From 243c4fa57e333b15f005e28f50137e884b1e7f61 Mon Sep 17 00:00:00 2001 From: Simon Gerber Date: Tue, 10 Mar 2026 15:18:06 +0100 Subject: [PATCH 1/5] Reformat `control-api.jsonnet` --- component/control-api.jsonnet | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/component/control-api.jsonnet b/component/control-api.jsonnet index 9b76511..fdbc78f 100644 --- a/component/control-api.jsonnet +++ b/component/control-api.jsonnet @@ -178,11 +178,12 @@ local apiserverDeploymentVolumesPatch = if validCertSecret then { ], } else {}; -local apiserverDeploymentPatch = apiserverDeploymentArgsPatch - + apiserverDeploymentEnvPatch - + apiserverDeploymentResourcesPatch - + apiserverOdooConfigPatch - + apiserverDeploymentVolumesPatch; +local apiserverDeploymentPatch = + apiserverDeploymentArgsPatch + + apiserverDeploymentEnvPatch + + apiserverDeploymentResourcesPatch + + apiserverOdooConfigPatch + + apiserverDeploymentVolumesPatch; local apiserverRoleBindingPatch = patches.LabelPatch('Service', 'control-api-apiserver', std.toString({ name: 'control-api-apiserver', @@ -364,9 +365,10 @@ local controllerServicePatch = patches.LabelPatch('Service', 'control-api-contro //////////////// // Misc -local apiservicePatches = patches.ApiServicePatch('v1.organization.appuio.io', params.apiserver.apiservice.insecureSkipTLSVerify, params.apiserver.tls.serverCert) - + patches.ApiServicePatch('v1.user.appuio.io', params.apiserver.apiservice.insecureSkipTLSVerify, params.apiserver.tls.serverCert) - + patches.ApiServicePatch('v1.billing.appuio.io', params.apiserver.apiservice.insecureSkipTLSVerify, params.apiserver.tls.serverCert); +local apiservicePatches = + patches.ApiServicePatch('v1.organization.appuio.io', params.apiserver.apiservice.insecureSkipTLSVerify, params.apiserver.tls.serverCert) + + patches.ApiServicePatch('v1.user.appuio.io', params.apiserver.apiservice.insecureSkipTLSVerify, params.apiserver.tls.serverCert) + + patches.ApiServicePatch('v1.billing.appuio.io', params.apiserver.apiservice.insecureSkipTLSVerify, params.apiserver.tls.serverCert); local kustomize_input = params.kustomize_input + apiservicePatches From de96b8762c83e59f5c3ac1b063a589e05de38723 Mon Sep 17 00:00:00 2001 From: Simon Gerber Date: Tue, 10 Mar 2026 15:19:05 +0100 Subject: [PATCH 2/5] Don't render `spec.insecureSkipTLSVerify=false` for `ApiService` resources This restores component version v3 behavior for `ApiService` rendering. Currently on a vcluster with K8s version 1.25, the ArgoCD app is permanently out of sync due to the presence of `spec.insecureSkipTLSVerify=false` in the `ApiService` manifests in the GitOps repo. Most likely, we can drop this commit once we upgrade the control-api vclusters to a more recent K8s version. --- component/patches.libsonnet | 16 +++++++++++----- ...8s.io_v1_apiservice_v1.billing.appuio.io.yaml | 1 - ..._v1_apiservice_v1.organization.appuio.io.yaml | 1 - ...n.k8s.io_v1_apiservice_v1.user.appuio.io.yaml | 1 - ...8s.io_v1_apiservice_v1.billing.appuio.io.yaml | 1 - ..._v1_apiservice_v1.organization.appuio.io.yaml | 1 - ...n.k8s.io_v1_apiservice_v1.user.appuio.io.yaml | 1 - 7 files changed, 11 insertions(+), 11 deletions(-) diff --git a/component/patches.libsonnet b/component/patches.libsonnet index 3ed28a7..7432d35 100644 --- a/component/patches.libsonnet +++ b/component/patches.libsonnet @@ -2,11 +2,17 @@ ApiServicePatch(name, insecureSkipTLSVerify, caCert=null): { patches+: [ { - patch: std.format(||| - - op: add - path: /spec/insecureSkipTLSVerify - value: %s - |||, insecureSkipTLSVerify), + patch: std.manifestJsonMinified([ + { + path: '/spec/insecureSkipTLSVerify', + } + + if insecureSkipTLSVerify then { + op: 'add', + value: insecureSkipTLSVerify, + } else { + op: 'remove', + }, + ]), target: { kind: 'APIService', name: name, diff --git a/tests/golden/defaults/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.billing.appuio.io.yaml b/tests/golden/defaults/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.billing.appuio.io.yaml index b264ac3..0fa60dc 100644 --- a/tests/golden/defaults/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.billing.appuio.io.yaml +++ b/tests/golden/defaults/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.billing.appuio.io.yaml @@ -8,7 +8,6 @@ spec: caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZUekNDQXplZ0F3SUJBZ0lVZC9BTlZkbWVodHBORU5lSEYxZm91dU15TW5zd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0pERWlNQ0FHQTFVRUF3d1pZWEJwYzJWeWRtVnlMbU52Ym5SeWIyd3RZWEJwTG5OMll6QWVGdzB5TWpBeApNVEF4TXpJd05URmFGdzB6TWpBeE1EZ3hNekl3TlRGYU1DUXhJakFnQmdOVkJBTU1HV0Z3YVhObGNuWmxjaTVqCmIyNTBjbTlzTFdGd2FTNXpkbU13Z2dJaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQ0R3QXdnZ0lLQW9JQ0FRREYKaGxrVU9pd3FMK1FSQ2N4YjR0UlpDaDJhYVZRMXdqa2wyQ0gzTm1DQmt6N3A2UUhPaHFxa1huc2lERmJtM1F4cgp1b3N0bkcyRzhISnR2b0IyVndRNW9FVGg3Z0NDZy93UmlJVXNhUWdBZVBtb1N0ZmhNVVArSWE1cnF2eXI3dEtMCnNZWHZrVllpRXVJWWFZeGIwdnQ3RVpOa29ad1lZanVaaHYrejdPSTc2STR1QkgzTjNPK3d6VWl3MTZVeDZjSXYKcitBT0tGaVlrOEhRekxCOCtLMEswSndTTVQzL2lCOVpsQ3ZrK28rRHYreG9VWGNueVcvT05zOVM2NGdzcTdSawpEY3hNQWFCZWplNG55dklzY0RjQjdHdDY1d2MzTE16bW9hT000ZGdkVnIzSGVFbWQwMWMzK3BvUFRUVDZySkZnCk8ySGhKbjlieFVpV3dtcnNHa2Z5Z2hmb3dhM1NDNkNpMTN4RWh0QVF3UjE1RzVrK3htclBHZGd0R294aXM4R0MKTzE4NGpoVnBLM2xEN0I2TDlTbnlueTh4ano5b2Z2NVBaM2p6MTJvOE5BaVNmWHNmRCtSZzUvZW1ONS95K0JnQQp1UTZWUStlSzJmSEttTFpOeXJTUTByOGVGbXlCMVhMRzdyQ2FVVG9ISnpPaG9kVEI3ZStQNEh3OWszVjVsR01QClBUeXpGRlhUTjRSRVM2eHpabXR6QVJ6cm4yZ1EzS3JoSDlMRkh0elBsK25YejVjUGdhSXd0SDJhN21XTUhIbGwKdXpaTDBuTU5DQndDc0svM3h6OG9DSUp3dCtITU1KcmxUMHlKRXVla2VIVDRTWTR0YVpkcTlkc0k3eHZoWml0YQowUDBVZ1p6cUFjR3E3eDc3TDV4elpMaTNEUnFQZXZ6U1RHTkV4QTY5eVFJREFRQUJvM2t3ZHpBZEJnTlZIUTRFCkZnUVVwVEE5Mi95M21xcS9lT3ZPaTlqUUF0RGJncW93SHdZRFZSMGpCQmd3Rm9BVXBUQTkyL3kzbXFxL2VPdk8KaTlqUUF0RGJncW93RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFrQmdOVkhSRUVIVEFiZ2hsaGNHbHpaWEoyWlhJdQpZMjl1ZEhKdmJDMWhjR2t1YzNaak1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQ0FRQmpMSGJRVEp0eEE0K3FIc040Cm1hMjNxL2dTTlZXbW5DYlJYUk54aER3SkxXME1XR2RsamhuUVVZUGNWK0RuSzNUQjNIckxHb2QzTG9ETThZYXUKaW14ZXppd21EVjVLMmlIRWVnczNOUitiV2d4aE13L0xDU0hMWk10clFsNUJXY084aFh3bHBZa2h6UEdrUnBzYQpMWFllS3I5cDVTY0MvaEpYRDMxbXd0MEQwU0FTWkczaGdZbG55RS8rNWxDZERYWkZyOE1Ma2dUODBoRGhkRDVoCnJ2aG5lTCtzT2lTVUJIZ1FhTm9ISWlVakllcTNRb1drdFAwd2pneG8vZTIxYmpPcVR2RXNrSVNzbFdvYmh3RnMKMkY2ZmprQTFRa2Faam4vRENJL3preXRHaEo5ZFpkc25iTjlpSmtMcjdxdGZYeFgrWUJ6TnY3Zk5GOG9RYTdRLwozSm5hZDNiVjRLK0Foek9XT3R0bTkydEcvczRwWUZqT05zY0tNeWhCRWdTczNLZnJZOEQxRWd5SHFVNnY4LzYwCnkwYkVPSE5OWWxwbGZBbURncVRXTkVsTDlhclBDVnJkdnlkcFJJdHRVQi90NFpRSkJiR2tRR0pub3I1WC9vMVMKRUNVaVFObzBhZ1hicGU0ekZQVnRFcHVrdmNIaVdRWVlPQmUrUzZzNCtuOFVZaFhsSml1N09KR3c3bWlDcXF4bgpjZXVhcGhxdVB4bzhoWTFnYkZrMHNlYlh4aVQxWHl0YSt4dkg5UDRVWmlqL1hWVjlMREhCSHNQL3c1czJFOGk0Cit5L0c3dnZxRTBBMWdxNDhCVGxybDh5MDlQMnRydmdpaExWcnhYamxlbjIrS1RBeXh2bDFLb3JaSnMrVWZNWXgKNlB0N1ZDNE0vOWt2LzJHdmR0S1Z6YmlSanc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t group: billing.appuio.io groupPriorityMinimum: 1000 - insecureSkipTLSVerify: false service: name: control-api-apiserver namespace: appuio-control-api diff --git a/tests/golden/defaults/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.organization.appuio.io.yaml b/tests/golden/defaults/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.organization.appuio.io.yaml index 09e5f16..24c8889 100644 --- a/tests/golden/defaults/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.organization.appuio.io.yaml +++ b/tests/golden/defaults/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.organization.appuio.io.yaml @@ -8,7 +8,6 @@ spec: caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZUekNDQXplZ0F3SUJBZ0lVZC9BTlZkbWVodHBORU5lSEYxZm91dU15TW5zd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0pERWlNQ0FHQTFVRUF3d1pZWEJwYzJWeWRtVnlMbU52Ym5SeWIyd3RZWEJwTG5OMll6QWVGdzB5TWpBeApNVEF4TXpJd05URmFGdzB6TWpBeE1EZ3hNekl3TlRGYU1DUXhJakFnQmdOVkJBTU1HV0Z3YVhObGNuWmxjaTVqCmIyNTBjbTlzTFdGd2FTNXpkbU13Z2dJaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQ0R3QXdnZ0lLQW9JQ0FRREYKaGxrVU9pd3FMK1FSQ2N4YjR0UlpDaDJhYVZRMXdqa2wyQ0gzTm1DQmt6N3A2UUhPaHFxa1huc2lERmJtM1F4cgp1b3N0bkcyRzhISnR2b0IyVndRNW9FVGg3Z0NDZy93UmlJVXNhUWdBZVBtb1N0ZmhNVVArSWE1cnF2eXI3dEtMCnNZWHZrVllpRXVJWWFZeGIwdnQ3RVpOa29ad1lZanVaaHYrejdPSTc2STR1QkgzTjNPK3d6VWl3MTZVeDZjSXYKcitBT0tGaVlrOEhRekxCOCtLMEswSndTTVQzL2lCOVpsQ3ZrK28rRHYreG9VWGNueVcvT05zOVM2NGdzcTdSawpEY3hNQWFCZWplNG55dklzY0RjQjdHdDY1d2MzTE16bW9hT000ZGdkVnIzSGVFbWQwMWMzK3BvUFRUVDZySkZnCk8ySGhKbjlieFVpV3dtcnNHa2Z5Z2hmb3dhM1NDNkNpMTN4RWh0QVF3UjE1RzVrK3htclBHZGd0R294aXM4R0MKTzE4NGpoVnBLM2xEN0I2TDlTbnlueTh4ano5b2Z2NVBaM2p6MTJvOE5BaVNmWHNmRCtSZzUvZW1ONS95K0JnQQp1UTZWUStlSzJmSEttTFpOeXJTUTByOGVGbXlCMVhMRzdyQ2FVVG9ISnpPaG9kVEI3ZStQNEh3OWszVjVsR01QClBUeXpGRlhUTjRSRVM2eHpabXR6QVJ6cm4yZ1EzS3JoSDlMRkh0elBsK25YejVjUGdhSXd0SDJhN21XTUhIbGwKdXpaTDBuTU5DQndDc0svM3h6OG9DSUp3dCtITU1KcmxUMHlKRXVla2VIVDRTWTR0YVpkcTlkc0k3eHZoWml0YQowUDBVZ1p6cUFjR3E3eDc3TDV4elpMaTNEUnFQZXZ6U1RHTkV4QTY5eVFJREFRQUJvM2t3ZHpBZEJnTlZIUTRFCkZnUVVwVEE5Mi95M21xcS9lT3ZPaTlqUUF0RGJncW93SHdZRFZSMGpCQmd3Rm9BVXBUQTkyL3kzbXFxL2VPdk8KaTlqUUF0RGJncW93RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFrQmdOVkhSRUVIVEFiZ2hsaGNHbHpaWEoyWlhJdQpZMjl1ZEhKdmJDMWhjR2t1YzNaak1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQ0FRQmpMSGJRVEp0eEE0K3FIc040Cm1hMjNxL2dTTlZXbW5DYlJYUk54aER3SkxXME1XR2RsamhuUVVZUGNWK0RuSzNUQjNIckxHb2QzTG9ETThZYXUKaW14ZXppd21EVjVLMmlIRWVnczNOUitiV2d4aE13L0xDU0hMWk10clFsNUJXY084aFh3bHBZa2h6UEdrUnBzYQpMWFllS3I5cDVTY0MvaEpYRDMxbXd0MEQwU0FTWkczaGdZbG55RS8rNWxDZERYWkZyOE1Ma2dUODBoRGhkRDVoCnJ2aG5lTCtzT2lTVUJIZ1FhTm9ISWlVakllcTNRb1drdFAwd2pneG8vZTIxYmpPcVR2RXNrSVNzbFdvYmh3RnMKMkY2ZmprQTFRa2Faam4vRENJL3preXRHaEo5ZFpkc25iTjlpSmtMcjdxdGZYeFgrWUJ6TnY3Zk5GOG9RYTdRLwozSm5hZDNiVjRLK0Foek9XT3R0bTkydEcvczRwWUZqT05zY0tNeWhCRWdTczNLZnJZOEQxRWd5SHFVNnY4LzYwCnkwYkVPSE5OWWxwbGZBbURncVRXTkVsTDlhclBDVnJkdnlkcFJJdHRVQi90NFpRSkJiR2tRR0pub3I1WC9vMVMKRUNVaVFObzBhZ1hicGU0ekZQVnRFcHVrdmNIaVdRWVlPQmUrUzZzNCtuOFVZaFhsSml1N09KR3c3bWlDcXF4bgpjZXVhcGhxdVB4bzhoWTFnYkZrMHNlYlh4aVQxWHl0YSt4dkg5UDRVWmlqL1hWVjlMREhCSHNQL3c1czJFOGk0Cit5L0c3dnZxRTBBMWdxNDhCVGxybDh5MDlQMnRydmdpaExWcnhYamxlbjIrS1RBeXh2bDFLb3JaSnMrVWZNWXgKNlB0N1ZDNE0vOWt2LzJHdmR0S1Z6YmlSanc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t group: organization.appuio.io groupPriorityMinimum: 1000 - insecureSkipTLSVerify: false service: name: control-api-apiserver namespace: appuio-control-api diff --git a/tests/golden/defaults/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.user.appuio.io.yaml b/tests/golden/defaults/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.user.appuio.io.yaml index c855399..b1d89f4 100644 --- a/tests/golden/defaults/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.user.appuio.io.yaml +++ b/tests/golden/defaults/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.user.appuio.io.yaml @@ -8,7 +8,6 @@ spec: caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZUekNDQXplZ0F3SUJBZ0lVZC9BTlZkbWVodHBORU5lSEYxZm91dU15TW5zd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0pERWlNQ0FHQTFVRUF3d1pZWEJwYzJWeWRtVnlMbU52Ym5SeWIyd3RZWEJwTG5OMll6QWVGdzB5TWpBeApNVEF4TXpJd05URmFGdzB6TWpBeE1EZ3hNekl3TlRGYU1DUXhJakFnQmdOVkJBTU1HV0Z3YVhObGNuWmxjaTVqCmIyNTBjbTlzTFdGd2FTNXpkbU13Z2dJaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQ0R3QXdnZ0lLQW9JQ0FRREYKaGxrVU9pd3FMK1FSQ2N4YjR0UlpDaDJhYVZRMXdqa2wyQ0gzTm1DQmt6N3A2UUhPaHFxa1huc2lERmJtM1F4cgp1b3N0bkcyRzhISnR2b0IyVndRNW9FVGg3Z0NDZy93UmlJVXNhUWdBZVBtb1N0ZmhNVVArSWE1cnF2eXI3dEtMCnNZWHZrVllpRXVJWWFZeGIwdnQ3RVpOa29ad1lZanVaaHYrejdPSTc2STR1QkgzTjNPK3d6VWl3MTZVeDZjSXYKcitBT0tGaVlrOEhRekxCOCtLMEswSndTTVQzL2lCOVpsQ3ZrK28rRHYreG9VWGNueVcvT05zOVM2NGdzcTdSawpEY3hNQWFCZWplNG55dklzY0RjQjdHdDY1d2MzTE16bW9hT000ZGdkVnIzSGVFbWQwMWMzK3BvUFRUVDZySkZnCk8ySGhKbjlieFVpV3dtcnNHa2Z5Z2hmb3dhM1NDNkNpMTN4RWh0QVF3UjE1RzVrK3htclBHZGd0R294aXM4R0MKTzE4NGpoVnBLM2xEN0I2TDlTbnlueTh4ano5b2Z2NVBaM2p6MTJvOE5BaVNmWHNmRCtSZzUvZW1ONS95K0JnQQp1UTZWUStlSzJmSEttTFpOeXJTUTByOGVGbXlCMVhMRzdyQ2FVVG9ISnpPaG9kVEI3ZStQNEh3OWszVjVsR01QClBUeXpGRlhUTjRSRVM2eHpabXR6QVJ6cm4yZ1EzS3JoSDlMRkh0elBsK25YejVjUGdhSXd0SDJhN21XTUhIbGwKdXpaTDBuTU5DQndDc0svM3h6OG9DSUp3dCtITU1KcmxUMHlKRXVla2VIVDRTWTR0YVpkcTlkc0k3eHZoWml0YQowUDBVZ1p6cUFjR3E3eDc3TDV4elpMaTNEUnFQZXZ6U1RHTkV4QTY5eVFJREFRQUJvM2t3ZHpBZEJnTlZIUTRFCkZnUVVwVEE5Mi95M21xcS9lT3ZPaTlqUUF0RGJncW93SHdZRFZSMGpCQmd3Rm9BVXBUQTkyL3kzbXFxL2VPdk8KaTlqUUF0RGJncW93RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFrQmdOVkhSRUVIVEFiZ2hsaGNHbHpaWEoyWlhJdQpZMjl1ZEhKdmJDMWhjR2t1YzNaak1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQ0FRQmpMSGJRVEp0eEE0K3FIc040Cm1hMjNxL2dTTlZXbW5DYlJYUk54aER3SkxXME1XR2RsamhuUVVZUGNWK0RuSzNUQjNIckxHb2QzTG9ETThZYXUKaW14ZXppd21EVjVLMmlIRWVnczNOUitiV2d4aE13L0xDU0hMWk10clFsNUJXY084aFh3bHBZa2h6UEdrUnBzYQpMWFllS3I5cDVTY0MvaEpYRDMxbXd0MEQwU0FTWkczaGdZbG55RS8rNWxDZERYWkZyOE1Ma2dUODBoRGhkRDVoCnJ2aG5lTCtzT2lTVUJIZ1FhTm9ISWlVakllcTNRb1drdFAwd2pneG8vZTIxYmpPcVR2RXNrSVNzbFdvYmh3RnMKMkY2ZmprQTFRa2Faam4vRENJL3preXRHaEo5ZFpkc25iTjlpSmtMcjdxdGZYeFgrWUJ6TnY3Zk5GOG9RYTdRLwozSm5hZDNiVjRLK0Foek9XT3R0bTkydEcvczRwWUZqT05zY0tNeWhCRWdTczNLZnJZOEQxRWd5SHFVNnY4LzYwCnkwYkVPSE5OWWxwbGZBbURncVRXTkVsTDlhclBDVnJkdnlkcFJJdHRVQi90NFpRSkJiR2tRR0pub3I1WC9vMVMKRUNVaVFObzBhZ1hicGU0ekZQVnRFcHVrdmNIaVdRWVlPQmUrUzZzNCtuOFVZaFhsSml1N09KR3c3bWlDcXF4bgpjZXVhcGhxdVB4bzhoWTFnYkZrMHNlYlh4aVQxWHl0YSt4dkg5UDRVWmlqL1hWVjlMREhCSHNQL3c1czJFOGk0Cit5L0c3dnZxRTBBMWdxNDhCVGxybDh5MDlQMnRydmdpaExWcnhYamxlbjIrS1RBeXh2bDFLb3JaSnMrVWZNWXgKNlB0N1ZDNE0vOWt2LzJHdmR0S1Z6YmlSanc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t group: user.appuio.io groupPriorityMinimum: 1000 - insecureSkipTLSVerify: false service: name: control-api-apiserver namespace: appuio-control-api diff --git a/tests/golden/withcronjob/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.billing.appuio.io.yaml b/tests/golden/withcronjob/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.billing.appuio.io.yaml index b264ac3..0fa60dc 100644 --- a/tests/golden/withcronjob/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.billing.appuio.io.yaml +++ b/tests/golden/withcronjob/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.billing.appuio.io.yaml @@ -8,7 +8,6 @@ spec: caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZUekNDQXplZ0F3SUJBZ0lVZC9BTlZkbWVodHBORU5lSEYxZm91dU15TW5zd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0pERWlNQ0FHQTFVRUF3d1pZWEJwYzJWeWRtVnlMbU52Ym5SeWIyd3RZWEJwTG5OMll6QWVGdzB5TWpBeApNVEF4TXpJd05URmFGdzB6TWpBeE1EZ3hNekl3TlRGYU1DUXhJakFnQmdOVkJBTU1HV0Z3YVhObGNuWmxjaTVqCmIyNTBjbTlzTFdGd2FTNXpkbU13Z2dJaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQ0R3QXdnZ0lLQW9JQ0FRREYKaGxrVU9pd3FMK1FSQ2N4YjR0UlpDaDJhYVZRMXdqa2wyQ0gzTm1DQmt6N3A2UUhPaHFxa1huc2lERmJtM1F4cgp1b3N0bkcyRzhISnR2b0IyVndRNW9FVGg3Z0NDZy93UmlJVXNhUWdBZVBtb1N0ZmhNVVArSWE1cnF2eXI3dEtMCnNZWHZrVllpRXVJWWFZeGIwdnQ3RVpOa29ad1lZanVaaHYrejdPSTc2STR1QkgzTjNPK3d6VWl3MTZVeDZjSXYKcitBT0tGaVlrOEhRekxCOCtLMEswSndTTVQzL2lCOVpsQ3ZrK28rRHYreG9VWGNueVcvT05zOVM2NGdzcTdSawpEY3hNQWFCZWplNG55dklzY0RjQjdHdDY1d2MzTE16bW9hT000ZGdkVnIzSGVFbWQwMWMzK3BvUFRUVDZySkZnCk8ySGhKbjlieFVpV3dtcnNHa2Z5Z2hmb3dhM1NDNkNpMTN4RWh0QVF3UjE1RzVrK3htclBHZGd0R294aXM4R0MKTzE4NGpoVnBLM2xEN0I2TDlTbnlueTh4ano5b2Z2NVBaM2p6MTJvOE5BaVNmWHNmRCtSZzUvZW1ONS95K0JnQQp1UTZWUStlSzJmSEttTFpOeXJTUTByOGVGbXlCMVhMRzdyQ2FVVG9ISnpPaG9kVEI3ZStQNEh3OWszVjVsR01QClBUeXpGRlhUTjRSRVM2eHpabXR6QVJ6cm4yZ1EzS3JoSDlMRkh0elBsK25YejVjUGdhSXd0SDJhN21XTUhIbGwKdXpaTDBuTU5DQndDc0svM3h6OG9DSUp3dCtITU1KcmxUMHlKRXVla2VIVDRTWTR0YVpkcTlkc0k3eHZoWml0YQowUDBVZ1p6cUFjR3E3eDc3TDV4elpMaTNEUnFQZXZ6U1RHTkV4QTY5eVFJREFRQUJvM2t3ZHpBZEJnTlZIUTRFCkZnUVVwVEE5Mi95M21xcS9lT3ZPaTlqUUF0RGJncW93SHdZRFZSMGpCQmd3Rm9BVXBUQTkyL3kzbXFxL2VPdk8KaTlqUUF0RGJncW93RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFrQmdOVkhSRUVIVEFiZ2hsaGNHbHpaWEoyWlhJdQpZMjl1ZEhKdmJDMWhjR2t1YzNaak1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQ0FRQmpMSGJRVEp0eEE0K3FIc040Cm1hMjNxL2dTTlZXbW5DYlJYUk54aER3SkxXME1XR2RsamhuUVVZUGNWK0RuSzNUQjNIckxHb2QzTG9ETThZYXUKaW14ZXppd21EVjVLMmlIRWVnczNOUitiV2d4aE13L0xDU0hMWk10clFsNUJXY084aFh3bHBZa2h6UEdrUnBzYQpMWFllS3I5cDVTY0MvaEpYRDMxbXd0MEQwU0FTWkczaGdZbG55RS8rNWxDZERYWkZyOE1Ma2dUODBoRGhkRDVoCnJ2aG5lTCtzT2lTVUJIZ1FhTm9ISWlVakllcTNRb1drdFAwd2pneG8vZTIxYmpPcVR2RXNrSVNzbFdvYmh3RnMKMkY2ZmprQTFRa2Faam4vRENJL3preXRHaEo5ZFpkc25iTjlpSmtMcjdxdGZYeFgrWUJ6TnY3Zk5GOG9RYTdRLwozSm5hZDNiVjRLK0Foek9XT3R0bTkydEcvczRwWUZqT05zY0tNeWhCRWdTczNLZnJZOEQxRWd5SHFVNnY4LzYwCnkwYkVPSE5OWWxwbGZBbURncVRXTkVsTDlhclBDVnJkdnlkcFJJdHRVQi90NFpRSkJiR2tRR0pub3I1WC9vMVMKRUNVaVFObzBhZ1hicGU0ekZQVnRFcHVrdmNIaVdRWVlPQmUrUzZzNCtuOFVZaFhsSml1N09KR3c3bWlDcXF4bgpjZXVhcGhxdVB4bzhoWTFnYkZrMHNlYlh4aVQxWHl0YSt4dkg5UDRVWmlqL1hWVjlMREhCSHNQL3c1czJFOGk0Cit5L0c3dnZxRTBBMWdxNDhCVGxybDh5MDlQMnRydmdpaExWcnhYamxlbjIrS1RBeXh2bDFLb3JaSnMrVWZNWXgKNlB0N1ZDNE0vOWt2LzJHdmR0S1Z6YmlSanc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t group: billing.appuio.io groupPriorityMinimum: 1000 - insecureSkipTLSVerify: false service: name: control-api-apiserver namespace: appuio-control-api diff --git a/tests/golden/withcronjob/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.organization.appuio.io.yaml b/tests/golden/withcronjob/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.organization.appuio.io.yaml index 09e5f16..24c8889 100644 --- a/tests/golden/withcronjob/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.organization.appuio.io.yaml +++ b/tests/golden/withcronjob/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.organization.appuio.io.yaml @@ -8,7 +8,6 @@ spec: caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZUekNDQXplZ0F3SUJBZ0lVZC9BTlZkbWVodHBORU5lSEYxZm91dU15TW5zd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0pERWlNQ0FHQTFVRUF3d1pZWEJwYzJWeWRtVnlMbU52Ym5SeWIyd3RZWEJwTG5OMll6QWVGdzB5TWpBeApNVEF4TXpJd05URmFGdzB6TWpBeE1EZ3hNekl3TlRGYU1DUXhJakFnQmdOVkJBTU1HV0Z3YVhObGNuWmxjaTVqCmIyNTBjbTlzTFdGd2FTNXpkbU13Z2dJaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQ0R3QXdnZ0lLQW9JQ0FRREYKaGxrVU9pd3FMK1FSQ2N4YjR0UlpDaDJhYVZRMXdqa2wyQ0gzTm1DQmt6N3A2UUhPaHFxa1huc2lERmJtM1F4cgp1b3N0bkcyRzhISnR2b0IyVndRNW9FVGg3Z0NDZy93UmlJVXNhUWdBZVBtb1N0ZmhNVVArSWE1cnF2eXI3dEtMCnNZWHZrVllpRXVJWWFZeGIwdnQ3RVpOa29ad1lZanVaaHYrejdPSTc2STR1QkgzTjNPK3d6VWl3MTZVeDZjSXYKcitBT0tGaVlrOEhRekxCOCtLMEswSndTTVQzL2lCOVpsQ3ZrK28rRHYreG9VWGNueVcvT05zOVM2NGdzcTdSawpEY3hNQWFCZWplNG55dklzY0RjQjdHdDY1d2MzTE16bW9hT000ZGdkVnIzSGVFbWQwMWMzK3BvUFRUVDZySkZnCk8ySGhKbjlieFVpV3dtcnNHa2Z5Z2hmb3dhM1NDNkNpMTN4RWh0QVF3UjE1RzVrK3htclBHZGd0R294aXM4R0MKTzE4NGpoVnBLM2xEN0I2TDlTbnlueTh4ano5b2Z2NVBaM2p6MTJvOE5BaVNmWHNmRCtSZzUvZW1ONS95K0JnQQp1UTZWUStlSzJmSEttTFpOeXJTUTByOGVGbXlCMVhMRzdyQ2FVVG9ISnpPaG9kVEI3ZStQNEh3OWszVjVsR01QClBUeXpGRlhUTjRSRVM2eHpabXR6QVJ6cm4yZ1EzS3JoSDlMRkh0elBsK25YejVjUGdhSXd0SDJhN21XTUhIbGwKdXpaTDBuTU5DQndDc0svM3h6OG9DSUp3dCtITU1KcmxUMHlKRXVla2VIVDRTWTR0YVpkcTlkc0k3eHZoWml0YQowUDBVZ1p6cUFjR3E3eDc3TDV4elpMaTNEUnFQZXZ6U1RHTkV4QTY5eVFJREFRQUJvM2t3ZHpBZEJnTlZIUTRFCkZnUVVwVEE5Mi95M21xcS9lT3ZPaTlqUUF0RGJncW93SHdZRFZSMGpCQmd3Rm9BVXBUQTkyL3kzbXFxL2VPdk8KaTlqUUF0RGJncW93RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFrQmdOVkhSRUVIVEFiZ2hsaGNHbHpaWEoyWlhJdQpZMjl1ZEhKdmJDMWhjR2t1YzNaak1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQ0FRQmpMSGJRVEp0eEE0K3FIc040Cm1hMjNxL2dTTlZXbW5DYlJYUk54aER3SkxXME1XR2RsamhuUVVZUGNWK0RuSzNUQjNIckxHb2QzTG9ETThZYXUKaW14ZXppd21EVjVLMmlIRWVnczNOUitiV2d4aE13L0xDU0hMWk10clFsNUJXY084aFh3bHBZa2h6UEdrUnBzYQpMWFllS3I5cDVTY0MvaEpYRDMxbXd0MEQwU0FTWkczaGdZbG55RS8rNWxDZERYWkZyOE1Ma2dUODBoRGhkRDVoCnJ2aG5lTCtzT2lTVUJIZ1FhTm9ISWlVakllcTNRb1drdFAwd2pneG8vZTIxYmpPcVR2RXNrSVNzbFdvYmh3RnMKMkY2ZmprQTFRa2Faam4vRENJL3preXRHaEo5ZFpkc25iTjlpSmtMcjdxdGZYeFgrWUJ6TnY3Zk5GOG9RYTdRLwozSm5hZDNiVjRLK0Foek9XT3R0bTkydEcvczRwWUZqT05zY0tNeWhCRWdTczNLZnJZOEQxRWd5SHFVNnY4LzYwCnkwYkVPSE5OWWxwbGZBbURncVRXTkVsTDlhclBDVnJkdnlkcFJJdHRVQi90NFpRSkJiR2tRR0pub3I1WC9vMVMKRUNVaVFObzBhZ1hicGU0ekZQVnRFcHVrdmNIaVdRWVlPQmUrUzZzNCtuOFVZaFhsSml1N09KR3c3bWlDcXF4bgpjZXVhcGhxdVB4bzhoWTFnYkZrMHNlYlh4aVQxWHl0YSt4dkg5UDRVWmlqL1hWVjlMREhCSHNQL3c1czJFOGk0Cit5L0c3dnZxRTBBMWdxNDhCVGxybDh5MDlQMnRydmdpaExWcnhYamxlbjIrS1RBeXh2bDFLb3JaSnMrVWZNWXgKNlB0N1ZDNE0vOWt2LzJHdmR0S1Z6YmlSanc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t group: organization.appuio.io groupPriorityMinimum: 1000 - insecureSkipTLSVerify: false service: name: control-api-apiserver namespace: appuio-control-api diff --git a/tests/golden/withcronjob/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.user.appuio.io.yaml b/tests/golden/withcronjob/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.user.appuio.io.yaml index c855399..b1d89f4 100644 --- a/tests/golden/withcronjob/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.user.appuio.io.yaml +++ b/tests/golden/withcronjob/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.user.appuio.io.yaml @@ -8,7 +8,6 @@ spec: caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZUekNDQXplZ0F3SUJBZ0lVZC9BTlZkbWVodHBORU5lSEYxZm91dU15TW5zd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0pERWlNQ0FHQTFVRUF3d1pZWEJwYzJWeWRtVnlMbU52Ym5SeWIyd3RZWEJwTG5OMll6QWVGdzB5TWpBeApNVEF4TXpJd05URmFGdzB6TWpBeE1EZ3hNekl3TlRGYU1DUXhJakFnQmdOVkJBTU1HV0Z3YVhObGNuWmxjaTVqCmIyNTBjbTlzTFdGd2FTNXpkbU13Z2dJaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQ0R3QXdnZ0lLQW9JQ0FRREYKaGxrVU9pd3FMK1FSQ2N4YjR0UlpDaDJhYVZRMXdqa2wyQ0gzTm1DQmt6N3A2UUhPaHFxa1huc2lERmJtM1F4cgp1b3N0bkcyRzhISnR2b0IyVndRNW9FVGg3Z0NDZy93UmlJVXNhUWdBZVBtb1N0ZmhNVVArSWE1cnF2eXI3dEtMCnNZWHZrVllpRXVJWWFZeGIwdnQ3RVpOa29ad1lZanVaaHYrejdPSTc2STR1QkgzTjNPK3d6VWl3MTZVeDZjSXYKcitBT0tGaVlrOEhRekxCOCtLMEswSndTTVQzL2lCOVpsQ3ZrK28rRHYreG9VWGNueVcvT05zOVM2NGdzcTdSawpEY3hNQWFCZWplNG55dklzY0RjQjdHdDY1d2MzTE16bW9hT000ZGdkVnIzSGVFbWQwMWMzK3BvUFRUVDZySkZnCk8ySGhKbjlieFVpV3dtcnNHa2Z5Z2hmb3dhM1NDNkNpMTN4RWh0QVF3UjE1RzVrK3htclBHZGd0R294aXM4R0MKTzE4NGpoVnBLM2xEN0I2TDlTbnlueTh4ano5b2Z2NVBaM2p6MTJvOE5BaVNmWHNmRCtSZzUvZW1ONS95K0JnQQp1UTZWUStlSzJmSEttTFpOeXJTUTByOGVGbXlCMVhMRzdyQ2FVVG9ISnpPaG9kVEI3ZStQNEh3OWszVjVsR01QClBUeXpGRlhUTjRSRVM2eHpabXR6QVJ6cm4yZ1EzS3JoSDlMRkh0elBsK25YejVjUGdhSXd0SDJhN21XTUhIbGwKdXpaTDBuTU5DQndDc0svM3h6OG9DSUp3dCtITU1KcmxUMHlKRXVla2VIVDRTWTR0YVpkcTlkc0k3eHZoWml0YQowUDBVZ1p6cUFjR3E3eDc3TDV4elpMaTNEUnFQZXZ6U1RHTkV4QTY5eVFJREFRQUJvM2t3ZHpBZEJnTlZIUTRFCkZnUVVwVEE5Mi95M21xcS9lT3ZPaTlqUUF0RGJncW93SHdZRFZSMGpCQmd3Rm9BVXBUQTkyL3kzbXFxL2VPdk8KaTlqUUF0RGJncW93RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFrQmdOVkhSRUVIVEFiZ2hsaGNHbHpaWEoyWlhJdQpZMjl1ZEhKdmJDMWhjR2t1YzNaak1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQ0FRQmpMSGJRVEp0eEE0K3FIc040Cm1hMjNxL2dTTlZXbW5DYlJYUk54aER3SkxXME1XR2RsamhuUVVZUGNWK0RuSzNUQjNIckxHb2QzTG9ETThZYXUKaW14ZXppd21EVjVLMmlIRWVnczNOUitiV2d4aE13L0xDU0hMWk10clFsNUJXY084aFh3bHBZa2h6UEdrUnBzYQpMWFllS3I5cDVTY0MvaEpYRDMxbXd0MEQwU0FTWkczaGdZbG55RS8rNWxDZERYWkZyOE1Ma2dUODBoRGhkRDVoCnJ2aG5lTCtzT2lTVUJIZ1FhTm9ISWlVakllcTNRb1drdFAwd2pneG8vZTIxYmpPcVR2RXNrSVNzbFdvYmh3RnMKMkY2ZmprQTFRa2Faam4vRENJL3preXRHaEo5ZFpkc25iTjlpSmtMcjdxdGZYeFgrWUJ6TnY3Zk5GOG9RYTdRLwozSm5hZDNiVjRLK0Foek9XT3R0bTkydEcvczRwWUZqT05zY0tNeWhCRWdTczNLZnJZOEQxRWd5SHFVNnY4LzYwCnkwYkVPSE5OWWxwbGZBbURncVRXTkVsTDlhclBDVnJkdnlkcFJJdHRVQi90NFpRSkJiR2tRR0pub3I1WC9vMVMKRUNVaVFObzBhZ1hicGU0ekZQVnRFcHVrdmNIaVdRWVlPQmUrUzZzNCtuOFVZaFhsSml1N09KR3c3bWlDcXF4bgpjZXVhcGhxdVB4bzhoWTFnYkZrMHNlYlh4aVQxWHl0YSt4dkg5UDRVWmlqL1hWVjlMREhCSHNQL3c1czJFOGk0Cit5L0c3dnZxRTBBMWdxNDhCVGxybDh5MDlQMnRydmdpaExWcnhYamxlbjIrS1RBeXh2bDFLb3JaSnMrVWZNWXgKNlB0N1ZDNE0vOWt2LzJHdmR0S1Z6YmlSanc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t group: user.appuio.io groupPriorityMinimum: 1000 - insecureSkipTLSVerify: false service: name: control-api-apiserver namespace: appuio-control-api From a2021fc43d778d6535bf1242208dd7c566e40276 Mon Sep 17 00:00:00 2001 From: Simon Gerber Date: Tue, 10 Mar 2026 15:21:32 +0100 Subject: [PATCH 3/5] Use `std.manifestJsonMinified` instead of `std.format()` to render JSON patches --- component/control-api.jsonnet | 225 ++++++++++++++++++---------------- component/patches.libsonnet | 20 +-- 2 files changed, 132 insertions(+), 113 deletions(-) diff --git a/component/control-api.jsonnet b/component/control-api.jsonnet index fdbc78f..b89d1a2 100644 --- a/component/control-api.jsonnet +++ b/component/control-api.jsonnet @@ -57,11 +57,11 @@ local apiserverDeploymentArgs = local apiserverDeploymentArgsPatch = { patches+: [ { - patch: std.format(||| - - op: add - path: "/spec/template/spec/containers/0/args/-" - value: "%s" - |||, arg), + patch: std.manifestJsonMinified([ { + op: 'add', + path: '/spec/template/spec/containers/0/args/-', + value: arg, + } ]), target: { kind: 'Deployment', name: 'control-api-apiserver', @@ -74,25 +74,35 @@ local apiserverDeploymentArgsPatch = { local apiserverOdooConfigPatch = if hasCountriesConfig then { patches+: [ { - patch: std.format(||| - - op: add - path: /spec/template/spec/containers/0/volumeMounts/- - value: - mountPath: /config/billing_entity_odoo8_country_list.yaml - name: countries-config - readOnly: true - subPath: billing_entity_odoo8_country_list.yaml - - op: add - path: /spec/template/spec/volumes/- - value: - name: countries-config - configMap: - name: billing-entity-odoo8-country-list - - op: add - path: /spec/template/metadata/annotations - value: - 'checksum/countries': %s - |||, std.md5(countries_yaml)), + patch: std.manifestJsonMinified([ + { + op: 'add', + path: '/spec/template/spec/containers/0/volumeMounts/-', + value: { + mountPath: '/config/billing_entity_odoo8_country_list.yaml', + name: 'countries-config', + readOnly: true, + subPath: 'billing_entity_odoo8_country_list.yaml', + }, + }, + { + op: 'add', + path: '/spec/template/spec/volumes/-', + value: { + name: 'countries-config', + configMap: { + name: 'billing-entity-odoo8-country-list', + }, + }, + }, + { + op: 'add', + path: '/spec/template/metadata/annotations', + value: { + 'checksum/countries': std.md5(countries_yaml), + }, + }, + ]), target: { kind: 'Deployment', name: 'control-api-apiserver', @@ -105,11 +115,11 @@ local apiserverExtraEnvList = com.envList(params.apiserver.extraEnv); local apiserverDeploymentEnvPatch = if std.length(apiserverExtraEnvList) > 0 then { patches+: [ { - patch: ||| - - op: add - path: /spec/template/spec/containers/0/env - value: [] - |||, + patch: std.manifestJsonMinified([ { + op: 'add', + path: '/spec/template/spec/containers/0/env', + value: [], + } ]), target: { kind: 'Deployment', name: 'control-api-apiserver', @@ -117,11 +127,11 @@ local apiserverDeploymentEnvPatch = if std.length(apiserverExtraEnvList) > 0 the }, ] + [ { - patch: std.format(||| - - op: add - path: /spec/template/spec/containers/0/env/- - value: %(value)s - |||, { value: env }), + patch: std.manifestJsonMinified([ { + op: 'add', + path: '/spec/template/spec/containers/0/env/-', + value: env, + } ]), target: { kind: 'Deployment', name: 'control-api-apiserver', @@ -145,12 +155,11 @@ local apiserverDeploymentResources = std.mergePatch({ local apiserverDeploymentResourcesPatch = { patches+: [ { - patch: std.format(||| - - op: add - path: /spec/template/spec/containers/0/resources - value: - %s - |||, std.manifestJson(apiserverDeploymentResources)), + patch: std.manifestJsonMinified([ { + op: 'add', + path: '/spec/template/spec/containers/0/resources', + value: apiserverDeploymentResources, + } ]), target: { kind: 'Deployment', name: 'control-api-apiserver', @@ -162,14 +171,16 @@ local apiserverDeploymentResourcesPatch = { local apiserverDeploymentVolumesPatch = if validCertSecret then { patches+: [ { - patch: std.format(||| - - op: replace - path: /spec/template/spec/volumes/0 - value: - name: apiserver-certs - secret: - secretName: %s - |||, params.apiserver.tls.certSecretName), + patch: std.manifestJsonMinified([ { + op: 'replace', + path: '/spec/template/spec/volumes/0', + value: { + name: 'apiserver-certs', + secret: { + secretName: params.apiserver.tls.certSecretName, + }, + }, + } ]), target: { kind: 'Deployment', name: 'control-api-apiserver', @@ -185,13 +196,13 @@ local apiserverDeploymentPatch = + apiserverOdooConfigPatch + apiserverDeploymentVolumesPatch; -local apiserverRoleBindingPatch = patches.LabelPatch('Service', 'control-api-apiserver', std.toString({ +local apiserverRoleBindingPatch = patches.LabelPatch('Service', 'control-api-apiserver', { name: 'control-api-apiserver', -})); +}); -local apiserverServicePatch = patches.LabelPatch('Service', 'control-api-apiserver', std.toString({ +local apiserverServicePatch = patches.LabelPatch('Service', 'control-api-apiserver', { name: 'control-api-apiserver', -})); +}); ///////////////// // Controller @@ -218,11 +229,11 @@ local controllerDeploymentArgs = local controllerDeploymentArgPatches = { patches+: [ { - patch: std.format(||| - - op: add - path: "/spec/template/spec/containers/0/args/-" - value: "%s" - |||, arg), + patch: std.manifestJsonMinified([ { + op: 'add', + path: '/spec/template/spec/containers/0/args/-', + value: arg, + } ]), target: { kind: 'Deployment', name: 'control-api-controller', @@ -236,11 +247,11 @@ local controllerExtraEnvList = com.envList(params.controller.extraEnv); local controllerDeploymentEnvPatch = if std.length(controllerExtraEnvList) > 0 then { patches+: [ { - patch: ||| - - op: add - path: /spec/template/spec/containers/0/env - value: [] - |||, + patch: std.manifestJsonMinified([ { + op: 'add', + path: '/spec/template/spec/containers/0/env', + value: [], + } ]), target: { kind: 'Deployment', name: 'control-api-controller', @@ -248,11 +259,11 @@ local controllerDeploymentEnvPatch = if std.length(controllerExtraEnvList) > 0 t }, ] + [ { - patch: std.format(||| - - op: add - path: /spec/template/spec/containers/0/env/- - value: %(value)s - |||, { value: env }), + patch: std.manifestJsonMinified([ { + op: 'add', + path: '/spec/template/spec/containers/0/env/-', + value: env, + } ]), target: { kind: 'Deployment', name: 'control-api-controller', @@ -265,17 +276,20 @@ local controllerDeploymentEnvPatch = if std.length(controllerExtraEnvList) > 0 t local controllerDeploymentVolumePatch = { patches+: [ { - patch: ||| - - op: add - path: "/spec/template/spec/volumes" - value: [] - - op: add - path: "/spec/template/spec/volumes/-" - value: - name: webhook-service-tls - secret: - secretName: webhook-service-tls - |||, + patch: std.manifestJsonMinified([ { + op: 'add', + path: '/spec/template/spec/volumes', + value: [], + }, { + op: 'add', + path: '/spec/template/spec/volumes/-', + value: { + name: 'webhook-service-tls', + secret: { + secretName: 'webhook-service-tls', + }, + }, + } ]), target: { kind: 'Deployment', name: 'control-api-controller', @@ -297,11 +311,11 @@ local controllerDeploymentResources = std.mergePatch({ local controllerDeploymentResourcesPatch = { patches+: [ { - patch: std.format(||| - - op: add - path: "/spec/template/spec/containers/0/resources" - value: %s - |||, std.manifestJson(controllerDeploymentResources)), + patch: std.manifestJsonMinified([ { + op: 'add', + path: '/spec/template/spec/containers/0/resources', + value: controllerDeploymentResources, + } ]), target: { kind: 'Deployment', name: 'control-api-controller', @@ -313,17 +327,22 @@ local controllerDeploymentResourcesPatch = { local controllerDeploymentVolumeMountsPatch = { patches+: [ { - patch: ||| - - op: add - path: "/spec/template/spec/containers/0/volumeMounts" - value: [] - - op: add - path: "/spec/template/spec/containers/0/volumeMounts/-" - value: - mountPath: /var/run/webhook-service-tls - name: webhook-service-tls - readOnly: true - |||, + patch: std.manifestJsonMinified([ + { + op: 'add', + path: '/spec/template/spec/containers/0/volumeMounts', + value: [], + }, + { + op: 'add', + path: '/spec/template/spec/containers/0/volumeMounts/-', + value: { + mountPath: '/var/run/webhook-service-tls', + name: 'webhook-service-tls', + readOnly: true, + }, + }, + ]), target: { kind: 'Deployment', name: 'control-api-controller', @@ -338,22 +357,22 @@ local controllerDeploymentPatch = controllerDeploymentArgPatches + controllerDeploymentVolumeMountsPatch + controllerDeploymentVolumePatch; -local controllerRoleBindingPatch = patches.LabelPatch('ClusterRoleBinding', 'control-api-controller', std.toString({ +local controllerRoleBindingPatch = patches.LabelPatch('ClusterRoleBinding', 'control-api-controller', { name: 'control-api-controller', -})); +}); -local controllerServicePatch = patches.LabelPatch('Service', 'control-api-controller-metrics', std.toString({ +local controllerServicePatch = patches.LabelPatch('Service', 'control-api-controller-metrics', { app: 'control-api-controller', name: 'control-api-controller', -})) { +}) { patches+: [ { - patch: ||| - - op: add - path: /spec/ports/0/name - value: metrics - |||, + patch: std.manifestJsonMinified([ { + op: 'add', + path: '/spec/ports/0/name', + value: 'metrics', + } ]), target: { kind: 'Service', name: 'control-api-controller-metrics', diff --git a/component/patches.libsonnet b/component/patches.libsonnet index 7432d35..e098233 100644 --- a/component/patches.libsonnet +++ b/component/patches.libsonnet @@ -19,11 +19,11 @@ }, }, if caCert != null then { - patch: std.format(||| - - op: add - path: /spec/caBundle - value: %s - |||, std.base64(caCert)), + patch: std.manifestJsonMinified([ { + op: 'add', + path: '/spec/caBundle', + value: std.base64(caCert), + } ]), target: { kind: 'APIService', name: name, @@ -34,11 +34,11 @@ LabelPatch(kind, name, labels): { patches+: [ { - patch: std.format(||| - - op: add - path: /metadata/labels - value: %s - |||, labels), + patch: std.manifestJsonMinified([ { + op: 'add', + path: '/metadata/labels', + value: labels, + } ]), target: { kind: kind, name: name, From 5f66db5a2501a4c4c27a5f10645ba2660d67d4b0 Mon Sep 17 00:00:00 2001 From: Simon Gerber Date: Tue, 10 Mar 2026 15:21:55 +0100 Subject: [PATCH 4/5] Prune list of ApiService patches --- component/patches.libsonnet | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/component/patches.libsonnet b/component/patches.libsonnet index e098233..1522a87 100644 --- a/component/patches.libsonnet +++ b/component/patches.libsonnet @@ -1,6 +1,6 @@ { ApiServicePatch(name, insecureSkipTLSVerify, caCert=null): { - patches+: [ + patches+: std.prune([ { patch: std.manifestJsonMinified([ { @@ -29,7 +29,7 @@ name: name, }, }, - ], + ]), }, LabelPatch(kind, name, labels): { patches+: [ From fa37139d7a27d991899a2c2802e89de152126c52 Mon Sep 17 00:00:00 2001 From: Simon Gerber Date: Tue, 10 Mar 2026 15:55:39 +0100 Subject: [PATCH 5/5] Fix handling of empty apiserver CA certificate --- component/patches.libsonnet | 4 ++-- ...egistration.k8s.io_v1_apiservice_v1.billing.appuio.io.yaml | 1 - ...ration.k8s.io_v1_apiservice_v1.organization.appuio.io.yaml | 1 - ...piregistration.k8s.io_v1_apiservice_v1.user.appuio.io.yaml | 1 - 4 files changed, 2 insertions(+), 5 deletions(-) diff --git a/component/patches.libsonnet b/component/patches.libsonnet index 1522a87..ee18331 100644 --- a/component/patches.libsonnet +++ b/component/patches.libsonnet @@ -1,5 +1,5 @@ { - ApiServicePatch(name, insecureSkipTLSVerify, caCert=null): { + ApiServicePatch(name, insecureSkipTLSVerify, caCert=''): { patches+: std.prune([ { patch: std.manifestJsonMinified([ @@ -18,7 +18,7 @@ name: name, }, }, - if caCert != null then { + if std.length(caCert) > 0 then { patch: std.manifestJsonMinified([ { op: 'add', path: '/spec/caBundle', diff --git a/tests/golden/insecure/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.billing.appuio.io.yaml b/tests/golden/insecure/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.billing.appuio.io.yaml index d081026..1007996 100644 --- a/tests/golden/insecure/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.billing.appuio.io.yaml +++ b/tests/golden/insecure/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.billing.appuio.io.yaml @@ -5,7 +5,6 @@ metadata: app.kubernetes.io/managed-by: commodore name: v1.billing.appuio.io spec: - caBundle: null group: billing.appuio.io groupPriorityMinimum: 1000 insecureSkipTLSVerify: true diff --git a/tests/golden/insecure/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.organization.appuio.io.yaml b/tests/golden/insecure/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.organization.appuio.io.yaml index 3233b29..3420c25 100644 --- a/tests/golden/insecure/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.organization.appuio.io.yaml +++ b/tests/golden/insecure/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.organization.appuio.io.yaml @@ -5,7 +5,6 @@ metadata: app.kubernetes.io/managed-by: commodore name: v1.organization.appuio.io spec: - caBundle: null group: organization.appuio.io groupPriorityMinimum: 1000 insecureSkipTLSVerify: true diff --git a/tests/golden/insecure/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.user.appuio.io.yaml b/tests/golden/insecure/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.user.appuio.io.yaml index 7fdac4f..0d096b5 100644 --- a/tests/golden/insecure/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.user.appuio.io.yaml +++ b/tests/golden/insecure/control-api/control-api/20_kustomize/apiregistration.k8s.io_v1_apiservice_v1.user.appuio.io.yaml @@ -5,7 +5,6 @@ metadata: app.kubernetes.io/managed-by: commodore name: v1.user.appuio.io spec: - caBundle: null group: user.appuio.io groupPriorityMinimum: 1000 insecureSkipTLSVerify: true