Merge pull request #972 from vshn/develop

⬆️ Update appcat version to v4.172.0

Author: Kidswiss

.gitignore

@@ -8,6 +8,7 @@
 .kind
 .idea
 .vscode
+.env
 
 # sloth artifacts
 sloth-*-*-*

Makefile

@@ -103,6 +103,8 @@ cluster=https://kubernetes.default.svc
 push-golden: commodore_args += -f tests/$(instance).yml
 push-golden: clean gen-golden ## Push the target instance to the local forgejo instance, so it can be applied by argocd
 	cd tests/golden/$(instance)/appcat/appcat && \
+	git config user.email "[email protected]" && \
+	git config user.name "DevContainer User" && \
 	git init --initial-branch=master && \
 	git add . && \
 	git commit -m "update" && \

README.md

@@ -80,6 +80,38 @@ Linux oneliner: echo `ip -4 addr show dev docker0 | grep inet | awk -F' ' '{prin
 
 Also make sure that `facts.appcat_dev` is set on the target you want to proxy. This is a safeguard so we don't accidentally enable it on prod clusters.
 
+## Kubeconfig Environment Variables in Kuttl E2E Tests
+
+Our Kuttl E2E tests use a job-within-a-job pattern where tests run in two separate clusters:
+- **control plane cluster** (where AppCat CRDs live)
+- **service cluster** (where actual workloads run).
+
+This requires careful handling of kubeconfig files to enable cross-cluster operations.
+
+### Environment Variables
+
+We use four environment variables to manage kubeconfigs:
+
+### 1. `CONTROL_PLANE_KUBECONFIG_CONTENT` **mandatory** (base64-encoded)
+- **Purpose**: Contains the entire control plane kubeconfig as a base64-encoded string
+- **Why needed**: Can be injected as an environment variable into containers and scripts
+- **Usage**: Scripts decode this to create `/tmp/control-plane-config`
+
+### 2. `SERVICE_CLUSTER_KUBECONFIG_CONTENT` **mandatory** (base64-encoded)
+- **Purpose**: Contains the entire service cluster kubeconfig as a base64-encoded string, equals to `CONTROL_PLANE_KUBECONFIG_CONTENT` in converged mode
+- **Why needed**: Can be injected as an environment variable into containers and scripts
+- **Usage**: Scripts decode this to create `/tmp/service-cluster-config`
+
+### 3. `IN_CLUSTER_CONTROL_PLANE_KUBECONFIG` **optional** (file path)
+- **Purpose**: Path to the kubeconfig file **as seen from within the control plane cluster**
+- **Why needed**: Used to create Kubernetes secrets that mount the kubeconfig into pods
+- **Example**: `/tmp/control-plane-config` or the original `~/.kube/config`
+
+### 4. `IN_CLUSTER_SERVICE_CLUSTER_KUBECONFIG` **optional**  (file path)
+- **Purpose**: Path to the kubeconfig file **as seen from within the service cluster**
+- **Why needed**: Used to create Kubernetes secrets that mount the kubeconfig into pods
+- **Example**: `/tmp/service-cluster-config` or the original `~/.kube/config`
+
 ## Documentation
 
 The rendered documentation for this component is available on the [Commodore Components Hub](https://hub.syn.tools/appcat).

class/defaults.yml

@@ -18,13 +18,13 @@ parameters:
         version: 5.4.0
       keycloak:
         source: https://codecentric.github.io/helm-charts
-        version: 7.1.3
+        version: 7.1.4
       nextcloud:
         source: https://nextcloud.github.io/helm/
-        version: 8.0.1
+        version: 8.4.1
       forgejo:
         source: oci://code.forgejo.org/forgejo-helm/forgejo
-        version: 14.0.2
+        version: 14.0.4
       cnpg:
         source: https://cloudnative-pg.io/charts/
         version: 0.26.0
@@ -44,7 +44,7 @@ parameters:
       provider-helm:
         registry: ghcr.io
         repository: crossplane-contrib/provider-helm
-        tag: v1.0.0
+        tag: v1.0.2
       provider-exoscale:
         registry: ghcr.io
         repository: vshn/provider-exoscale
@@ -72,31 +72,31 @@ parameters:
       appcat:
         registry: ghcr.io
         repository: vshn/appcat
-        tag: v4.171.3
+        tag: v4.172.0
       functionAppcat:
         registry: ${appcat:images:appcat:registry}
         repository: ${appcat:images:appcat:repository}
         tag: ${appcat:images:appcat:tag}-func
       functionpnt:
         registry: xpkg.upbound.io
         repository: crossplane-contrib/function-patch-and-transform
-        tag: v0.1.4
+        tag: v0.9.1
       reporting:
         registry: ghcr.io
         repository: appuio/appuio-reporting
-        tag: v0.2.1
+        tag: v0.2.2
       collector:
         registry: ghcr.io
         repository: vshn/billing-collector-cloudservices
         tag: v3.6.0
       kubectl:
         registry: docker.io
         image: bitnamilegacy/kubectl
-        tag: '1.25.15'
+        tag: "1.25.15"
       proxysql:
         registry: docker.io
         image: proxysql/proxysql
-        version: '3.0.2'
+        version: "3.0.2"
       collabora:
         registry: docker.io
         image: collabora/code
@@ -166,6 +166,7 @@ parameters:
       hotfix: ""
       enabled: true
       additionalFunctionBranches: []
+      minimumRevisionAge: 168h # 7 days
 
     crossplane:
       namespace: syn-crossplane
@@ -231,6 +232,7 @@ parameters:
       clusterID: ${cluster:name}
       cloudZone: ""
       instanceUOM: uom_uom_45_1e112771
+      customResourceDeletionAfter: "180"
       enableMockOrgInfo: false
       salesOrder: ${facts:sales_order}
       vshn:
@@ -239,6 +241,7 @@ parameters:
         # Deploy metering prometheus rules
         meteringRules: true
       cloud:
+        appuioControlKubeConfig: "?{vaultkv:__shared__/__shared__/appcat/appuio-control-kubeconfig}"
         secrets:
           exoscale:
             credentials:
@@ -1035,6 +1038,7 @@ parameters:
             registry_password: "?{vaultkv:__shared__/__shared__/appcat/inventage_registry_password}"
             ingress_annotations: |
               cert-manager.io/cluster-issuer: letsencrypt-production
+            defaultPGComposition: vshnpostgres.vshn.appcat.vshn.io
           openshiftTemplate:
             serviceName: keycloakbyvshn
             description: "Keycloak is an open source identity and access management solution."
@@ -1099,6 +1103,7 @@ parameters:
             nextcloud_image: ${appcat:images:nextcloud:registry}/${appcat:images:nextcloud:image}
             busybox_image: ${appcat:images:busybox:registry}/${appcat:images:busybox:image}
             kubectl_image: ${appcat:images:kubectl:registry}/${appcat:images:kubectl:image}:${appcat:images:kubectl:tag}
+            defaultPGComposition: vshnpostgres.vshn.appcat.vshn.io
           openshiftTemplate:
             serviceName: nextcloudbyvshn
             description: "Nextcloud is an open source suite of client-server software for creating and using file hosting services."

component/billing.jsonnet

@@ -35,6 +35,16 @@ local odooSecret = kube.Secret('odoo-credentials') {
   },
 };
 
+local appuioControlSecret = kube.Secret('appuio-control-sa') {
+  metadata+: {
+    namespace: paramsBilling.namespace,
+    labels+: cronjob.Labels,
+  },
+  stringData: {
+    kubeconfig: paramsBilling.cloud.appuioControlKubeConfig,
+  },
+};
+
 local commonEnv = std.prune([
   {
     name: 'AR_ODOO_OAUTH_TOKEN_URL',
@@ -225,7 +235,9 @@ local vshnServices = common.FilterServiceByBoolean('billing');
 local billingCronjobs = std.flattenArrays(std.flatMap(function(r) [ generateCloudAndManaged(r.name, false) ], vshnServices));
 local billingAddOnsCronjobs = std.flattenArrays(std.flatMap(function(addOn) [ generateCloudAndManaged(addOn, true) ], addOns));
 
-if paramsBilling.vshn.enableCronjobs then
+{
+  [if params.billingEnabled then 'billing/10_appuio_control_secret']: appuioControlSecret,
+} + if paramsBilling.vshn.enableCronjobs then
   {
     [if std.length(std.filter(function(name) paramsBilling.network_policies.target_namespaces[name] == true, std.objectFields(paramsBilling.network_policies.target_namespaces))) > 0 then 'billing/01_netpol']: netPol.Policies,
     'billing/10_odoo_secret': odooSecret,

component/common.libsonnet

@@ -275,10 +275,15 @@ local getDefaultInputs(name, serviceParams, plans, xrd, appuioManaged) = {
   [if std.objectHas(serviceParams, 'sideCars') then 'sideCars']: std.toString(serviceParams.sideCars),
   crossplaneNamespace: params.crossplane.namespace,
   ignoreNamespaceForBilling: params.billing.ignoreNamespace,
+  billingUnitID: params.billing.instanceUOM,
+  crDeletionAfter: params.billing.customResourceDeletionAfter,
+  billingEnabled: std.toString(params.billingEnabled),
+  clusterName: inv.parameters.cluster.name,
   [if std.objectHas(serviceParams, 'imageRegistry') then 'imageRegistry']: serviceParams.imageRegistry,
   [if std.objectHas(serviceParams, 'imageRepositoryPrefix') then 'imageRepositoryPrefix']: serviceParams.imageRepositoryPrefix,
   [if std.objectHas(serviceParams, 'maintenanceURL') then 'maintenanceURL']: serviceParams.maintenanceURL,
   releaseManagementEnabled: std.toString(params.deploymentManagementSystem.enabled),
+  minimumRevisionAge: params.deploymentManagementSystem.minimumRevisionAge,
 } + (if std.objectHas(params.charts, name) then {
        chartRepository: params.charts[name].source,
        chartVersion: params.charts[name].version,

component/provider.jsonnet

@@ -194,6 +194,11 @@ local providerRBAC = {
         resources: [ 'compositionrevisions' ],
         verbs: [ 'get', 'list' ],
       },
+      {
+        apiGroups: [ 'vshn.appcat.vshn.io' ],
+        resources: [ 'billingservices' ],
+        verbs: [ 'get', 'list', 'watch', 'create', 'watch', 'patch', 'update', 'delete' ],
+      },
     ],
   },
   helm: {

postprocess/add_argo_annotations.jsonnet

@@ -23,6 +23,9 @@ local annotationMap = {
   ClusterRoleBinding: {
     'argocd.argoproj.io/sync-wave': '-100',
   },
+  Secret: {
+    'argocd.argoproj.io/sync-wave': '-100',
+  },
   ObjectBucket: {
     'argocd.argoproj.io/sync-options': 'Prune=false,SkipDryRunOnMissingResource=true',
   },

tests/control-plane.yml

@@ -7,33 +7,25 @@ parameters:
       - type: https
         source: https://raw.githubusercontent.com/appuio/component-openshift4-operators/v1.4.0/lib/openshift4-operators.libsonnet
         output_path: vendor/lib/openshift4-operators.libsonnet
-
   facts:
     cloud: cloudscale
     sales_order: "10431"
     appcat_dev: true
     service_level: "premium"
-
-
   global:
     appuio_metered_billing_zone_label_map:
       c-green-test-1234: 'Kind - Local Test 0'
-
   crossplane:
     namespace: syn-crossplane
-
   appcat:
-
     clusterManagementSystem:
       controlPlaneCluster: true
       serviceCluster: false
       serviceClusterKubeconfigs:
         - name: kind
           config: "dummy" # `make vcluster-host-kubeconfig` in kindev
-
-    grpcEndpoint: 172.17.0.1:9443
+    grpcEndpoint: 172.19.0.1:9443
     proxyFunction: false
-
     quotasEnabled: false
     appuioManaged: false
     billing:
@@ -49,7 +41,6 @@ parameters:
       prometheus:
         url: http://prometheus-operated.prometheus-system:9090/prometheus
       cloudZone: ${global:appuio_metered_billing_zone_label_map:${cluster:name}}
-
     slos:
       enabled: true
       alertsEnabled: false
@@ -80,18 +71,17 @@ parameters:
             apiSecretRef:
               name: minio-secret
               namespace: syn-crossplane
-
     apiserver:
       enabled: true
       env:
         APPCAT_HANDLER_ENABLED: "true"
         VSHN_POSTGRES_BACKUP_HANDLER_ENABLED: "true"
         VSHN_REDIS_BACKUP_HANDLER_ENABLED: "true"
-
     services:
       emailAlerting:
         enabled: false
       vshn:
+        e2eTests: true
         enabled: true
         externalDatabaseConnectionsEnabled: true
         mariadb:
@@ -112,19 +102,17 @@ parameters:
               cert-manager.io/cluster-issuer: letsencrypt-staging
               nginx.ingress.kubernetes.io/enable-cors: "true"
               nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For"
-
         forgejo:
           enabled: true
           # https://vault-prod.syn.vshn.net/ui/vault/secrets/clusters%2Fkv/kv/__shared__%2F__shared__%2Fappcat/details?version=2
           additionalInputs:
             registry_username: ""
             registry_password: ""
-
         postgres:
           sgNamespace: stackgres
           additionalInputs:
             loadbalancerAnnotations: |
-                foo: bar
+              foo: bar
           plans:
             standard-8:
               enabled: false
@@ -182,11 +170,9 @@ parameters:
                     disk: 20Gi
                 writeConnectionSecretToRef:
                   name: minio-cluster-credentials
-
       generic:
         objectstorage:
           enabled: true
-
           defaultComposition: minio
           compositions:
             exoscale:

tests/dev.yml

@@ -12,6 +12,9 @@ parameters:
     appcat:
       version: debug
 
+  cluster:
+    name: c-green-test-1234
+
   facts:
     cloud: cloudscale
     region: lpg
@@ -42,14 +45,14 @@ parameters:
         registry: dockerhub.vshn.net
       busybox:
         registry: dockerhub.vshn.net
-
-    grpcEndpoint: 172.19.0.1:9443
+    grpcEndpoint: 172.18.0.1:9443
     proxyFunction: true
 
     quotasEnabled: false
     appuioManaged: false
+    #billingEnabled: true
     billing:
-      salesOrder: ST10120
+      salesOrder: ""
       vshn:
         enableCronjobs: false
         meteringRules: true
@@ -82,8 +85,18 @@ parameters:
         enabled: false
       kubernetes:
         enabled: true
+        additionalProviderConfigs:
+          - name: kind
+            spec:
+              credentials:
+                source: InjectedIdentity
       helm:
         enabled: true
+        additionalProviderConfigs:
+          - name: kind
+            spec:
+              credentials:
+                source: InjectedIdentity
       minio:
         enabled: true
         defaultProviderConfig: