diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 593851c..9d38a2e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -18,6 +18,6 @@ jobs:
 registry-server: ghcr.io
 registry-username: ${{ github.actor }}
 image: ${{ github.repository }}
- version: 0.7.0
+ version: 0.9.0
 secrets:
 pull-request-token: ${{ secrets.GH_ORG_PAT }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 5a79ea9..b37dc51 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -14,7 +14,7 @@ jobs:
 name: Integration Tests
 strategy:
 matrix:
- k8s_version: [v1.27, v1.28, v1.29]
+ k8s_version: [v1.28, v1.29, v1.30]
 permissions:
 contents: read
 uses: kadras-io/github-reusable-workflows/.github/workflows/carvel-package-test-integration.yml@main
diff --git a/Makefile b/Makefile
index 5ba5c07..663175c 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-K8S_VERSION=v1.29
+K8S_VERSION=v1.30
 # Build package configuration
 build: package
diff --git a/README.md b/README.md
index 49b9d72..53792df 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,7 @@ A Carvel package for [Service Binding](https://servicebinding.io), a standard an
 ### Prerequisites
-* Kubernetes 1.27+
+* Kubernetes 1.28+
 * Carvel [`kctrl`](https://carvel.dev/kapp-controller/docs/latest/install/#installing-kapp-controller-cli-kctrl) CLI.
 * Carvel [kapp-controller](https://carvel.dev/kapp-controller) deployed in your Kubernetes cluster. You can install it with Carvel [`kapp`](https://carvel.dev/kapp/docs/latest/install) (recommended choice) or `kubectl`.
diff --git a/package/config/upstream/servicebinding-runtime-v0.7.0.yaml b/package/config/upstream/servicebinding-runtime-v0.7.0.yaml
deleted file mode 100644
index 2910391..0000000
--- a/package/config/upstream/servicebinding-runtime-v0.7.0.yaml
+++ /dev/null
@@ -1,1308 +0,0 @@ -# Copyright 2022 the original author or authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. ---- -apiVersion: v1 -kind: Namespace -metadata: - labels: - control-plane: controller-manager - name: servicebinding-system ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - name: clusterworkloadresourcemappings.servicebinding.io -spec: - group: servicebinding.io - names: - kind: ClusterWorkloadResourceMapping - listKind: ClusterWorkloadResourceMappingList - plural: clusterworkloadresourcemappings - singular: clusterworkloadresourcemapping - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - deprecated: true - deprecationWarning: servicebinding.io/v1alpha3 is deprecated and will be removed - in a future release, use v1beta1 instead - name: v1alpha3 - schema: - openAPIV3Schema: - description: ClusterWorkloadResourceMapping is the Schema for the clusterworkloadresourcemappings - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ClusterWorkloadResourceMappingSpec defines the desired state - of ClusterWorkloadResourceMapping - properties: - versions: - description: Versions is the collection of versions for a given resource, - with mappings. - items: - description: ClusterWorkloadResourceMappingTemplate defines the - mapping for a specific version of an workload resource to a logical - PodTemplateSpec-like structure. - properties: - annotations: - description: Annotations is a Restricted JSONPath that references - the annotations map within the workload resource. These annotations - must end up in the resulting Pod, and are generally not the - workload resource's annotations. Defaults to `.spec.template.metadata.annotations`. - type: string - containers: - description: Containers is the collection of mappings to container-like - fragments of the workload resource. Defaults to mappings appropriate - for a PodSpecable resource. - items: - description: "ClusterWorkloadResourceMappingContainer defines - the mapping for a specific fragment of an workload resource - to a Container-like structure. \n Each mapping defines exactly - one path that may match multiple container-like fragments - within the workload resource. For each object matching the - path the name, env and volumeMounts expressions are resolved - to find those structures." 
- properties: - env: - description: Env is a Restricted JSONPath that references - the slice of environment variables for the container - with the container-like workload resource fragment. - The referenced location is created if it does not exist. - Defaults to `.envs`. - type: string - name: - description: Name is a Restricted JSONPath that references - the name of the container with the container-like workload - resource fragment. If not defined, container name filtering - is ignored. - type: string - path: - description: Path is the JSONPath within the workload - resource that matches an existing fragment that is container-like. - type: string - volumeMounts: - description: VolumeMounts is a Restricted JSONPath that - references the slice of volume mounts for the container - with the container-like workload resource fragment. - The referenced location is created if it does not exist. - Defaults to `.volumeMounts`. - type: string - required: - - path - type: object - type: array - version: - description: Version is the version of the workload resource - that this mapping is for. - type: string - volumes: - description: Volumes is a Restricted JSONPath that references - the slice of volumes within the workload resource. Defaults - to `.spec.template.spec.volumes`. - type: string - required: - - version - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterWorkloadResourceMapping is the Schema for the clusterworkloadresourcemappings - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ClusterWorkloadResourceMappingSpec defines the desired state - of ClusterWorkloadResourceMapping - properties: - versions: - description: Versions is the collection of versions for a given resource, - with mappings. - items: - description: ClusterWorkloadResourceMappingTemplate defines the - mapping for a specific version of an workload resource to a logical - PodTemplateSpec-like structure. - properties: - annotations: - description: Annotations is a Restricted JSONPath that references - the annotations map within the workload resource. These annotations - must end up in the resulting Pod, and are generally not the - workload resource's annotations. Defaults to `.spec.template.metadata.annotations`. - type: string - containers: - description: Containers is the collection of mappings to container-like - fragments of the workload resource. Defaults to mappings appropriate - for a PodSpecable resource. - items: - description: "ClusterWorkloadResourceMappingContainer defines - the mapping for a specific fragment of an workload resource - to a Container-like structure. \n Each mapping defines exactly - one path that may match multiple container-like fragments - within the workload resource. For each object matching the - path the name, env and volumeMounts expressions are resolved - to find those structures." 
- properties: - env: - description: Env is a Restricted JSONPath that references - the slice of environment variables for the container - with the container-like workload resource fragment. - The referenced location is created if it does not exist. - Defaults to `.envs`. - type: string - name: - description: Name is a Restricted JSONPath that references - the name of the container with the container-like workload - resource fragment. If not defined, container name filtering - is ignored. - type: string - path: - description: Path is the JSONPath within the workload - resource that matches an existing fragment that is container-like. - type: string - volumeMounts: - description: VolumeMounts is a Restricted JSONPath that - references the slice of volume mounts for the container - with the container-like workload resource fragment. - The referenced location is created if it does not exist. - Defaults to `.volumeMounts`. - type: string - required: - - path - type: object - type: array - version: - description: Version is the version of the workload resource - that this mapping is for. - type: string - volumes: - description: Volumes is a Restricted JSONPath that references - the slice of volumes within the workload resource. Defaults - to `.spec.template.spec.volumes`. 
- type: string - required: - - version - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - name: servicebindings.servicebinding.io -spec: - group: servicebinding.io - names: - kind: ServiceBinding - listKind: ServiceBindingList - plural: servicebindings - singular: servicebinding - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.binding.name - name: Secret - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Reason - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - deprecated: true - deprecationWarning: servicebinding.io/v1alpha3 is deprecated and will be removed - in a future release, use v1beta1 instead - name: v1alpha3 - schema: - openAPIV3Schema: - description: ServiceBinding is the Schema for the servicebindings API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ServiceBindingSpec defines the desired state of ServiceBinding - properties: - env: - description: Env is the collection of mappings from Secret entries - to environment variables - items: - description: EnvMapping defines a mapping from the value of a Secret - entry to an environment variable - properties: - key: - description: Key is the key in the Secret that will be exposed - type: string - name: - description: Name is the name of the environment variable - type: string - required: - - key - - name - type: object - type: array - name: - description: Name is the name of the service as projected into the - workload container. Defaults to .metadata.name. - type: string - provider: - description: Provider is the provider of the service as projected - into the workload container - type: string - service: - description: Service is a reference to an object that fulfills the - ProvisionedService duck type - properties: - apiVersion: - description: API version of the referent. - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - apiVersion - - kind - - name - type: object - type: - description: Type is the type of the service as projected into the - workload container - type: string - workload: - description: Workload is a reference to an object - properties: - apiVersion: - description: API version of the referent. 
- type: string - containers: - description: Containers describes which containers in a Pod should - be bound to - items: - type: string - type: array - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - selector: - description: Selector is a query that selects the workload or - workloads to bind the service to - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - required: - - apiVersion - - kind - type: object - required: - - service - - workload - type: object - status: - description: ServiceBindingStatus defines the observed state of ServiceBinding - properties: - binding: - description: Binding exposes the projected secret for this ServiceBinding - properties: - name: - description: 'Name of the referent secret. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - conditions: - description: Conditions are the conditions of this ServiceBinding - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. 
For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - observedGeneration: - description: ObservedGeneration is the 'Generation' of the ServiceBinding - that was last processed by the controller. 
- format: int64 - type: integer - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.binding.name - name: Secret - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Reason - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: ServiceBinding is the Schema for the servicebindings API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ServiceBindingSpec defines the desired state of ServiceBinding - properties: - env: - description: Env is the collection of mappings from Secret entries - to environment variables - items: - description: EnvMapping defines a mapping from the value of a Secret - entry to an environment variable - properties: - key: - description: Key is the key in the Secret that will be exposed - type: string - name: - description: Name is the name of the environment variable - type: string - required: - - key - - name - type: object - type: array - name: - description: Name is the name of the service as projected into the - workload container. Defaults to .metadata.name. 
- type: string - provider: - description: Provider is the provider of the service as projected - into the workload container - type: string - service: - description: Service is a reference to an object that fulfills the - ProvisionedService duck type - properties: - apiVersion: - description: API version of the referent. - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - apiVersion - - kind - - name - type: object - type: - description: Type is the type of the service as projected into the - workload container - type: string - workload: - description: Workload is a reference to an object - properties: - apiVersion: - description: API version of the referent. - type: string - containers: - description: Containers describes which containers in a Pod should - be bound to - items: - type: string - type: array - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - selector: - description: Selector is a query that selects the workload or - workloads to bind the service to - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. 
- type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - required: - - apiVersion - - kind - type: object - required: - - service - - workload - type: object - status: - description: ServiceBindingStatus defines the observed state of ServiceBinding - properties: - binding: - description: Binding exposes the projected secret for this ServiceBinding - properties: - name: - description: 'Name of the referent secret. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - conditions: - description: Conditions are the conditions of this ServiceBinding - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. 
// Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - observedGeneration: - description: ObservedGeneration is the 'Generation' of the ServiceBinding - that was last processed by the controller. - format: int64 - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: servicebinding-controller-manager - namespace: servicebinding-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: servicebinding-leader-election-role - namespace: servicebinding-system -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -aggregationRule: - clusterRoleSelectors: - - matchLabels: - servicebinding.io/controller: "true" - - matchLabels: - service.binding/controller: "true" -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: servicebinding-aggregate-role ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - servicebinding.io/controller: "true" - name: servicebinding-k8s-workloads-role -rules: -- apiGroups: - - "" - resources: - - replicationcontrollers - verbs: - - get - - list - - watch - - update - - patch -- 
apiGroups: - - apps - resources: - - daemonsets - - deployments - - replicasets - - statefulsets - verbs: - - get - - list - - watch - - update - - patch -- apiGroups: - - batch - resources: - - cronjobs - - jobs - verbs: - - get - - list - - watch - - update - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: servicebinding-manager-role -rules: -- apiGroups: - - admissionregistration.k8s.io - resources: - - mutatingwebhookconfigurations - verbs: - - create - - get - - list - - patch - - update - - watch -- apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - create - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - servicebinding.io - resources: - - clusterworkloadresourcemappings - verbs: - - get - - list - - watch -- apiGroups: - - servicebinding.io - resources: - - servicebindings - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - servicebinding.io - resources: - - servicebindings/finalizers - verbs: - - update -- apiGroups: - - servicebinding.io - resources: - - servicebindings/status - verbs: - - get - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: servicebinding-metrics-reader -rules: -- nonResourceURLs: - - /metrics - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: servicebinding-proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: servicebinding-leader-election-rolebinding - namespace: servicebinding-system -roleRef: - apiGroup: 
rbac.authorization.k8s.io - kind: Role - name: servicebinding-leader-election-role -subjects: -- kind: ServiceAccount - name: servicebinding-controller-manager - namespace: servicebinding-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: servicebinding-aggregate-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: servicebinding-aggregate-role -subjects: -- kind: ServiceAccount - name: servicebinding-controller-manager - namespace: servicebinding-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: servicebinding-manager-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: servicebinding-manager-role -subjects: -- kind: ServiceAccount - name: servicebinding-controller-manager - namespace: servicebinding-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: servicebinding-proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: servicebinding-proxy-role -subjects: -- kind: ServiceAccount - name: servicebinding-controller-manager - namespace: servicebinding-system ---- -apiVersion: v1 -data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: a359ffaf.servicebinding.io -kind: ConfigMap -metadata: - name: servicebinding-manager-config - namespace: servicebinding-system ---- -apiVersion: v1 -kind: Service -metadata: - labels: - control-plane: controller-manager - name: servicebinding-controller-manager-metrics-service - namespace: servicebinding-system -spec: - ports: - - name: https - port: 8443 - protocol: TCP - targetPort: https - selector: - control-plane: controller-manager ---- -apiVersion: v1 
-kind: Service -metadata: - name: servicebinding-webhook-service - namespace: servicebinding-system -spec: - ports: - - port: 443 - targetPort: 9443 - selector: - control-plane: controller-manager ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - kbld.k14s.io/images: | - - origins: - - resolved: - tag: v0.11.0 - url: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0 - - preresolved: - url: ghcr.io/servicebinding/runtime/bundle@sha256:0df4ae70e3bd0feffcec8f5cdb428f4abe666b667af991269ec5cb0bbda65869 - url: ghcr.io/servicebinding/runtime/bundle@sha256:0df4ae70e3bd0feffcec8f5cdb428f4abe666b667af991269ec5cb0bbda65869 - - origins: - - preresolved: - url: ghcr.io/servicebinding/runtime/bundle@sha256:53dd39cce5a3f2ba4fdd4526199195a4d4d6dee9169af8fdf9638036dbda5b36 - url: ghcr.io/servicebinding/runtime/bundle@sha256:53dd39cce5a3f2ba4fdd4526199195a4d4d6dee9169af8fdf9638036dbda5b36 - labels: - control-plane: controller-manager - name: servicebinding-controller-manager - namespace: servicebinding-system -spec: - replicas: 1 - selector: - matchLabels: - control-plane: controller-manager - template: - metadata: - annotations: - kubectl.kubernetes.io/default-container: manager - labels: - control-plane: controller-manager - spec: - containers: - - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - image: ghcr.io/servicebinding/runtime/bundle@sha256:53dd39cce5a3f2ba4fdd4526199195a4d4d6dee9169af8fdf9638036dbda5b36 - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 10m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - 
name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=0 - image: ghcr.io/servicebinding/runtime/bundle@sha256:0df4ae70e3bd0feffcec8f5cdb428f4abe666b667af991269ec5cb0bbda65869 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - runAsNonRoot: true - serviceAccountName: servicebinding-controller-manager - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: servicebinding-serving-cert - namespace: servicebinding-system -spec: - dnsNames: - - servicebinding-webhook-service.servicebinding-system.svc - - servicebinding-webhook-service.servicebinding-system.svc.cluster.local - issuerRef: - kind: Issuer - name: servicebinding-selfsigned-issuer - secretName: webhook-server-cert ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: servicebinding-selfsigned-issuer - namespace: servicebinding-system -spec: - selfSigned: {} ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - annotations: - cert-manager.io/inject-ca-from: servicebinding-system/servicebinding-serving-cert - webhook.servicebinding.io/dynamic-rules: "" - name: servicebinding-admission-projector -webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: servicebinding-webhook-service - namespace: servicebinding-system - path: /interceptor - failurePolicy: Fail - name: interceptor.servicebinding.io - namespaceSelector: - matchExpressions: - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - servicebinding-system - - kube-system - reinvocationPolicy: IfNeeded - sideEffects: None ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: 
ValidatingWebhookConfiguration -metadata: - annotations: - cert-manager.io/inject-ca-from: servicebinding-system/servicebinding-serving-cert - webhook.servicebinding.io/dynamic-rules: "" - name: servicebinding-trigger -webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: servicebinding-webhook-service - namespace: servicebinding-system - path: /trigger - failurePolicy: Ignore - name: trigger.servicebinding.io - namespaceSelector: - matchExpressions: - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - servicebinding-system - - kube-system - sideEffects: None ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - annotations: - cert-manager.io/inject-ca-from: servicebinding-system/servicebinding-serving-cert - name: servicebinding-validating-webhook-configuration -webhooks: -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: servicebinding-webhook-service - namespace: servicebinding-system - path: /validate-servicebinding-io-v1beta1-clusterworkloadresourcemapping - failurePolicy: Fail - name: v1beta1.clusterworkloadresourcemappings.servicebinding.io - rules: - - apiGroups: - - servicebinding.io - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - clusterworkloadresourcemappings - sideEffects: None -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: servicebinding-webhook-service - namespace: servicebinding-system - path: /validate-servicebinding-io-v1beta1-servicebinding - failurePolicy: Fail - name: v1beta1.servicebindings.servicebinding.io - rules: - - apiGroups: - - servicebinding.io - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - servicebindings - sideEffects: None -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: servicebinding-webhook-service - namespace: servicebinding-system - path: 
/validate-servicebinding-io-v1alpha3-clusterworkloadresourcemapping - failurePolicy: Fail - name: v1alpha3.clusterworkloadresourcemappings.servicebinding.io - rules: - - apiGroups: - - servicebinding.io - apiVersions: - - v1alpha3 - operations: - - CREATE - - UPDATE - resources: - - clusterworkloadresourcemappings - sideEffects: None -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: servicebinding-webhook-service - namespace: servicebinding-system - path: /validate-servicebinding-io-v1alpha3-servicebinding - failurePolicy: Fail - name: v1alpha3.servicebindings.servicebinding.io - rules: - - apiGroups: - - servicebinding.io - apiVersions: - - v1alpha3 - operations: - - CREATE - - UPDATE - resources: - - servicebindings - sideEffects: None diff --git a/package/config/upstream/servicebinding-runtime-v0.9.0.yaml b/package/config/upstream/servicebinding-runtime-v0.9.0.yaml new file mode 100644 index 0000000..8051c53 --- /dev/null +++ b/package/config/upstream/servicebinding-runtime-v0.9.0.yaml 
@@ -0,0 +1,1738 @@ +# Copyright 2022 the original author or authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- +apiVersion: v1 +kind: Namespace +metadata: + labels: + control-plane: controller-manager + name: servicebinding-system +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: clusterworkloadresourcemappings.servicebinding.io +spec: + group: servicebinding.io + names: + kind: ClusterWorkloadResourceMapping + listKind: ClusterWorkloadResourceMappingList + plural: clusterworkloadresourcemappings + singular: clusterworkloadresourcemapping + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: ClusterWorkloadResourceMapping is the Schema for the clusterworkloadresourcemappings + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. 
+ Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ClusterWorkloadResourceMappingSpec defines the desired state + of ClusterWorkloadResourceMapping + properties: + versions: + description: Versions is the collection of versions for a given resource, + with mappings. + items: + description: |- + ClusterWorkloadResourceMappingTemplate defines the mapping for a specific version of an workload resource to a + logical PodTemplateSpec-like structure. + properties: + annotations: + description: |- + Annotations is a Restricted JSONPath that references the annotations map within the workload resource. These + annotations must end up in the resulting Pod, and are generally not the workload resource's annotations. + Defaults to `.spec.template.metadata.annotations`. + type: string + containers: + description: |- + Containers is the collection of mappings to container-like fragments of the workload resource. Defaults to + mappings appropriate for a PodSpecable resource. + items: + description: |- + ClusterWorkloadResourceMappingContainer defines the mapping for a specific fragment of an workload resource + to a Container-like structure. + + + Each mapping defines exactly one path that may match multiple container-like fragments within the workload + resource. For each object matching the path the name, env and volumeMounts expressions are resolved to find those + structures. + properties: + env: + description: |- + Env is a Restricted JSONPath that references the slice of environment variables for the container with the + container-like workload resource fragment. The referenced location is created if it does not exist. Defaults + to `.envs`. + type: string + name: + description: |- + Name is a Restricted JSONPath that references the name of the container with the container-like workload resource + fragment. 
If not defined, container name filtering is ignored. + type: string + path: + description: Path is the JSONPath within the workload + resource that matches an existing fragment that is container-like. + type: string + volumeMounts: + description: |- + VolumeMounts is a Restricted JSONPath that references the slice of volume mounts for the container with the + container-like workload resource fragment. The referenced location is created if it does not exist. Defaults + to `.volumeMounts`. + type: string + required: + - path + type: object + type: array + version: + description: Version is the version of the workload resource + that this mapping is for. + type: string + volumes: + description: |- + Volumes is a Restricted JSONPath that references the slice of volumes within the workload resource. Defaults to + `.spec.template.spec.volumes`. + type: string + required: + - version + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: servicebinding.io/v1alpha3 is deprecated and will be removed + in a future release, use v1 instead + name: v1alpha3 + schema: + openAPIV3Schema: + description: ClusterWorkloadResourceMapping is the Schema for the clusterworkloadresourcemappings + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ClusterWorkloadResourceMappingSpec defines the desired state + of ClusterWorkloadResourceMapping + properties: + versions: + description: Versions is the collection of versions for a given resource, + with mappings. + items: + description: |- + ClusterWorkloadResourceMappingTemplate defines the mapping for a specific version of an workload resource to a + logical PodTemplateSpec-like structure. + properties: + annotations: + description: |- + Annotations is a Restricted JSONPath that references the annotations map within the workload resource. These + annotations must end up in the resulting Pod, and are generally not the workload resource's annotations. + Defaults to `.spec.template.metadata.annotations`. + type: string + containers: + description: |- + Containers is the collection of mappings to container-like fragments of the workload resource. Defaults to + mappings appropriate for a PodSpecable resource. + items: + description: |- + ClusterWorkloadResourceMappingContainer defines the mapping for a specific fragment of an workload resource + to a Container-like structure. + + + Each mapping defines exactly one path that may match multiple container-like fragments within the workload + resource. For each object matching the path the name, env and volumeMounts expressions are resolved to find those + structures. + properties: + env: + description: |- + Env is a Restricted JSONPath that references the slice of environment variables for the container with the + container-like workload resource fragment. The referenced location is created if it does not exist. Defaults + to `.envs`. + type: string + name: + description: |- + Name is a Restricted JSONPath that references the name of the container with the container-like workload resource + fragment. 
If not defined, container name filtering is ignored. + type: string + path: + description: Path is the JSONPath within the workload + resource that matches an existing fragment that is container-like. + type: string + volumeMounts: + description: |- + VolumeMounts is a Restricted JSONPath that references the slice of volume mounts for the container with the + container-like workload resource fragment. The referenced location is created if it does not exist. Defaults + to `.volumeMounts`. + type: string + required: + - path + type: object + type: array + version: + description: Version is the version of the workload resource + that this mapping is for. + type: string + volumes: + description: |- + Volumes is a Restricted JSONPath that references the slice of volumes within the workload resource. Defaults to + `.spec.template.spec.volumes`. + type: string + required: + - version + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: ClusterWorkloadResourceMapping is the Schema for the clusterworkloadresourcemappings + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ClusterWorkloadResourceMappingSpec defines the desired state + of ClusterWorkloadResourceMapping + properties: + versions: + description: Versions is the collection of versions for a given resource, + with mappings. + items: + description: |- + ClusterWorkloadResourceMappingTemplate defines the mapping for a specific version of an workload resource to a + logical PodTemplateSpec-like structure. + properties: + annotations: + description: |- + Annotations is a Restricted JSONPath that references the annotations map within the workload resource. These + annotations must end up in the resulting Pod, and are generally not the workload resource's annotations. + Defaults to `.spec.template.metadata.annotations`. + type: string + containers: + description: |- + Containers is the collection of mappings to container-like fragments of the workload resource. Defaults to + mappings appropriate for a PodSpecable resource. + items: + description: |- + ClusterWorkloadResourceMappingContainer defines the mapping for a specific fragment of an workload resource + to a Container-like structure. + + + Each mapping defines exactly one path that may match multiple container-like fragments within the workload + resource. For each object matching the path the name, env and volumeMounts expressions are resolved to find those + structures. + properties: + env: + description: |- + Env is a Restricted JSONPath that references the slice of environment variables for the container with the + container-like workload resource fragment. The referenced location is created if it does not exist. Defaults + to `.envs`. + type: string + name: + description: |- + Name is a Restricted JSONPath that references the name of the container with the container-like workload resource + fragment. 
If not defined, container name filtering is ignored. + type: string + path: + description: Path is the JSONPath within the workload + resource that matches an existing fragment that is container-like. + type: string + volumeMounts: + description: |- + VolumeMounts is a Restricted JSONPath that references the slice of volume mounts for the container with the + container-like workload resource fragment. The referenced location is created if it does not exist. Defaults + to `.volumeMounts`. + type: string + required: + - path + type: object + type: array + version: + description: Version is the version of the workload resource + that this mapping is for. + type: string + volumes: + description: |- + Volumes is a Restricted JSONPath that references the slice of volumes within the workload resource. Defaults to + `.spec.template.spec.volumes`. + type: string + required: + - version + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: servicebindings.servicebinding.io +spec: + group: servicebinding.io + names: + kind: ServiceBinding + listKind: ServiceBindingList + plural: servicebindings + singular: servicebinding + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.binding.name + name: Secret + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].reason + name: Reason + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: ServiceBinding is the Schema for the servicebindings API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. 
+ Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ServiceBindingSpec defines the desired state of ServiceBinding + properties: + env: + description: Env is the collection of mappings from Secret entries + to environment variables + items: + description: EnvMapping defines a mapping from the value of a Secret + entry to an environment variable + properties: + key: + description: Key is the key in the Secret that will be exposed + type: string + name: + description: Name is the name of the environment variable + type: string + required: + - key + - name + type: object + type: array + name: + description: Name is the name of the service as projected into the + workload container. Defaults to .metadata.name. + type: string + provider: + description: Provider is the provider of the service as projected + into the workload container + type: string + service: + description: Service is a reference to an object that fulfills the + ProvisionedService duck type + properties: + apiVersion: + description: API version of the referent. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - apiVersion + - kind + - name + type: object + type: + description: Type is the type of the service as projected into the + workload container + type: string + workload: + description: Workload is a reference to an object + properties: + apiVersion: + description: API version of the referent. + type: string + containers: + description: Containers describes which containers in a Pod should + be bound to + items: + type: string + type: array + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + selector: + description: Selector is a query that selects the workload or + workloads to bind the service to + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - apiVersion + - kind + type: object + required: + - service + - workload + type: object + status: + description: ServiceBindingStatus defines the observed state of ServiceBinding + properties: + binding: + description: Binding exposes the projected secret for this ServiceBinding + properties: + name: + description: |- + Name of the referent secret. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - name + type: object + conditions: + description: Conditions are the conditions of this ServiceBinding + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. 
For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + observedGeneration: + description: |- + ObservedGeneration is the 'Generation' of the ServiceBinding that + was last processed by the controller. + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .status.binding.name + name: Secret + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].reason + name: Reason + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: servicebinding.io/v1alpha3 is deprecated and will be removed + in a future release, use v1 instead + name: v1alpha3 + schema: + openAPIV3Schema: + description: ServiceBinding is the Schema for the servicebindings API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ServiceBindingSpec defines the desired state of ServiceBinding + properties: + env: + description: Env is the collection of mappings from Secret entries + to environment variables + items: + description: EnvMapping defines a mapping from the value of a Secret + entry to an environment variable + properties: + key: + description: Key is the key in the Secret that will be exposed + type: string + name: + description: Name is the name of the environment variable + type: string + required: + - key + - name + type: object + type: array + name: + description: Name is the name of the service as projected into the + workload container. Defaults to .metadata.name. + type: string + provider: + description: Provider is the provider of the service as projected + into the workload container + type: string + service: + description: Service is a reference to an object that fulfills the + ProvisionedService duck type + properties: + apiVersion: + description: API version of the referent. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - apiVersion + - kind + - name + type: object + type: + description: Type is the type of the service as projected into the + workload container + type: string + workload: + description: Workload is a reference to an object + properties: + apiVersion: + description: API version of the referent. + type: string + containers: + description: Containers describes which containers in a Pod should + be bound to + items: + type: string + type: array + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + selector: + description: Selector is a query that selects the workload or + workloads to bind the service to + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - apiVersion + - kind + type: object + required: + - service + - workload + type: object + status: + description: ServiceBindingStatus defines the observed state of ServiceBinding + properties: + binding: + description: Binding exposes the projected secret for this ServiceBinding + properties: + name: + description: |- + Name of the referent secret. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - name + type: object + conditions: + description: Conditions are the conditions of this ServiceBinding + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. 
For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + observedGeneration: + description: |- + ObservedGeneration is the 'Generation' of the ServiceBinding that + was last processed by the controller. + format: int64 + type: integer + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .status.binding.name + name: Secret + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].reason + name: Reason + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: ServiceBinding is the Schema for the servicebindings API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ServiceBindingSpec defines the desired state of ServiceBinding + properties: + env: + description: Env is the collection of mappings from Secret entries + to environment variables + items: + description: EnvMapping defines a mapping from the value of a Secret + entry to an environment variable + properties: + key: + description: Key is the key in the Secret that will be exposed + type: string + name: + description: Name is the name of the environment variable + type: string + required: + - key + - name + type: object + type: array + name: + description: Name is the name of the service as projected into the + workload container. Defaults to .metadata.name. + type: string + provider: + description: Provider is the provider of the service as projected + into the workload container + type: string + service: + description: Service is a reference to an object that fulfills the + ProvisionedService duck type + properties: + apiVersion: + description: API version of the referent. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - apiVersion + - kind + - name + type: object + type: + description: Type is the type of the service as projected into the + workload container + type: string + workload: + description: Workload is a reference to an object + properties: + apiVersion: + description: API version of the referent. 
+ type: string + containers: + description: Containers describes which containers in a Pod should + be bound to + items: + type: string + type: array + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + selector: + description: Selector is a query that selects the workload or + workloads to bind the service to + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + required: + - apiVersion + - kind + type: object + required: + - service + - workload + type: object + status: + description: ServiceBindingStatus defines the observed state of ServiceBinding + properties: + binding: + description: Binding exposes the projected secret for this ServiceBinding + properties: + name: + description: |- + Name of the referent secret. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - name + type: object + conditions: + description: Conditions are the conditions of this ServiceBinding + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. 
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + observedGeneration: + description: |- + ObservedGeneration is the 'Generation' of the ServiceBinding that + was last processed by the controller. 
+ format: int64 + type: integer + type: object + type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: servicebinding-controller-manager + namespace: servicebinding-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: servicebinding-leader-election-role + namespace: servicebinding-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +aggregationRule: + clusterRoleSelectors: + - matchLabels: + servicebinding.io/controller: "true" + - matchLabels: + service.binding/controller: "true" +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: servicebinding-aggregate-role +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + servicebinding.io/controller: "true" + name: servicebinding-k8s-workloads-role +rules: +- apiGroups: + - "" + resources: + - replicationcontrollers + verbs: + - get + - list + - watch + - update + - patch +- apiGroups: + - apps + resources: + - daemonsets + - deployments + - replicasets + - statefulsets + verbs: + - get + - list + - watch + - update + - patch +- apiGroups: + - batch + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch + - update + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: servicebinding-manager-role +rules: +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - create + - get + - list + - patch + - update + - watch +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - create + - get + - 
list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - servicebinding.io + resources: + - clusterworkloadresourcemappings + verbs: + - get + - list + - watch +- apiGroups: + - servicebinding.io + resources: + - servicebindings + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - servicebinding.io + resources: + - servicebindings/finalizers + verbs: + - update +- apiGroups: + - servicebinding.io + resources: + - servicebindings/status + verbs: + - get + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: servicebinding-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: servicebinding-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: servicebinding-leader-election-rolebinding + namespace: servicebinding-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: servicebinding-leader-election-role +subjects: +- kind: ServiceAccount + name: servicebinding-controller-manager + namespace: servicebinding-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: servicebinding-aggregate-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: servicebinding-aggregate-role +subjects: +- kind: ServiceAccount + name: servicebinding-controller-manager + namespace: servicebinding-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: servicebinding-manager-rolebinding +roleRef: + apiGroup: 
rbac.authorization.k8s.io + kind: ClusterRole + name: servicebinding-manager-role +subjects: +- kind: ServiceAccount + name: servicebinding-controller-manager + namespace: servicebinding-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: servicebinding-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: servicebinding-proxy-role +subjects: +- kind: ServiceAccount + name: servicebinding-controller-manager + namespace: servicebinding-system +--- +apiVersion: v1 +kind: Service +metadata: + labels: + control-plane: controller-manager + name: servicebinding-controller-manager-metrics-service + namespace: servicebinding-system +spec: + ports: + - name: https + port: 8443 + protocol: TCP + targetPort: https + selector: + control-plane: controller-manager +--- +apiVersion: v1 +kind: Service +metadata: + name: servicebinding-webhook-service + namespace: servicebinding-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + control-plane: controller-manager +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + kbld.k14s.io/images: | + - origins: + - resolved: + tag: v0.11.0 + url: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0 + - preresolved: + url: ghcr.io/servicebinding/runtime/bundle@sha256:0df4ae70e3bd0feffcec8f5cdb428f4abe666b667af991269ec5cb0bbda65869 + url: ghcr.io/servicebinding/runtime/bundle@sha256:0df4ae70e3bd0feffcec8f5cdb428f4abe666b667af991269ec5cb0bbda65869 + - origins: + - preresolved: + url: ghcr.io/servicebinding/runtime/bundle@sha256:2723d68d49f941094afcf560b18ee886de71c13a4b0f3e9a9b2f4a9d2fc60baf + url: ghcr.io/servicebinding/runtime/bundle@sha256:2723d68d49f941094afcf560b18ee886de71c13a4b0f3e9a9b2f4a9d2fc60baf + labels: + control-plane: controller-manager + name: servicebinding-controller-manager + namespace: servicebinding-system +spec: + replicas: 1 + selector: + matchLabels: + control-plane: controller-manager + template: + metadata: 
+ annotations: + kubectl.kubernetes.io/default-container: manager + labels: + control-plane: controller-manager + spec: + containers: + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + image: ghcr.io/servicebinding/runtime/bundle@sha256:2723d68d49f941094afcf560b18ee886de71c13a4b0f3e9a9b2f4a9d2fc60baf + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=0 + image: ghcr.io/servicebinding/runtime/bundle@sha256:0df4ae70e3bd0feffcec8f5cdb428f4abe666b667af991269ec5cb0bbda65869 + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi + securityContext: + runAsNonRoot: true + serviceAccountName: servicebinding-controller-manager + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: servicebinding-serving-cert + namespace: servicebinding-system +spec: + dnsNames: + - servicebinding-webhook-service.servicebinding-system.svc + - servicebinding-webhook-service.servicebinding-system.svc.cluster.local + issuerRef: + kind: Issuer + name: servicebinding-selfsigned-issuer + secretName: webhook-server-cert +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + 
name: servicebinding-selfsigned-issuer + namespace: servicebinding-system +spec: + selfSigned: {} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: servicebinding-system/servicebinding-serving-cert + webhook.servicebinding.io/dynamic-rules: "" + name: servicebinding-admission-projector +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: servicebinding-webhook-service + namespace: servicebinding-system + path: /interceptor + failurePolicy: Fail + name: interceptor.servicebinding.io + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - servicebinding-system + - kube-system + reinvocationPolicy: IfNeeded + sideEffects: None +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: servicebinding-system/servicebinding-serving-cert + webhook.servicebinding.io/dynamic-rules: "" + name: servicebinding-trigger +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: servicebinding-webhook-service + namespace: servicebinding-system + path: /trigger + failurePolicy: Ignore + name: trigger.servicebinding.io + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - servicebinding-system + - kube-system + sideEffects: None +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: servicebinding-system/servicebinding-serving-cert + name: servicebinding-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: servicebinding-webhook-service + namespace: servicebinding-system + path: /validate-servicebinding-io-v1-clusterworkloadresourcemapping + failurePolicy: Fail + name: 
v1.clusterworkloadresourcemappings.servicebinding.io + rules: + - apiGroups: + - servicebinding.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - clusterworkloadresourcemappings + sideEffects: None +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: servicebinding-webhook-service + namespace: servicebinding-system + path: /validate-servicebinding-io-v1-servicebinding + failurePolicy: Fail + name: v1.servicebindings.servicebinding.io + rules: + - apiGroups: + - servicebinding.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - servicebindings + sideEffects: None +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: servicebinding-webhook-service + namespace: servicebinding-system + path: /validate-servicebinding-io-v1alpha3-clusterworkloadresourcemapping + failurePolicy: Fail + name: v1alpha3.clusterworkloadresourcemappings.servicebinding.io + rules: + - apiGroups: + - servicebinding.io + apiVersions: + - v1alpha3 + operations: + - CREATE + - UPDATE + resources: + - clusterworkloadresourcemappings + sideEffects: None +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: servicebinding-webhook-service + namespace: servicebinding-system + path: /validate-servicebinding-io-v1alpha3-servicebinding + failurePolicy: Fail + name: v1alpha3.servicebindings.servicebinding.io + rules: + - apiGroups: + - servicebinding.io + apiVersions: + - v1alpha3 + operations: + - CREATE + - UPDATE + resources: + - servicebindings + sideEffects: None +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: servicebinding-webhook-service + namespace: servicebinding-system + path: /validate-servicebinding-io-v1beta1-clusterworkloadresourcemapping + failurePolicy: Fail + name: v1beta1.clusterworkloadresourcemappings.servicebinding.io + rules: + - apiGroups: + - servicebinding.io + apiVersions: + - v1beta1 + operations: + - CREATE + 
- UPDATE + resources: + - clusterworkloadresourcemappings + sideEffects: None +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: servicebinding-webhook-service + namespace: servicebinding-system + path: /validate-servicebinding-io-v1beta1-servicebinding + failurePolicy: Fail + name: v1beta1.servicebindings.servicebinding.io + rules: + - apiGroups: + - servicebinding.io + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - servicebindings + sideEffects: None diff --git a/package/config/upstream/servicebinding-workloadresourcemappings-v0.7.0.yaml b/package/config/upstream/servicebinding-workloadresourcemappings-v0.9.0.yaml similarity index 96% rename from package/config/upstream/servicebinding-workloadresourcemappings-v0.7.0.yaml rename to package/config/upstream/servicebinding-workloadresourcemappings-v0.9.0.yaml index b6b15f9..c94c9f3 100644 --- a/package/config/upstream/servicebinding-workloadresourcemappings-v0.7.0.yaml +++ b/package/config/upstream/servicebinding-workloadresourcemappings-v0.9.0.yaml @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. --- -apiVersion: servicebinding.io/v1beta1 +apiVersion: servicebinding.io/v1 kind: ClusterWorkloadResourceMapping metadata: name: cronjobs.batch diff --git a/package/vendir.lock.yml b/package/vendir.lock.yml index 5159cef..2bd58ee 100644 --- a/package/vendir.lock.yml +++ b/package/vendir.lock.yml @@ -2,8 +2,8 @@ apiVersion: vendir.k14s.io/v1alpha1 directories: - contents: - githubRelease: - tag: v0.7.0 - url: https://api.github.com/repos/servicebinding/runtime/releases/132695530 + tag: v0.9.0 + url: https://api.github.com/repos/servicebinding/runtime/releases/155781958 path: . path: config/upstream kind: LockConfig diff --git a/package/vendir.yml b/package/vendir.yml index b0df139..e73a7f6 100644 --- a/package/vendir.yml +++ b/package/vendir.yml 
@@ -4,7 +4,7 @@ directories: - githubRelease: disableAutoChecksumValidation: true slug: servicebinding/runtime - tag: v0.7.0 + tag: v0.9.0 includePaths: - servicebinding-runtime-*.yaml - servicebinding-workloadresourcemappings-*.yaml diff --git a/test/integration/kuttl-test.yml b/test/integration/kuttl-test.yml index 9057857..8746595 100644 --- a/test/integration/kuttl-test.yml +++ b/test/integration/kuttl-test.yml @@ -17,14 +17,14 @@ commands: - script: | kubectl config set-context --current --namespace=tests && \ kapp deploy -a cert-manager-package -y \ - -f https://github.com/kadras-io/package-for-cert-manager/releases/download/v1.14.3/package.yml \ - -f https://github.com/kadras-io/package-for-cert-manager/releases/download/v1.14.3/metadata.yml + -f https://github.com/kadras-io/package-for-cert-manager/releases/download/v1.14.5/package.yml \ + -f https://github.com/kadras-io/package-for-cert-manager/releases/download/v1.14.5/metadata.yml kapp deploy -a contour-package -y \ - -f https://github.com/kadras-io/package-for-contour/releases/download/v1.28.1/package.yml \ - -f https://github.com/kadras-io/package-for-contour/releases/download/v1.28.1/metadata.yml + -f https://github.com/kadras-io/package-for-contour/releases/download/v1.29.0/package.yml \ + -f https://github.com/kadras-io/package-for-contour/releases/download/v1.29.0/metadata.yml kapp deploy -a knative-serving-package -y \ - -f https://github.com/kadras-io/package-for-knative-serving/releases/download/v1.13.1/package.yml \ - -f https://github.com/kadras-io/package-for-knative-serving/releases/download/v1.13.1/metadata.yml + -f https://github.com/kadras-io/package-for-knative-serving/releases/download/v1.14.0/package.yml \ + -f https://github.com/kadras-io/package-for-knative-serving/releases/download/v1.14.0/metadata.yml - script: | kubectl config set-context --current --namespace=tests && \ kapp deploy -a dependencies -y -f ./test/setup/dependencies 
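Review bot: The `githubRelease` entry in package/vendir.yml still carries `disableAutoChecksumValidation: true` on the line above the bumped `tag: v0.9.0`, so the new upstream manifests are vendored with no integrity check. The vendir.lock.yml hunk records only the tag and the release URL, not a content digest, so a replaced release asset would not be noticed on the next sync. The vendored files define the controller's RBAC, admission webhooks and image references, which makes this bump a good moment to pin them. Add a `checksums:` map under `githubRelease` with one SHA-256 per included asset, for example `servicebinding-workloadresourcemappings-v0.9.0.yaml: <sha256-of-release-asset>`, or remove the flag if the upstream release publishes checksums that vendir can validate automatically. The `directories` mapping starts and ends outside this hunk.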
diff --git a/test/setup/dependencies/cert-manager.yml b/test/setup/dependencies/cert-manager.yml index 6cd3db1..642e3b5 100644 --- a/test/setup/dependencies/cert-manager.yml +++ b/test/setup/dependencies/cert-manager.yml @@ -12,7 +12,7 @@ spec: packageRef: refName: cert-manager.packages.kadras.io versionSelection: - constraints: 1.14.3 + constraints: 1.14.5 values: - secretRef: name: cert-manager-values diff --git a/test/setup/dependencies/contour.yml b/test/setup/dependencies/contour.yml index 16823e0..fdf0276 100644 --- a/test/setup/dependencies/contour.yml +++ b/test/setup/dependencies/contour.yml @@ -13,7 +13,7 @@ spec: packageRef: refName: contour.packages.kadras.io versionSelection: - constraints: 1.28.1 + constraints: 1.29.0 values: - secretRef: name: contour-values diff --git a/test/setup/dependencies/knative-serving.yml b/test/setup/dependencies/knative-serving.yml index 7ee36f2..2fdc658 100644 --- a/test/setup/dependencies/knative-serving.yml +++ b/test/setup/dependencies/knative-serving.yml @@ -13,7 +13,7 @@ spec: packageRef: refName: knative-serving.packages.kadras.io versionSelection: - constraints: 1.13.1 + constraints: 1.14.0 values: - secretRef: name: knative-serving-values diff --git a/test/setup/kind/v1.28/kind-config.yml b/test/setup/kind/v1.28/kind-config.yml index 8c67fca..88636af 100644 --- a/test/setup/kind/v1.28/kind-config.yml +++ b/test/setup/kind/v1.28/kind-config.yml @@ -3,6 +3,6 @@ kind: Cluster apiVersion: kind.x-k8s.io/v1alpha4 nodes: - role: control-plane - image: kindest/node:v1.28.7 + image: kindest/node:v1.28.9 - role: worker - image: kindest/node:v1.28.7 + image: kindest/node:v1.28.9 diff --git a/test/setup/kind/v1.29/kind-config.yml b/test/setup/kind/v1.29/kind-config.yml index 8dea726..1284fef 100644 --- a/test/setup/kind/v1.29/kind-config.yml +++ b/test/setup/kind/v1.29/kind-config.yml 
@@ -3,6 +3,6 @@ kind: Cluster apiVersion: kind.x-k8s.io/v1alpha4 nodes: - role: control-plane - image: kindest/node:v1.29.2 + image: kindest/node:v1.29.4 - role: worker - image: kindest/node:v1.29.2 + image: kindest/node:v1.29.4 diff --git a/test/setup/kind/v1.27/kind-config.yml b/test/setup/kind/v1.30/kind-config.yml similarity index 61% rename from test/setup/kind/v1.27/kind-config.yml rename to test/setup/kind/v1.30/kind-config.yml index 36a8d8a..a477444 100644 --- a/test/setup/kind/v1.27/kind-config.yml +++ b/test/setup/kind/v1.30/kind-config.yml @@ -3,6 +3,6 @@ kind: Cluster apiVersion: kind.x-k8s.io/v1alpha4 nodes: - role: control-plane - image: kindest/node:v1.27.11 + image: kindest/node:v1.30.0 - role: worker - image: kindest/node:v1.27.11 + image: kindest/node:v1.30.0