mirror of
https://github.com/kubevela/kubevela.git
synced 2026-02-14 18:10:21 +00:00
36f217e258
* feat: implement output resource existence validation in component, trait, and policy definitions Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> feat: add validation tests for ComponentDefinition and TraitDefinition outputs - Implement tests for ComponentDefinition with non-existent CRDs in outputs, ensuring they are rejected. - Add tests for valid outputs in ComponentDefinition, confirming acceptance. - Include tests for mixed valid and non-K8s outputs in ComponentDefinition, verifying they pass validation. - Test handling of empty outputs in ComponentDefinition, ensuring they are accepted. - Introduce tests for invalid apiVersion formats in ComponentDefinition, confirming rejection. - Add tests for TraitDefinition with mixed valid and invalid outputs, ensuring proper rejection. - Create YAML manifests for valid and invalid ComponentDefinitions and TraitDefinitions to support e2e tests. - Ensure comprehensive coverage of edge cases in output validation logic. Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> fix: handle errors in resource validation for component, trait, and policy definitions Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> fix: improve error handling in Go module tidy and resource validation Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> feat: add webhook debugging setup and validation tests for ComponentDefinition and TraitDefinition Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> feat: add VS Code launch configuration for debugging webhook validation Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> refactor: streamline error handling in Go module tidy and remove obsolete test manifests Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> feat: add mock context support for CUE template compilation Signed-off-by: Reetika Malhotra <malhotra.reetika25@gmail.com> Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> feat: enhance validation for WorkflowStepDefinition resources and improve output resource checks Signed-off-by: viskumar <viskumar@guidewire.com> Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> feat: implement resource validation for CUE templates and add unit tests Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> feat: enhance logging and validation for component, policy, and trait definitions Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> feat: improve error handling and logging in validation handlers for component, policy, trait, and workflow step definitions Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> Remove testUnknownResource folder from repository Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> feat: implement structured logging for validation handlers and remove deprecated request_logger Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> feat: enhance structured logging and error handling in admission validation handlers Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> feat: improve logging messages in validating handlers for better clarity Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> feat: refactor logging field definitions for consistency and improve error handling in resource validation Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> chore: add license header to invalid_resource_check.go and invalid_resource_check_test.go Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> feat: enhance validation tests for WorkflowStepDefinition and improve error messages Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> feat: add e2e-test-local target for k3d cluster setup and webhook validation Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> feat: add webhook configuration for workflow step definitions with validation rules Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> feat: update e2e-test-local configuration and improve Ingress API version compatibility Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> feat: add installation of FluxCD CRDs in pre-hook to prevent webhook validation errors Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> feat: add ValidateResourcesExist feature gate and enhance resource validation in webhook handlers Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> feat: enhance resource validation in e2e tests and improve addon definition checks Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> feat: enhance addon definition detection by using owner references for validation Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> feat: add ValidateResourcesExist feature gate and implement webhook validation for resource existence Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> feat: update Ingress API version to v1 and adjust service references in tests Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> chore: remove webhook test commands and related YAML files from makefiles and tests Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> chore: remove architecture section from webhook debugging guide Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> feat: update webhook setup script with k3d host gateway IP note and improve cluster creation logic Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> * Fix: Correct path in Ingress resource definition in template tests Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> * Chore: add empty line to re-trigger failing workflow Signed-off-by: Vaibhav Agrawal <vaibhav.agrawal0096@gmail.com> * Chore: remove space to re-trigger workflow Signed-off-by: Chaitanya Reddy Onteddu <co@guidewire.com> --------- Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> Signed-off-by: Vaibhav Agrawal <vaibhav.agrawal0096@gmail.com> Signed-off-by: Chaitanya Reddy Onteddu <co@guidewire.com> Co-authored-by: Chaitanya Reddy Onteddu <chaitanyareddy0702@gmail.com> Co-authored-by: Amit Singh <amisingh@guidewire.com>
330 lines
14 KiB
YAML
330 lines
14 KiB
YAML
# Default values for kubevela.
|
|
# This is a YAML-formatted file.
|
|
# Declare variables to be passed into your templates.
|
|
|
|
## @section KubeVela core parameters
|
|
|
|
## @param systemDefinitionNamespace System definition namespace, if unspecified, will use built-in variable `.Release.Namespace`.
|
|
systemDefinitionNamespace:
|
|
|
|
## @param applicationRevisionLimit Application revision limit
|
|
applicationRevisionLimit: 2
|
|
|
|
## @param definitionRevisionLimit Definition revision limit
|
|
definitionRevisionLimit: 2
|
|
|
|
## @param concurrentReconciles concurrentReconciles is the concurrent reconcile number of the controller
|
|
concurrentReconciles: 4
|
|
|
|
## @param controllerArgs.reSyncPeriod The period for resync the applications
|
|
controllerArgs:
|
|
reSyncPeriod: 5m
|
|
|
|
|
|
## @section KubeVela workflow parameters
|
|
|
|
## @param workflow.enableSuspendOnFailure Enable suspend on workflow failure
|
|
## @param workflow.enableExternalPackageForDefaultCompiler Enable external package for default cuex compiler
|
|
## @param workflow.enableExternalPackageWatchForDefaultCompiler Enable external package watch for default cuex compiler
|
|
## @param workflow.backoff.maxTime.waitState The max backoff time of workflow in a wait condition
|
|
## @param workflow.backoff.maxTime.failedState The max backoff time of workflow in a failed condition
|
|
## @param workflow.step.errorRetryTimes The max retry times of a failed workflow step
|
|
workflow:
|
|
enableSuspendOnFailure: false
|
|
enableExternalPackageForDefaultCompiler: true
|
|
enableExternalPackageWatchForDefaultCompiler: false
|
|
backoff:
|
|
maxTime:
|
|
waitState: 60
|
|
failedState: 300
|
|
step:
|
|
errorRetryTimes: 10
|
|
|
|
|
|
## @section KubeVela controller parameters
|
|
|
|
## @param replicaCount KubeVela controller replica count
|
|
replicaCount: 1
|
|
|
|
## @param imageRegistry Image registry
|
|
imageRegistry: ""
|
|
## @param image.repository Image repository
|
|
## @param image.tag Image tag
|
|
## @param image.pullPolicy Image pull policy
|
|
image:
|
|
repository: oamdev/vela-core
|
|
tag: latest
|
|
pullPolicy: Always
|
|
|
|
## @param resources.limits.cpu KubeVela controller's cpu limit
|
|
## @param resources.limits.memory KubeVela controller's memory limit
|
|
## @param resources.requests.cpu KubeVela controller's cpu request
|
|
## @param resources.requests.memory KubeVela controller's memory request
|
|
resources:
|
|
limits:
|
|
cpu: 500m
|
|
memory: 1Gi
|
|
requests:
|
|
cpu: 50m
|
|
memory: 20Mi
|
|
|
|
## @param webhookService.type KubeVela webhook service type
|
|
## @param webhookService.port KubeVela webhook service port
|
|
webhookService:
|
|
type: ClusterIP
|
|
port: 9443
|
|
|
|
## @param healthCheck.port KubeVela health check port
|
|
healthCheck:
|
|
port: 9440
|
|
|
|
## @skip readinessProbe
|
|
readinessProbe:
|
|
failureThreshold: 3
|
|
initialDelaySeconds: 30
|
|
periodSeconds: 5
|
|
successThreshold: 1
|
|
timeoutSeconds: 1
|
|
## @skip livenessProbe
|
|
livenessProbe:
|
|
failureThreshold: 3
|
|
initialDelaySeconds: 90
|
|
periodSeconds: 5
|
|
successThreshold: 1
|
|
timeoutSeconds: 1
|
|
|
|
## @section KubeVela controller optimization parameters
|
|
##@param optimize.cachedGvks Optimize types of resources to be cached.
|
|
##@param optimize.markWithProb Optimize ResourceTracker GC by only run mark with probability. Side effect: outdated ResourceTracker might not be able to be removed immediately.
|
|
##@param optimize.disableComponentRevision Optimize componentRevision by disabling the creation and gc
|
|
##@param optimize.disableApplicationRevision Optimize ApplicationRevision by disabling the creation and gc.
|
|
##@param optimize.enableInMemoryWorkflowContext Optimize workflow by use in-memory context.
|
|
##@param optimize.disableResourceApplyDoubleCheck Optimize workflow by ignoring resource double check after apply.
|
|
##@param optimize.enableResourceTrackerDeleteOnlyTrigger Optimize resourcetracker by only trigger reconcile when resourcetracker is deleted.
|
|
optimize:
|
|
cachedGvks: ""
|
|
markWithProb: 0.1
|
|
disableComponentRevision: true
|
|
disableApplicationRevision: false
|
|
enableInMemoryWorkflowContext: false
|
|
disableResourceApplyDoubleCheck: false
|
|
enableResourceTrackerDeleteOnlyTrigger: true
|
|
|
|
##@param featureGates.gzipResourceTracker compress ResourceTracker using gzip (good) before being stored. This is reduces network throughput when dealing with huge ResourceTrackers.
|
|
##@param featureGates.zstdResourceTracker compress ResourceTracker using zstd (fast and good) before being stored. This is reduces network throughput when dealing with huge ResourceTrackers. Note that zstd will be prioritized if you enable other compression options.
|
|
##@param featureGates.applyOnce if enabled, the apply-once feature will be applied to all applications, no state-keep and no resource data storage in ResourceTracker
|
|
##@param featureGates.multiStageComponentApply if enabled, the multiStageComponentApply feature will be combined with the stage field in TraitDefinition to complete the multi-stage apply.
|
|
##@param featureGates.gzipApplicationRevision compress apprev using gzip (good) before being stored. This is reduces network throughput when dealing with huge apprevs.
|
|
##@param featureGates.zstdApplicationRevision compress apprev using zstd (fast and good) before being stored. This is reduces network throughput when dealing with huge apprevs. Note that zstd will be prioritized if you enable other compression options.
|
|
##@param featureGates.preDispatchDryRun enable dryrun before dispatching resources. Enable this flag can help prevent unsuccessful dispatch resources entering resourcetracker and improve the user experiences of gc but at the cost of increasing network requests.
|
|
##@param featureGates.validateComponentWhenSharding enable component validation in webhook when sharding mode enabled
|
|
##@param featureGates.disableWebhookAutoSchedule disable auto schedule for application mutating webhook when sharding enabled
|
|
##@param featureGates.disableBootstrapClusterInfo disable the cluster info bootstrap at the starting of the controller
|
|
##@param featureGates.informerCacheFilterUnnecessaryFields filter unnecessary fields for informer cache
|
|
##@param featureGates.sharedDefinitionStorageForApplicationRevision use definition cache to reduce duplicated definition storage for application revision, must be used with InformerCacheFilterUnnecessaryFields
|
|
##@param featureGates.disableWorkflowContextConfigMapCache disable the workflow context's configmap informer cache
|
|
##@param featureGates.enableCueValidation enable the strict cue validation for cue required parameter fields
|
|
##@param featureGates.enableApplicationStatusMetrics enable application status metrics and structured logging
|
|
##@param featureGates.validateResourcesExist enable webhook validation to check if resource types referenced in definition templates exist in the cluster
|
|
##@param
|
|
featureGates:
|
|
gzipResourceTracker: false
|
|
zstdResourceTracker: true
|
|
applyOnce: false
|
|
multiStageComponentApply: true
|
|
gzipApplicationRevision: false
|
|
zstdApplicationRevision: true
|
|
preDispatchDryRun: true
|
|
validateComponentWhenSharding: false
|
|
disableWebhookAutoSchedule: false
|
|
disableBootstrapClusterInfo: false
|
|
informerCacheFilterUnnecessaryFields: true
|
|
sharedDefinitionStorageForApplicationRevision: true
|
|
disableWorkflowContextConfigMapCache: true
|
|
enableCueValidation: false
|
|
enableApplicationStatusMetrics: false
|
|
validateResourcesExist: false
|
|
|
|
## @section MultiCluster parameters
|
|
|
|
## @param multicluster.enabled Whether to enable multi-cluster
|
|
## @param multicluster.metrics.enabled Whether to enable multi-cluster metrics collect
|
|
## @param multicluster.clusterGateway.direct controller will connect to ClusterGateway directly instead of going to Kubernetes APIServer
|
|
## @param multicluster.clusterGateway.replicaCount ClusterGateway replica count
|
|
## @param multicluster.clusterGateway.port ClusterGateway port
|
|
## @param multicluster.clusterGateway.image.repository ClusterGateway image repository
|
|
## @param multicluster.clusterGateway.image.tag ClusterGateway image tag
|
|
## @param multicluster.clusterGateway.image.pullPolicy ClusterGateway image pull policy
|
|
## @param multicluster.clusterGateway.resources.requests.cpu ClusterGateway cpu request
|
|
## @param multicluster.clusterGateway.resources.requests.memory ClusterGateway memory request
|
|
## @param multicluster.clusterGateway.resources.limits.cpu ClusterGateway cpu limit
|
|
## @param multicluster.clusterGateway.resources.limits.memory ClusterGateway memory limit
|
|
## @param multicluster.clusterGateway.secureTLS.enabled Whether to enable secure TLS
|
|
## @param multicluster.clusterGateway.secureTLS.certPath Path to the certificate file
|
|
## @param multicluster.clusterGateway.secureTLS.certManager.enabled Whether to enable cert-manager
|
|
## @param multicluster.clusterGateway.serviceMonitor.enabled Whether to enable service monitor
|
|
## @param multicluster.clusterGateway.serviceMonitor.additionalLabels Additional labels for service monitor
|
|
multicluster:
|
|
enabled: true
|
|
metrics:
|
|
enabled: false
|
|
clusterGateway:
|
|
direct: true
|
|
serviceMonitor:
|
|
enabled: false
|
|
additionalLabels: { }
|
|
replicaCount: 1
|
|
port: 9443
|
|
image:
|
|
repository: oamdev/cluster-gateway
|
|
tag: v1.9.0-alpha.2
|
|
pullPolicy: IfNotPresent
|
|
resources:
|
|
requests:
|
|
cpu: 50m
|
|
memory: 20Mi
|
|
limits:
|
|
cpu: 500m
|
|
memory: 200Mi
|
|
secureTLS:
|
|
enabled: true
|
|
certManager:
|
|
enabled: false
|
|
certPath: /etc/k8s-cluster-gateway-certs
|
|
|
|
|
|
## @section Test parameters
|
|
|
|
## @param test.app.repository Test app repository
|
|
## @param test.app.tag Test app tag
|
|
## @param test.k8s.repository Test k8s repository
|
|
## @param test.k8s.tag Test k8s tag
|
|
test:
|
|
app:
|
|
repository: oamdev/hello-world
|
|
tag: v1
|
|
k8s:
|
|
repository: oamdev/alpine-k8s
|
|
tag: 1.18.2
|
|
|
|
|
|
## @section Common parameters
|
|
|
|
## @param imagePullSecrets Image pull secrets
|
|
imagePullSecrets: []
|
|
## @param nameOverride Override name
|
|
nameOverride: ""
|
|
## @param fullnameOverride Fullname override
|
|
fullnameOverride: ""
|
|
|
|
## @param serviceAccount.create Specifies whether a service account should be created
|
|
## @param serviceAccount.annotations Annotations to add to the service account
|
|
## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated using the fullname template
|
|
serviceAccount:
|
|
# Specifies whether a service account should be created
|
|
create: true
|
|
# Annotations to add to the service account
|
|
annotations: {}
|
|
# The name of the service account to use.
|
|
# If not set and create is true, a name is generated using the fullname template
|
|
name:
|
|
|
|
## @skip podSecurityContext
|
|
podSecurityContext: {}
|
|
# fsGroup: 2000
|
|
|
|
## @skip securityContext
|
|
securityContext: {}
|
|
# capabilities:
|
|
# drop:
|
|
# - ALL
|
|
# readOnlyRootFilesystem: true
|
|
# runAsNonRoot: true
|
|
# runAsUser: 1000
|
|
|
|
## @param nodeSelector Node selector
|
|
nodeSelector: {}
|
|
|
|
## @param tolerations Tolerations
|
|
tolerations: []
|
|
|
|
## @param affinity Affinity
|
|
affinity: {}
|
|
|
|
## @param rbac.create Specifies whether a RBAC role should be created
|
|
rbac:
|
|
create: true
|
|
|
|
## @param logDebug Enable debug logs for development purpose
|
|
logDebug: false
|
|
|
|
## @param logFilePath If non-empty, write log files in this path
|
|
logFilePath: ""
|
|
|
|
## @param logFileMaxSize Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited.
|
|
logFileMaxSize: 1024
|
|
|
|
## @skip admissionWebhooks
|
|
admissionWebhooks:
|
|
enabled: true
|
|
failurePolicy: Fail
|
|
certificate:
|
|
mountPath: /etc/k8s-webhook-certs
|
|
patch:
|
|
enabled: true
|
|
image:
|
|
repository: oamdev/kube-webhook-certgen
|
|
tag: v2.4.1
|
|
pullPolicy: IfNotPresent
|
|
nodeSelector: {}
|
|
affinity: {}
|
|
tolerations: []
|
|
appConversion:
|
|
enabled: false
|
|
certManager:
|
|
enabled: false
|
|
revisionHistoryLimit: 3
|
|
|
|
## @param kubeClient.qps The qps for reconcile clients
|
|
## @param kubeClient.burst The burst for reconcile clients
|
|
kubeClient:
|
|
qps: 400
|
|
burst: 600
|
|
|
|
## @param authentication.enabled Enable authentication framework for applications
|
|
## SECURITY NOTE: When enabled WITH authentication.withUser=true, KubeVela impersonates the requesting user
|
|
## when deploying resources, ensuring that users cannot deploy resources beyond their RBAC permissions.
|
|
## This is strongly recommended when KubeVela has cluster-admin or other high-level permissions.
|
|
## @param authentication.withUser Application authentication will impersonate as the request User (must be true for security)
|
|
## @param authentication.defaultUser Application authentication will impersonate as the User if no user provided or withUser is false
|
|
## @param authentication.groupPattern Application authentication will impersonate as the request Group that matches the pattern
|
|
authentication:
|
|
enabled: false
|
|
withUser: true
|
|
defaultUser: kubevela:vela-core
|
|
groupPattern: kubevela:*
|
|
|
|
## @param authorization.definitionValidationEnabled Enable definition permission validation for RBAC checks on definitions
|
|
## SECURITY NOTE: If KubeVela is running with cluster-admin or high-level permissions,
|
|
## consider enabling this feature and/or authentication.enabled for security:
|
|
## - This feature: Validates users can only reference definitions they have RBAC access to
|
|
## - authentication.enabled: Makes KubeVela impersonate users, applying their full RBAC permissions
|
|
## Both features can be used together for defense in depth.
|
|
authorization:
|
|
definitionValidationEnabled: false
|
|
|
|
## @param sharding.enabled When sharding enabled, the controller will run as master mode. Refer to https://github.com/kubevela/kubevela/blob/master/design/vela-core/sharding.md for details.
|
|
## @param sharding.schedulableShards The shards available for scheduling. If empty, dynamic discovery will be used.
|
|
sharding:
|
|
enabled: false
|
|
schedulableShards: ""
|
|
|
|
## @param core.metrics.enabled Enable metrics for vela-core
|
|
## @param core.metrics.serviceMonitor.enabled Enable service monitor for metrics
|
|
## @param core.metrics.serviceMonitor.additionalLabels Additional labels for service monitor
|
|
core:
|
|
metrics:
|
|
enabled: false
|
|
serviceMonitor:
|
|
enabled: false
|
|
additionalLabels: {} |