := istioHandlerGVR()

	// Every expected handler is present.
	for idx := range handlers {
		unstructuredShouldExist(t, rec.Dynamic, handlerGVR, handlers[idx])
	}

	// Remove each service by its index in the spec.
	for idx := range instance.Spec.Services {
		removeServiceFromSpec(t, rec.Client, instance, idx)
	}

	// No handler may remain afterwards.
	for idx := range handlers {
		unstructuredShouldNotExist(t, rec.Dynamic, handlerGVR, handlers[idx])
	}
}
54 |
--------------------------------------------------------------------------------
/appconfigmgrv2/controllers/istio_virtual_services_test.go:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google LLC
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 | //
15 | // Copyright 2019 Google LLC. This software is provided as-is,
16 | // without warranty or representation for any use or purpose.
17 | //
18 |
19 | package controllers
20 |
21 | import (
22 | "testing"
23 |
24 | "github.com/stretchr/testify/require"
25 | )
26 |
// TestIstioVirtualServices checks that istioVirtualServices yields one virtual
// service per service of an Istio-enabled test instance, and that each exists
// before, and is gone after, the service at the same index is removed.
func TestIstioVirtualServices(t *testing.T) {
	rec, stopReconciler := startTestReconciler(t)
	defer stopReconciler()
	instance, removeInstance := createTestInstance(t, testFeatureFlags{istio: true})
	defer removeInstance()

	virtualServices, err := istioVirtualServices(instance)
	require.NoError(t, err)
	require.Len(t, virtualServices, len(instance.Spec.Services))

	vsGVR := istioVirtualServiceGVR()

	for idx := range virtualServices {
		current := virtualServices[idx]
		unstructuredShouldExist(t, rec.Dynamic, vsGVR, current)
		removeServiceFromSpec(t, rec.Client, instance, idx)
		unstructuredShouldNotExist(t, rec.Dynamic, vsGVR, current)
	}
}
45 |
--------------------------------------------------------------------------------
/appconfigmgrv2/controllers/opa_constraints_test.go:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google LLC
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 | //
15 | // Copyright 2019 Google LLC. This software is provided as-is,
16 | // without warranty or representation for any use or purpose.
17 | //
18 |
19 | package controllers
20 |
21 | import (
22 | "testing"
23 | )
24 |
// TestOPAConstraints builds the deployment-label constraint for the test
// instance's namespace. It currently asserts nothing: the existence check is
// disabled (see the TODO below), so this test only proves the setup runs.
func TestOPAConstraints(t *testing.T) {
	rec, stopReconciler := startTestReconciler(t)
	defer stopReconciler()
	instance, removeInstance := createTestInstance(t, testFeatureFlags{})
	defer removeInstance()

	constraintGVR := opaConstraintGVR()
	constraint := opaDeploymentLabelConstraint([]string{instance.Namespace})

	// Keep the values referenced so the file compiles while the check is off.
	_, _, _ = rec, constraintGVR, constraint

	// TODO: Test existence of constraint. Requires dynamically generated CRD
	// to exist, something that a running Gatekeeper controller does.
	//
	//	unstructuredShouldExist(t, rec.Dynamic, constraintGVR, constraint)
}
42 |
--------------------------------------------------------------------------------
/appconfigmgrv2/controllers/vault_test.go:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google LLC
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 | //
15 | // Copyright 2019 Google LLC. This software is provided as-is,
16 | // without warranty or representation for any use or purpose.
17 | //
18 |
19 | package controllers
20 |
21 | import (
22 | "context"
23 | "testing"
24 |
25 | "github.com/GoogleCloudPlatform/anthos-appconfig/appconfigmgrv2/api/webhooks/builtins"
26 | corev1 "k8s.io/api/core/v1"
27 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
28 | "k8s.io/apimachinery/pkg/types"
29 | )
30 |
// TestReconcileVault creates the Vault CA secret in the builtins namespace and
// checks that a Secret of the same name becomes retrievable in the namespace
// of a Vault-enabled test instance.
//
// NOTE(review): only the presence of the copy is asserted. The fetched Secret
// is discarded, so the test does not compare the copied data with the source,
// and the source Secret is not deleted when the test ends.
func TestReconcileVault(t *testing.T) {
	rec, stopReconciler := startTestReconciler(t)
	defer stopReconciler()
	instance, removeInstance := createTestInstance(t, testFeatureFlags{vault: true})
	defer removeInstance()

	// Source secret; "abc" is a fixture value, not real key material.
	source := &corev1.Secret{
		ObjectMeta: metav1.ObjectMeta{
			Namespace: builtins.TODO_FIND_NAMESPACE,
			Name:      builtins.VAULT_CA_SECRET_NAME,
		},
		StringData: map[string]string{"key.json": "abc"},
	}
	retryTest(t, func() error {
		return rec.Client.Create(context.Background(), source)
	})

	// Assert that the secret gets copied into the instance namespace.
	retryTest(t, func() error {
		copyKey := types.NamespacedName{
			Name:      source.Name,
			Namespace: instance.Namespace,
		}
		return rec.Client.Get(context.Background(), copyKey, &corev1.Secret{})
	})
}
57 |
--------------------------------------------------------------------------------
/appconfigmgrv2/go.mod:
--------------------------------------------------------------------------------
// Module definition for the appconfigmgrv2 controller.
module github.com/GoogleCloudPlatform/anthos-appconfig/appconfigmgrv2

go 1.12

// NOTE(review): every pin below dates from 2019 (see the pseudo-version
// timestamps) and controller-runtime is pinned to a beta pre-release. Check
// these versions against current advisories (for example with govulncheck)
// before reusing this module.
require (
	github.com/go-logr/logr v0.1.0
	github.com/gogo/protobuf v1.3.0
	github.com/onsi/ginkgo v1.8.0
	github.com/onsi/gomega v1.5.0
	github.com/stretchr/testify v1.3.0
	golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09
	istio.io/api v0.0.0-20190930220724-33a483a29b8e
	k8s.io/api v0.0.0-20190409021203-6e4e0e4f393b
	k8s.io/apimachinery v0.0.0-20190404173353-6a84e37a896d
	k8s.io/client-go v11.0.1-0.20190409021438-1a26190bd76a+incompatible
	sigs.k8s.io/controller-runtime v0.2.0-beta.2
	sigs.k8s.io/controller-tools v0.2.1 // indirect
)
19 |
--------------------------------------------------------------------------------
/appconfigmgrv2/hack/boilerplate.go.txt:
--------------------------------------------------------------------------------
1 | /* Copyright 2019 Google LLC
2 |
3 | Licensed under the Apache License, Version 2.0 (the "License");
4 | you may not use this file except in compliance with the License.
5 | You may obtain a copy of the License at
6 |
7 | http://www.apache.org/licenses/LICENSE-2.0
8 |
9 | Unless required by applicable law or agreed to in writing, software
10 | distributed under the License is distributed on an "AS IS" BASIS,
11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | See the License for the specific language governing permissions and
13 | limitations under the License.
14 | */
--------------------------------------------------------------------------------
/appconfigmgrv2/hack/install/controller-setup-helper-rbac.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
# Cluster-wide permissions for the controller-setup-helper service account.
# NOTE(review): this is a ClusterRole bound through a ClusterRoleBinding, so
# every rule below applies in all namespaces, and no rule is narrowed with
# resourceNames. If the helper only touches its own webhook configurations and
# certificate Secret, consider naming them and moving the namespaced rules
# (secrets, configmaps) into a Role in appconfigmgrv2-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: controller-setup-helper-cluster-role
rules:
# Create or patch any admission webhook configuration. Admission webhooks see,
# and mutating ones can change, API requests, so this is a sensitive grant.
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["mutatingwebhookconfigurations"]
  verbs: ["get", "create", "patch"]
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["validatingwebhookconfigurations"]
  verbs: ["get", "create", "patch"]
# Create CSRs and (next rule) approve them: the same identity can request a
# certificate and approve its own request.
- apiGroups: ["certificates.k8s.io"]
  resources: ["certificatesigningrequests"]
  verbs: ["create", "get", "delete"]
- apiGroups: ["certificates.k8s.io"]
  resources: ["certificatesigningrequests/approval"]
  verbs: ["update"]
# Read, create and patch Secrets in every namespace.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create", "get", "patch"]
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get"]
---
# Binds the role above to the helper's service account in
# appconfigmgrv2-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: controller-setup-helper-cluster-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: controller-setup-helper-cluster-role
subjects:
- kind: ServiceAccount
  name: controller-setup-helper-service-account
  namespace: appconfigmgrv2-system
57 |
--------------------------------------------------------------------------------
/appconfigmgrv2/hack/install/controller-setup-helper.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
# Service account the setup helper runs as. No namespace is set here; the
# ClusterRoleBinding in controller-setup-helper-rbac.yaml expects it in
# appconfigmgrv2-system, so apply this manifest into that namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: controller-setup-helper-service-account
---
# Single-replica Deployment that runs generate-keys-webhook.sh from the
# appconfigmonitor-init image under the service account above.
# NOTE(review): apps/v1beta1 is a deprecated Deployment API version; apps/v1
# additionally requires spec.selector.
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: controller-setup-helper
  labels:
    app: controller-setup-helper
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: controller-setup-helper
        # NOTE(review): this label (v1.0.11) does not match the image tag
        # below (v1.1.4).
        version: v1.0.11
    spec:
      serviceAccountName: controller-setup-helper-service-account
      containers:
      # NOTE(review): no securityContext or resource limits are set for this
      # container, although its service account can write Secrets and webhook
      # configurations cluster-wide.
      - name: controller-setup-helper
        # The image is referenced by mutable tag, not by digest.
        image: gcr.io/anthos-appconfig/appconfigmonitor-init:v1.1.4
        command: ["sh", "generate-keys-webhook.sh"]
        # NOTE(review): a TTY is allocated for a non-interactive script;
        # confirm it is needed.
        tty: true
46 |
47 |
--------------------------------------------------------------------------------
/appconfigmgrv2/third_party/README.md:
--------------------------------------------------------------------------------
1 | Copyright 2019 Google LLC
2 |
3 | Licensed under the Apache License, Version 2.0 (the "License");
4 | you may not use this file except in compliance with the License.
5 | You may obtain a copy of the License at
6 |
7 | http://www.apache.org/licenses/LICENSE-2.0
8 |
9 | Unless required by applicable law or agreed to in writing, software
10 | distributed under the License is distributed on an "AS IS" BASIS,
11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | See the License for the specific language governing permissions and
13 | limitations under the License.
14 | # Third Party Files
15 |
16 | ## Istio
17 |
18 | Where CRDs came from:
19 | ```sh
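# Set the version once for the whole shell. In the original one-liner the
# assignment applied only to the piped `sh`, so $ISTIO_VERSION was empty in
# the commands that followed.
export ISTIO_VERSION=1.1.7

# NOTE(review): this runs a script fetched through a URL shortener with no
# integrity check. For vendored files, prefer downloading the release archive
# for the pinned version and verifying its published checksum before unpacking.
curl -L https://git.io/getLatestIstio | sh -

# Copy the upstream CRD files into the vendored tree (the original line was
# missing the `cp` command), then remove the download.
mkdir -p "./third_party/istio/v$ISTIO_VERSION/original-crds"
cp ./istio-"$ISTIO_VERSION"/install/kubernetes/helm/istio-init/files/* "./third_party/istio/v$ISTIO_VERSION/original-crds"
rm -rf "./istio-$ISTIO_VERSION"

# Pull any used CRDs from original-crds/ and place in separate files in crds/
# because test harness cannot handle multiple documents defined in a single
# .yaml file.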
27 | ```
28 |
--------------------------------------------------------------------------------
/appconfigmgrv2/third_party/istio/v1.1.7/crds/handler.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
# Namespaced CRD for the Mixer `handler` kind (config.istio.io/v1alpha2), kept
# under third_party/istio/v1.1.7 for the test harness.
# NOTE(review): the spec carries no validation schema, so the API server does
# not check the structure of handler objects. apiextensions.k8s.io/v1beta1 is
# a deprecated CRD API version.
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
  name: handlers.config.istio.io
  labels:
    app: mixer
    package: handler
    istio: mixer-handler
    chart: istio
    heritage: Tiller
    release: istio
  annotations:
    # Tells Helm to leave this resource in place when the release is removed.
    "helm.sh/resource-policy": keep
spec:
  group: config.istio.io
  names:
    kind: handler
    plural: handlers
    singular: handler
    categories:
    - istio-io
    - policy-istio-io
  scope: Namespaced
  version: v1alpha2
45 |
--------------------------------------------------------------------------------
/appconfigmgrv2/third_party/istio/v1.1.7/crds/instance.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
# Namespaced CRD for the Mixer `instance` kind (config.istio.io/v1alpha2), kept
# under third_party/istio/v1.1.7 for the test harness.
# NOTE(review): the spec carries no validation schema, so the API server does
# not check the structure of instance objects. apiextensions.k8s.io/v1beta1 is
# a deprecated CRD API version.
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
  name: instances.config.istio.io
  labels:
    app: mixer
    package: instance
    istio: mixer-instance
    chart: istio
    heritage: Tiller
    release: istio
  annotations:
    # Tells Helm to leave this resource in place when the release is removed.
    "helm.sh/resource-policy": keep
spec:
  group: config.istio.io
  names:
    kind: instance
    plural: instances
    singular: instance
    categories:
    - istio-io
    - policy-istio-io
  scope: Namespaced
  version: v1alpha2
45 |
--------------------------------------------------------------------------------
/appconfigmgrv2/third_party/istio/v1.1.7/crds/policy.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
# Namespaced CRD for the `Policy` kind (authentication.istio.io/v1alpha1), kept
# under third_party/istio/v1.1.7 for the test harness.
# NOTE(review): the spec carries no validation schema, so the API server does
# not check the structure of Policy objects. apiextensions.k8s.io/v1beta1 is a
# deprecated CRD API version.
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
  name: policies.authentication.istio.io
  labels:
    app: istio-citadel
    chart: istio
    heritage: Tiller
    release: istio
  annotations:
    # Tells Helm to leave this resource in place when the release is removed.
    "helm.sh/resource-policy": keep
spec:
  group: authentication.istio.io
  names:
    kind: Policy
    plural: policies
    singular: policy
    categories:
    - istio-io
    - authentication-istio-io
  scope: Namespaced
  version: v1alpha1
43 |
--------------------------------------------------------------------------------
/appconfigmgrv2/third_party/istio/v1.1.7/crds/rule.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
# Namespaced CRD for the Mixer `rule` kind (config.istio.io/v1alpha2), kept
# under third_party/istio/v1.1.7 for the test harness.
# NOTE(review): the spec carries no validation schema, so the API server does
# not check the structure of rule objects. apiextensions.k8s.io/v1beta1 is a
# deprecated CRD API version.
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
  name: rules.config.istio.io
  labels:
    app: mixer
    package: istio.io.mixer
    istio: core
    chart: istio
    heritage: Tiller
    release: istio
  annotations:
    # Tells Helm to leave this resource in place when the release is removed.
    "helm.sh/resource-policy": keep
spec:
  group: config.istio.io
  names:
    kind: rule
    plural: rules
    singular: rule
    categories:
    - istio-io
    - policy-istio-io
  scope: Namespaced
  version: v1alpha2
45 |
--------------------------------------------------------------------------------
/appconfigmgrv2/third_party/istio/v1.1.7/crds/service-entry.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
# Namespaced CRD for the `ServiceEntry` kind (networking.istio.io/v1alpha3),
# kept under third_party/istio/v1.1.7 for the test harness.
# NOTE(review): the spec carries no validation schema, so the API server does
# not check the structure of ServiceEntry objects (hosts, location,
# resolution). apiextensions.k8s.io/v1beta1 is a deprecated CRD API version.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: serviceentries.networking.istio.io
  labels:
    app: istio-pilot
    chart: istio
    heritage: Tiller
    release: istio
  annotations:
    # Tells Helm to leave this resource in place when the release is removed.
    "helm.sh/resource-policy": keep
spec:
  group: networking.istio.io
  names:
    kind: ServiceEntry
    listKind: ServiceEntryList
    plural: serviceentries
    singular: serviceentry
    shortNames:
    - se
    categories:
    - istio-io
    - networking-istio-io
  scope: Namespaced
  version: v1alpha3
  # Extra columns for table output; display only, they do not validate anything.
  additionalPrinterColumns:
  - JSONPath: .spec.hosts
    description: The hosts associated with the ServiceEntry
    name: Hosts
    type: string
  - JSONPath: .spec.location
    description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL)
    name: Location
    type: string
  - JSONPath: .spec.resolution
    description: Service discovery mode for the hosts (NONE, STATIC, or DNS)
    name: Resolution
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: |-
      CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.

      Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
    name: Age
    type: date
66 |
--------------------------------------------------------------------------------
/appconfigmgrv2/third_party/istio/v1.1.7/crds/virtual-service.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | apiVersion: apiextensions.k8s.io/v1beta1
22 | kind: CustomResourceDefinition
23 | metadata:
24 | name: virtualservices.networking.istio.io
25 | labels:
26 | app: istio-pilot
27 | chart: istio
28 | heritage: Tiller
29 | release: istio
30 | annotations:
31 | "helm.sh/resource-policy": keep
32 | spec:
33 | group: networking.istio.io
34 | names:
35 | kind: VirtualService
36 | listKind: VirtualServiceList
37 | plural: virtualservices
38 | singular: virtualservice
39 | shortNames:
40 | - vs
41 | categories:
42 | - istio-io
43 | - networking-istio-io
44 | scope: Namespaced
45 | version: v1alpha3
46 | additionalPrinterColumns:
47 | - JSONPath: .spec.gateways
48 | description: The names of gateways and sidecars that should apply these routes
49 | name: Gateways
50 | type: string
51 | - JSONPath: .spec.hosts
52 | description: The destination hosts to which traffic is being sent
53 | name: Hosts
54 | type: string
55 | - JSONPath: .metadata.creationTimestamp
56 | description: |-
57 | CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
58 |
59 | Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
60 | name: Age
61 | type: date
62 |
--------------------------------------------------------------------------------
/builder/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | ```bash
4 | gsutil mb -p anthos-appconfig -c multi_regional -l us gs://anthos-appconfig/
5 | gsutil mb -p anthos-appconfig -c multi_regional -l us -b on gs://anthos-appconfig_build/
6 | gsutil bucketpolicyonly set off gs://anthos-appconfig_build/
7 | gsutil defacl set private gs://anthos-appconfig_build/
8 |
9 | gsutil mb -p anthos-appconfig -c multi_regional -l us -b on gs://anthos-appconfig_public/
10 | gsutil acl ch -u AllUsers:R gs://anthos-appconfig_public/
11 |
12 | ```
13 |
14 |
15 | ```bash
# Generate an SSH key pair labelled with the Cloud Build service account and
# stage it under repo/keys/ in the build bucket.
# NOTE(review): PROJECT_ID_NUMBER is assigned but the commands below repeat the
# literal number, and `gcloud iam` on the next line is an incomplete command.
16 | PROJECT_ID_NUMBER=20604585440
17 | gcloud iam
# -N '' creates the private key without a passphrase.
18 | ssh-keygen -t rsa -N '' -b 4096 -C "20604585440@cloudbuild.gserviceaccount.com" \
19 | -f $HOME/.ssh/id_rsa_anthos-appconfig-repo
20 |
# NOTE(review): the trailing * matches the private key as well as the .pub
# file, so the unencrypted private key is stored in the bucket and protected
# only by object ACLs (the last line grants read to the Cloud Build service
# account). Keeping the private half in a secret store or as a KMS-encrypted
# blob would narrow who can read it; uploading only the .pub file is enough
# for registering the deploy key.
21 | gsutil cp $HOME/.ssh/id_rsa_anthos-appconfig-repo* gs://anthos-appconfig_build/repo/keys/
22 | gsutil acl ch -u 20604585440@cloudbuild.gserviceaccount.com:R gs://anthos-appconfig_build/repo/keys/*
23 | ```
24 |
25 | ```bash
# Build and push the builder images with Cloud Build.
26 | gcloud builds submit \
27 | --config=./builder/kubebuilder-build/cloudbuild.yaml \
28 | ./builder/kubebuilder-build \
29 | --project anthos-appconfig --substitutions="_BUILDER_VERSION=v2.0.1"
30 |
# NOTE(review): this grants anonymous read on the whole artifacts bucket
# (presumably the storage behind the project's gcr.io registry; confirm), so
# every image pushed to this project becomes public, not only the builder
# images built above. Confirm nothing private is ever pushed here, or publish
# from a dedicated project.
31 | gsutil iam ch allUsers:objectViewer gs://artifacts.anthos-appconfig.appspot.com
32 | ```
33 |
34 | ```bash
35 | gcloud builds submit \
36 | --config=./kubebuilder-build/builder/utils/acmsplit/build/cloudbuild.yaml \
37 | ./kubebuilder-build/builder/utils/acmsplit \
38 | --project anthos-appconfig --substitutions="_BUILDER_VERSION=v2.0.1"
39 | ```
40 |
41 | ```bash
42 | gcloud builds submit \
43 | --config=./builder/appconfig-crd/cloudbuild.yaml \
44 | ./builder/appconfig-crd \
45 | --project anthos-appconfig \
46 | --substitutions="_BRANCH_NAME=master,_BUILDER_VERSION=v2.0.1,_APP_VERSION=v2.0.0"
47 | ```
48 |
49 | ```bash
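# Copy the released config-management-root tree into the local ACM repo.
# Source and destination are quoted separately: with one pair of quotes around
# both, gsutil receives a single argument and has no destination. Quoting the
# gs:// URL also leaves the wildcard for gsutil to expand instead of the shell.
gsutil -m cp -R "gs://anthos-appconfig_public/acm/anthos-config-management/${RELEASE_NAME}/acm-crd/config-management-root/*" "${ACM_ROOT}"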
51 | ```
--------------------------------------------------------------------------------
/builder/appconfig-crd/build-ssh-config-git-hub:
--------------------------------------------------------------------------------
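1 | # GitHub.com server. NOTE(review): "StrictHostKeyChecking no" below makes the build accept any host key presented for github.com; shipping a pinned known_hosts entry lets the check stay on.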
2 | Host github.com
3 | HostName github.com
4 | RSAAuthentication yes
5 | IdentityFile /root/.ssh/id_rsa
6 | StrictHostKeyChecking no
--------------------------------------------------------------------------------
/builder/appconfig-crd/placeholder.txt:
--------------------------------------------------------------------------------
1 | Copyright 2019 Google LLC
2 |
3 | Licensed under the Apache License, Version 2.0 (the "License");
4 | you may not use this file except in compliance with the License.
5 | You may obtain a copy of the License at
6 |
7 | http://www.apache.org/licenses/LICENSE-2.0
8 |
9 | Unless required by applicable law or agreed to in writing, software
10 | distributed under the License is distributed on an "AS IS" BASIS,
11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | See the License for the specific language governing permissions and
13 | limitations under the License.
14 |
--------------------------------------------------------------------------------
/builder/kubebuilder-build/Dockerfile:
--------------------------------------------------------------------------------
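# Builder image: Go 1.12.6 toolchain plus kubebuilder 2.0.0-alpha.4 and
# kustomize 2.1.0 installed under /usr/local/kubebuilder.
FROM golang:1.12.6

# NOTE(review): KUBECTL_VERSION is declared but no instruction in this file reads it.
ARG KUBECTL_VERSION="v1.13.0"
ENV GOPATH=/go
ENV GO111MODULE=on

# curl runs with -f so an HTTP error fails the build; without it an error page
# would be written to disk as the kustomize "binary" and the layer would still
# succeed.
# NOTE(review): neither download is checked against a published checksum, so
# the image trusts whatever the two URLs serve at build time. Record a SHA-256
# for each artifact and verify it before installing.
# NOTE(review): the kustomize URL is fixed to linux_amd64 while the kubebuilder
# URL follows `go env GOOS/GOARCH`; the two only agree on linux/amd64 builders.
RUN export os=$(go env GOOS) && export arch=$(go env GOARCH) \
    && curl -fsSL https://go.kubebuilder.io/dl/2.0.0-alpha.4/${os}/${arch} | tar -xz -C /tmp/ \
    && mv /tmp/kubebuilder_2.0.0-alpha.4_${os}_${arch} /usr/local/kubebuilder \
    && curl -fsSL -o /usr/local/kubebuilder/bin/kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v2.1.0/kustomize_2.1.0_linux_amd64 \
    && chmod 755 /usr/local/kubebuilder/bin/kustomize

ENV PATH="$PATH:/usr/local/kubebuilder/bin"

CMD ["bash"]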
16 |
--------------------------------------------------------------------------------
/builder/kubebuilder-build/cloudbuild.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 |
22 | steps:
23 | - name: gcr.io/cloud-builders/docker
24 | args: [
25 | 'build', '-t',
26 | 'gcr.io/${PROJECT_ID}/acmsplit:${_BUILDER_VERSION}',
27 | '.'
28 | ]
29 | dir: utils/acmsplit
30 | - name: gcr.io/cloud-builders/docker
31 | args: [
32 | 'push',
33 | 'gcr.io/${PROJECT_ID}/acmsplit:${_BUILDER_VERSION}',
34 | ]
35 | dir: utils/acmsplit
36 | - name: gcr.io/cloud-builders/docker
37 | args: [
38 | 'build', '-t',
39 | 'gcr.io/${PROJECT_ID}/appconfighelper-build:${_BUILDER_VERSION}',
40 | '.'
41 | ]
42 | - name: gcr.io/cloud-builders/docker
43 | args: [
44 | 'push',
45 | 'gcr.io/${PROJECT_ID}/appconfighelper-build:${_BUILDER_VERSION}',
46 | ]
47 |
--------------------------------------------------------------------------------
/builder/kubebuilder-build/utils/acmsplit/Dockerfile:
--------------------------------------------------------------------------------
# Two-stage build: compile main.go into a static linux/amd64 binary in the
# golang:1.12.6 stage, then copy only that binary into an alpine:3.9 image.
1 | FROM golang:1.12.6 as builder
2 | RUN mkdir /go/src/app
3 | WORKDIR /go/src/app
4 | ENV GOPATH=/go
5 | ENV GO111MODULE=on
# NOTE(review): a fresh go.mod is generated here and only main.go is added
# below, so the go.mod kept next to this Dockerfile is not used and dependency
# versions are whatever resolves at build time. Copying go.mod (and a go.sum)
# into the stage would pin them; confirm this is not intentional.
6 | RUN go mod init
7 | #RUN go get -u github.com/golang/dep/cmd/dep
8 | ADD ./main.go /go/src/app
9 | #COPY Gopkg.toml /go/src/app
10 |
11 | #RUN dep ensure
# NOTE(review): no *_test.go file is added to this stage, so this step
# presumably runs zero tests; verify.
12 | RUN go test -v
13 | RUN GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -o app
14 |
# Runtime stage. No USER instruction is set, so the binary runs as root.
15 | FROM alpine:3.9
16 | RUN apk add --no-cache ca-certificates
17 | CMD ["./app"]
18 | COPY --from=builder /go/src/app/app .
19 |
--------------------------------------------------------------------------------
/builder/kubebuilder-build/utils/acmsplit/go.mod:
--------------------------------------------------------------------------------
1 | module appconfigv2-cft-dev/examples/acmsplit
2 |
3 | go 1.12
4 |
5 | require (
6 | github.com/pkg/errors v0.8.1
7 | gopkg.in/yaml.v2 v2.2.2
8 | k8s.io/api v0.0.0-20190620073856-dcce3486da33
9 | k8s.io/apimachinery v0.0.0-20190620073744-d16981aedf33
10 | k8s.io/client-go v11.0.0+incompatible
11 | )
12 |
--------------------------------------------------------------------------------
/examples/use-cases/uc-firebase/deploy-apps.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
21 | apiVersion: apps/v1
22 | kind: Deployment
23 | metadata:
24 | name: tasks
25 | namespace: uc-firebase
26 | labels:
27 | version: v1
28 | spec:
29 | replicas: 1
30 | selector:
31 | matchLabels:
32 | app: tasks
33 | template:
34 | metadata:
35 | labels:
36 | app: tasks
37 | version: v1
38 | spec:
39 | containers:
40 | - name: main
41 | image: gcr.io/anthos-appconfig/firebase-tasks-api:v1.0.0
42 | resources:
43 | requests:
44 | cpu: "50m"
45 | ports:
46 | - containerPort: 8000
47 | imagePullPolicy: Always
48 | ---
49 | apiVersion: apps/v1
50 | kind: Deployment
51 | metadata:
52 | name: webapp
53 | namespace: uc-firebase
54 | labels:
55 | version: v1
56 | spec:
57 | replicas: 1
58 | selector:
59 | matchLabels:
60 | app: webapp
61 | template:
62 | metadata:
63 | labels:
64 | app: webapp
65 | version: v1
66 | spec:
67 | containers:
68 | - name: main
69 | image: gcr.io/anthos-appconfig/firebase-webapp:v1.0.0
70 | resources:
71 | requests:
72 | cpu: "50m"
73 | ports:
74 | - containerPort: 80
75 | imagePullPolicy: Always
76 |
--------------------------------------------------------------------------------
/examples/use-cases/uc-ingress-k8s-https/deploy-apps.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 |
15 | apiVersion: apps/v1beta1
16 | kind: Deployment
17 | metadata:
18 | name: my-server
19 | namespace: uc-ingress-k8s-https
20 | labels:
21 | app: my-server
22 | version: v1.0.0
23 | annotations:
24 | appconfigmgr.cft.dev/application: "my-server"
25 | spec:
26 | replicas: 1
27 | template:
28 | metadata:
29 | labels:
30 | app: my-server
31 | version: v1.0.0
32 | annotations:
33 | appconfigmgr.cft.dev/application: "my-server"
34 | spec:
35 | containers:
36 | - name: my-server
37 | image: docker.io/nstogner/itsallok
38 | imagePullPolicy: Always
39 | tty: true
40 | env:
41 | - name: ADDR
42 | value: ":80"
43 | ports:
44 | - containerPort: 80
45 | name: http
46 | readinessProbe:
47 | httpGet:
48 | path: /get
49 | port: 80
50 |
--------------------------------------------------------------------------------
/examples/use-cases/uc-ingress-k8s/deploy-apps.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 |
15 | apiVersion: apps/v1beta1
16 | kind: Deployment
17 | metadata:
18 | name: my-server
19 | namespace: uc-ingress-k8s
20 | labels:
21 | app: my-server
22 | version: v1.0.0
23 | annotations:
24 | appconfigmgr.cft.dev/application: "my-server"
25 | spec:
26 | replicas: 1
27 | template:
28 | metadata:
29 | labels:
30 | app: my-server
31 | version: v1.0.0
32 | annotations:
33 | appconfigmgr.cft.dev/application: "my-server"
34 | spec:
35 | containers:
36 | - name: my-server
37 | image: docker.io/nstogner/itsallok
38 | imagePullPolicy: Always
39 | tty: true
40 | env:
41 | - name: ADDR
42 | value: ":80"
43 | ports:
44 | - containerPort: 80
45 | name: http
46 | readinessProbe:
47 | httpGet:
48 | path: /get
49 | port: 80
50 |
--------------------------------------------------------------------------------
/examples/use-cases/uc-opa/deploy-apps.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
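# Two Deployments for the uc-opa policy test.
# The pod template of the first one carries no `version` label, the second one
# carries both `app` and `version`; test_opa.py expects 0 and 3 pods for them.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: missing-version-label-on-pods
  namespace: uc-opa
  labels:
    app: missing-version-label-on-pods
    version: v1
spec:
  replicas: 3
  selector:
    matchLabels:
      app: missing-version-label-on-pods
  template:
    metadata:
      labels:
        app: missing-version-label-on-pods
    spec:
      containers:
      - name: main
        # Floating tag: the test pulls whatever `nginx` currently resolves to.
        image: nginx
# The separator is required. Without it both Deployments share one YAML
# document with duplicate top-level keys, so a parser either rejects the file
# or keeps only one of them, and the "blocked" Deployment may never be
# submitted, which would make the zero-pod assertion pass for the wrong reason.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: satisfies-labels
  namespace: uc-opa
  labels:
    app: satisfies-labels
    version: v1
spec:
  replicas: 3
  selector:
    matchLabels:
      app: satisfies-labels
      version: v1
  template:
    metadata:
      labels:
        app: satisfies-labels
        version: v1
    spec:
      containers:
      - name: main
        image: nginx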
64 |
--------------------------------------------------------------------------------
/examples/use-cases/uc-secrets-vault-k8s/vault-roles-policy.sh:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 | cat > ${ROLE_NAME}-gcp.hcl < ${ROLE_NAME}-policy.hcl < 0 or len(results.failures) > 0:
47 | sys.exit(1)
48 |
--------------------------------------------------------------------------------
/tests/artifacts/drivers/simple_hello/requirements.txt:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
# Python dependencies for the simple_hello test driver.
# NOTE(review): PyCrypto is no longer maintained; pycryptodome is the
# maintained fork and keeps the same `Crypto` import name. oauth2client is
# deprecated in favour of google-auth. No entry is version-pinned, so every
# build installs whatever release is current at that moment.
21 | #flask
22 | #flask-cors
23 | requests
24 | httplib2
25 | PyCrypto
26 | google-api-python-client
27 | google-auth-httplib2
28 | oauth2client
29 | html-testRunner
30 | kubernetes
31 |
--------------------------------------------------------------------------------
/tests/artifacts/drivers/simple_hello/test/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.
17 | #
--------------------------------------------------------------------------------
/tests/artifacts/drivers/simple_hello/test/config/opa-appconfig-1.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 | apiVersion: appconfigmgr.cft.dev/v1alpha1
19 | kind: AppEnvConfigTemplateV2
20 | metadata:
21 | name: should-be-created
22 | namespace: uc-opa
23 | spec:
24 | services:
25 | - name: a
26 | deploymentApp: a
27 | deploymentPort: 8000
28 | servicePort: 8000
29 | deploymentPortProtocol: TCP
30 |
--------------------------------------------------------------------------------
/tests/artifacts/drivers/simple_hello/test/config/opa-appconfig-2.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 | apiVersion: appconfigmgr.cft.dev/v1alpha1
19 | kind: AppEnvConfigTemplateV2
20 | metadata:
21 | name: should-not-be-created
22 | namespace: uc-opa
23 | spec:
24 | services:
25 | - name: a
26 | deploymentApp: a
27 | deploymentPort: 8000
28 | servicePort: 8000
29 | deploymentPortProtocol: TCP
30 |
--------------------------------------------------------------------------------
/tests/artifacts/drivers/simple_hello/test/test_ingress.py:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.
17 | #
18 |
19 | import os
20 | import sys
21 | import unittest
22 | import time
23 | import requests
24 |
25 | # sys.path.append(os.path.abspath('../simple_hello'))
26 | # from auth_helper import GCPAuthHelper
27 |
28 | from kubernetes import client, config
29 | from pprint import pprint
30 |
31 | config.load_kube_config()
32 |
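class IngressTestCase(unittest.TestCase):
    """End-to-end checks that the example ingresses answer with HTTP 200.

    Each test polls the ingress until it responds, because the load balancer
    may not have an address yet when the test starts.
    """

    # Guarded attempts before the final, unguarded one.
    RETRIES = 20
    # Pause between failed attempts, in seconds.
    RETRY_DELAY_SECONDS = 15

    def test_k8s_ingress(self):
        """The plain-HTTP ingress in uc-ingress-k8s eventually returns 200."""
        self._call_with_retries("uc-ingress-k8s", "http")

    def test_k8s_ingress_https(self):
        """The HTTPS ingress in uc-ingress-k8s-https eventually returns 200."""
        self._call_with_retries("uc-ingress-k8s-https", "https")

    def _call_with_retries(self, ns, proto):
        """Call the ingress until it succeeds, waiting between failed attempts.

        The earlier loop placed the sleep after `break`, so it never ran and
        all retries were spent back to back. The wait now happens after each
        failure. `except Exception` replaces the bare `except` so that
        KeyboardInterrupt and SystemExit still stop the run.

        After RETRIES failures one last call is made outside the guard so its
        exception (or assertion failure) is what the test reports.
        """
        for _ in range(self.RETRIES):
            try:
                self.call_k8s_ingress(ns, proto)
                return
            except Exception:
                time.sleep(self.RETRY_DELAY_SECONDS)
        self.call_k8s_ingress(ns, proto)

    def call_k8s_ingress(self, ns, proto):
        """Request /get through the "ingress-k8s" ingress in `ns` and expect 200.

        Args:
            ns: namespace that holds the ingress.
            proto: URL scheme to use, "http" or "https".

        Raises:
            AssertionError: the response status is not 200.
            Exception: whatever the Kubernetes client or `requests` raises, for
                example while the ingress has no load-balancer address yet.
        """
        exts = client.ExtensionsV1beta1Api()
        ingress = exts.read_namespaced_ingress("ingress-k8s", ns)
        ip = ingress.status.load_balancer.ingress[0].ip
        url = proto + "://" + ip + "/get"
        # verify=False: the request targets the load-balancer IP with a Host
        # header, and certificate checking is switched off, so the https test
        # proves reachability only. It does not show that the served
        # certificate is valid for the host.
        # timeout: without one a stalled connection would hang the test
        # instead of counting as a failed attempt.
        r = requests.get(url=url, headers={'Host': 'example.com'}, verify=False, timeout=30)
        self.assertEqual(r.status_code, 200)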
69 |
70 |
71 | if __name__ == '__main__':
72 | unittest.main()
73 |
74 |
--------------------------------------------------------------------------------
/tests/artifacts/drivers/simple_hello/test/test_opa.py:
--------------------------------------------------------------------------------
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.
17 | #
18 |
19 | import os
20 | from os import path
21 | import sys
22 | import unittest
23 | import subprocess
24 | import time
25 |
26 | from kubernetes import client, config
27 | from pprint import pprint
28 |
29 | config.load_kube_config()
30 | core_v1 = client.CoreV1Api()
31 | namespace = "uc-opa"
32 |
class OpaTestCase(unittest.TestCase):
    """Checks that the admission policies in the uc-opa namespace are enforced."""

    def test_pod_creation(self):
        """Pods with the required labels exist; pods missing them do not.

        NOTE(review): an empty list for the non-compliant selector only shows
        that the pods were rejected if the missing-version-label-on-pods
        Deployment was actually applied. This test does not check that the
        Deployment exists.
        """
        compliant = core_v1.list_namespaced_pod(namespace, label_selector="app=satisfies-labels")
        rejected = core_v1.list_namespaced_pod(namespace, label_selector="app=missing-version-label-on-pods")
        self.assertEqual(len(compliant.items), 3)
        self.assertEqual(len(rejected.items), 0)

    def test_appconfig_ns_limit(self):
        """At most one app config may be created in a single namespace."""
        time.sleep(300)

        # The first app config in the namespace is expected to be admitted.
        self.kubectl_apply("opa-appconfig-1.yaml")

        time.sleep(300)

        # A second one in the same namespace must be refused, which surfaces
        # as a non-zero kubectl exit status.
        with self.assertRaises(subprocess.CalledProcessError):
            self.kubectl_apply("opa-appconfig-2.yaml")

    def kubectl_apply(self, name):
        """Run `kubectl apply -f` on config/<name> next to this test file.

        The command is passed as an argument list, so no shell parses `name`.
        Raises subprocess.CalledProcessError when kubectl exits non-zero.
        """
        manifest = path.join(path.dirname(__file__), "config", name)
        command = ["kubectl", "apply", "-f", manifest]
        subprocess.check_call(command)
58 |
59 | if __name__ == '__main__':
60 | unittest.main()
61 |
62 |
--------------------------------------------------------------------------------
/tests/artifacts/pytest-sel/Dockerfile:
--------------------------------------------------------------------------------
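# Test-runner image: Python 3.7 with chromedriver 76.0.3809.68, kubectl v1.15.0
# and the packages listed in requirements.txt.
FROM python:3.7
COPY . /app
WORKDIR /app
RUN \
    apt-get update && \
    apt-get install unzip wget -y && \
    rm -rf /var/lib/apt/lists/*

# NOTE(review): chromedriver and kubectl are downloaded without a checksum
# comparison, so the image trusts whatever these URLs serve at build time.
# Record a SHA-256 for each artifact and verify it before installing.
RUN mkdir -p /app/utils/down && wget -O "/app/utils/down/chromedriver.zip" \
    "https://chromedriver.storage.googleapis.com/76.0.3809.68/chromedriver_linux64.zip"

RUN unzip '/app/utils/down/chromedriver.zip' -d "/app/utils/"

# -f makes curl exit non-zero on an HTTP error instead of saving the error
# body as ./kubectl and letting the build continue.
RUN curl -fLO https://storage.googleapis.com/kubernetes-release/release/v1.15.0/bin/linux/amd64/kubectl
RUN chmod +x ./kubectl
RUN mv ./kubectl /usr/local/bin/kubectl

RUN pip install -r "requirements.txt"

# Exec form needs a JSON array of double-quoted strings. The unquoted
# `[python3]` is not valid JSON, so Docker treated it as a shell command named
# "[python3]" and the container failed to start.
CMD ["python3"]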
21 |
--------------------------------------------------------------------------------
/tests/artifacts/pytest-sel/README.md:
--------------------------------------------------------------------------------
1 | Copyright 2019 Google LLC
2 |
3 | Licensed under the Apache License, Version 2.0 (the "License");
4 | you may not use this file except in compliance with the License.
5 | You may obtain a copy of the License at
6 |
7 | http://www.apache.org/licenses/LICENSE-2.0
8 |
9 | Unless required by applicable law or agreed to in writing, software
10 | distributed under the License is distributed on an "AS IS" BASIS,
11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | See the License for the specific language governing permissions and
13 | limitations under the License.
14 | ```bash
15 | python3 -m venv venv
16 | source venv/bin/activate
17 | python3 -m pip install -r requirements.txt
18 |
19 | ```
20 |
21 | ```bash
22 | gcloud builds submit \
23 | --config=examples/hello-app-sm-py/build/cloudbuild.yaml \
24 | examples/hello-app-sm-py \
25 | --project anthos-crd-v1-dev-t2 --substitutions="_APP_VERSION=v3.0.20"
26 | ```
27 |
28 | https://chromedriver.storage.googleapis.com/76.0.3809.68/chromedriver_linux64.zip
29 |
30 | ```bash
31 | docker build . -t pso-e2e-testing-py:v1.0.1
32 | docker tag pso-e2e-testing-py:v1.0.1 gcr.io/anthos-appconfig/pso-e2e-testing-py:v1.0.1
33 | docker push gcr.io/anthos-appconfig/pso-e2e-testing-py:v1.0.1
34 |
35 | ```
--------------------------------------------------------------------------------
/tests/artifacts/pytest-sel/requirements.txt:
--------------------------------------------------------------------------------
1 | #Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | # Copyright 2019 Google LLC. This software is provided as-is,
16 | # without warranty or representation for any use or purpose.#
17 | #
18 |
19 |
20 |
# Python dependencies for the pytest-sel end-to-end test image.
# NOTE(review): PyCrypto is no longer maintained; pycryptodome is the
# maintained fork and keeps the same `Crypto` import name. oauth2client is
# deprecated in favour of google-auth. No entry is version-pinned, so every
# image build installs whatever release is current at that moment.
21 | # flask
22 | # flask-cors
23 | requests
24 | httplib2
25 | PyCrypto
26 | google-api-python-client
27 | google-auth-httplib2
28 | oauth2client
29 | pytest-webdriver
30 | html-testRunner
31 | kubernetes
32 |
--------------------------------------------------------------------------------
/tests/setup/README.md:
--------------------------------------------------------------------------------
1 | # Testing
2 |
3 |
4 | ## Build Environment
5 |
6 | ```bash
7 | gcloud builds submit --config=tests/setup/cloudbuild.yaml \
8 | tests/setup --project anthos-appconfig \
9 | --substitutions='_BRANCH_NAME=feat_end_to_end_2_137548002,_STEPS_X=CRD1,_REF_PATH=*BRANCH-MANUAL*'
10 | ```
11 |
12 |
--------------------------------------------------------------------------------
/tests/setup/build-ssh-config-git-hub:
--------------------------------------------------------------------------------
1 | # GitHub.com server. NOTE(review): StrictHostKeyChecking is set to no below, so the server's host key is never verified and an on-path attacker could impersonate the host; pre-provision a pinned known_hosts entry in the build image instead.
2 | Host github.com
3 | HostName github.com
4 | RSAAuthentication yes
5 | IdentityFile /root/.ssh/id_rsa
6 | StrictHostKeyChecking no
7 | # source repos server. NOTE(review): same unverified host key as above; RSAAuthentication is an SSH protocol 1 option - presumably a leftover, confirm it can be dropped.
8 | Host source.developers.google.com
9 | HostName source.developers.google.com
10 | RSAAuthentication yes
11 | IdentityFile /root/.ssh/id_rsa_test
12 | StrictHostKeyChecking no
--------------------------------------------------------------------------------
/tests/setup/jobtemp/placeholder.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-appconfig/16baae606132e83bbb6d6a03a8a55cd72c9953bd/tests/setup/jobtemp/placeholder.txt
--------------------------------------------------------------------------------
/tests/setup/setup_mapping_execution.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | # Copyright 2019 Google LLC
3 | #
4 | # Licensed under the Apache License, Version 2.0 (the "License");
5 | # you may not use this file except in compliance with the License.
6 | # You may obtain a copy of the License at
7 | #
8 | # http://www.apache.org/licenses/LICENSE-2.0
9 | #
10 | # Unless required by applicable law or agreed to in writing, software
11 | # distributed under the License is distributed on an "AS IS" BASIS,
12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | # See the License for the specific language governing permissions and
14 | # limitations under the License.
15 | #
16 | # Copyright 2019 Google LLC. This software is provided as-is,
17 | # without warranty or representation for any use or purpose.#
18 | #
19 |
20 | # TODO - Rules to map Request to Test Project and Cluster
21 |
22 |
--------------------------------------------------------------------------------
/tests/use-cases-basic/demos.bats:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bats
2 | # docker run -it -v "/Users/joseret/go112/src/github.com/GoogleCloudPlatform/anthos-appconfig/tests:/code" bats/bats:latest
3 |
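4 | @test "uc-1" {
5 |   COMMAND="curl \""  # assembles the uc-1 call-sequence request against the non-Istio ingress
6 |   COMMAND="${COMMAND}http://${INGRESS_NO_ISTIO_HOST}/testcallseq?"  # braces required: $COMMANDhttp would name a different, unset variable
7 |   COMMAND="${COMMAND}call1=http://app-allowed-k8s-appconfigv2-service-sm-2.uc-allowed-services-k8s/testcallseq&"
8 |   COMMAND="${COMMAND}call2=http://app-allowed-k8s-appconfigv2-service-sm-1/testcallseq&"
9 |   COMMAND="${COMMAND}ccall3=https://httpbin.org/get\""  # NOTE(review): "ccall3" looks like a typo for "call3" - confirm against the test driver
10 |   run "curl https://www.google.com"  # NOTE(review): COMMAND is never executed; the whole quoted string is looked up as a single command name
11 |   [ "$status" -eq 127 ]  # 127 = command not found, so this passes without sending a request or checking any allowed-services policy
12 | }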
13 |
14 |
--------------------------------------------------------------------------------
/third_party/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-appconfig/16baae606132e83bbb6d6a03a8a55cd72c9953bd/third_party/README.md
--------------------------------------------------------------------------------
/vault-api-helper/Dockerfile:
--------------------------------------------------------------------------------
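1 | FROM golang:1.12.7 as builder
2 | # Build stage: compiles main.go into a static linux/amd64 binary named "app".
3 | RUN mkdir /go/src/app
4 | WORKDIR /go/src/app
5 | ENV GOPATH=/go
6 | ENV GO111MODULE=on
7 | RUN go mod init
8 | RUN go get k8s.io/client-go@v12.0.0
9 | COPY ./main.go /go/src/app
10 | # NOTE(review): go.mod is generated during the build and no go.sum is copied in, so apart from client-go the dependency versions are resolved at build time; commit go.mod/go.sum to make builds reproducible.
11 | #COPY Gopkg.toml /go/src/app
12 |
13 | RUN go test -v
14 | RUN GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -o app
15 | # NOTE(review): both FROM lines reference mutable tags; pinning the base images by digest would make the image contents verifiable.
16 | # Use distroless as minimal base image to package the vault-api-helper binary
17 | # Refer to https://github.com/GoogleContainerTools/distroless for more details
18 | #FROM gcr.io/distroless/static:latest
19 | #WORKDIR /
20 | #COPY --from=builder /go/src/app/app .
21 | #ENTRYPOINT ["/app"]
22 | # NOTE(review): the runtime stage sets no USER, so the binary runs as root; add a non-root USER if the helper does not need root - confirm against the pod spec.
23 | FROM alpine:3.9
24 | RUN apk add --no-cache ca-certificates
25 | CMD ["./app"]
26 | COPY --from=builder /go/src/app/app .
27 |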
--------------------------------------------------------------------------------