switching logic to use vars as suggested

Makefile.vars.mk

@@ -46,7 +46,7 @@ KUBENT_IMAGE    ?= ghcr.io/doitintl/kube-no-trouble:latest
 KUBENT_DOCKER   ?= $(DOCKER_CMD) $(DOCKER_ARGS) $(root_volume) --entrypoint=/app/kubent $(KUBENT_IMAGE)
 
 instance ?= defaults
-test_instances = tests/defaults.yml tests/vshn-cloud.yml tests/vshn-managed.yml tests/control-plane.yml tests/service-cluster.yml tests/dev.yml
+test_instances = tests/defaults.yml tests/vshn-cloud.yml tests/vshn-managed.yml tests/control-plane.yml tests/service-cluster.yml tests/dev.yml tests/exodev.yaml
 
 YAMLLINT_ARGS   ?= --no-warnings
 YAMLLINT_CONFIG ?= .yamllint.yml

tests/exodev.yml

@@ -0,0 +1,187 @@
+parameters:
+  kapitan:
+    dependencies:
+      - type: https
+        source: https://raw.githubusercontent.com/projectsyn/component-crossplane/v2.3.0/lib/crossplane.libsonnet
+        output_path: vendor/lib/crossplane.libsonnet
+      - type: https
+        source: https://raw.githubusercontent.com/appuio/component-openshift4-operators/v1.4.0/lib/openshift4-operators.libsonnet
+        output_path: vendor/lib/openshift4-operators.libsonnet
+
+  facts:
+    cloud: exoscale #important, do not change, to test cloudscale use dev.yaml instead
+    sales_order: "10431"
+    appcat_dev: true
+    service_level: "zero"
+    #service_level: "guaranteed_availability"
+
+  global:
+    appuio_metered_billing_zone_label_map:
+      c-green-test-1234: 'Kind - Local Test 0'
+
+  crossplane:
+    namespace: syn-crossplane
+
+  appcat:
+    grpcEndpoint: host.docker.internal:9443
+    proxyFunction: false
+
+    quotasEnabled: false
+    appuioManaged: false
+    billing:
+      salesOrder: ST10120
+      vshn:
+        enableCronjobs: false
+        meteringRules: true
+      enableMockOrgInfo: true
+      instanceUOM: uom_uom_45_1e112771
+      network_policies:
+        target_namespaces:
+          vshn-appuio-mimir: false
+      prometheus:
+        url: http://prometheus-operated.prometheus-system:9090/prometheus
+      cloudZone: ${global:appuio_metered_billing_zone_label_map:${cluster:name}}
+
+    slos:
+      enabled: true
+      alertsEnabled: true
+      sli_exporter:
+        enableMaintenceObserver: false
+      sla_reporter:
+        enabled: true
+        slo_mimir_svc: kube-prometheus-kube-prome-prometheus
+        slo_mimir_namespace: prometheus-system
+    controller:
+      enabled: true
+      postgres:
+        enabled: true
+    providers:
+      exoscale:
+        enabled: true
+      cloudscale:
+        enabled: false
+      kubernetes:
+        enabled: true
+      helm:
+        enabled: true
+      minio:
+        enabled: true
+        defaultProviderConfig:
+          minioURL: http://minio-server.minio.svc:9000/
+          credentials:
+            apiSecretRef:
+              name: minio-secret
+              namespace: syn-crossplane
+
+    apiserver:
+      enabled: true
+      env:
+        APPCAT_HANDLER_ENABLED: "true"
+        VSHN_POSTGRES_BACKUP_HANDLER_ENABLED: "true"
+        VSHN_REDIS_BACKUP_HANDLER_ENABLED: "true"
+
+    services:
+      emailAlerting:
+        enabled: true
+        smtpPassword: "?{vaultkv:__shared__/__shared__/mailgun/smtp_password}"
+      vshn:
+        enabled: false
+        externalDatabaseConnectionsEnabled: true
+        mariadb:
+          enabled: true
+        keycloak:
+          enabled: true
+          additionalInputs:
+            # https://vault-prod.syn.vshn.net/ui/vault/secrets/clusters%2Fkv/kv/__shared__%2F__shared__%2Fappcat/details?version=1
+            registry_username: ""
+            registry_password: ""
+            ingress_annotations: |
+              nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+              cert-manager.io/cluster-issuer: letsencrypt-staging
+        nextcloud:
+          enabled: true
+          additionalInputs:
+            collaboraCPULimit: "1"
+            collaboraCPURequests: 250m
+            collaboraMemoryLimit: 1Gi # during my tests I was able to force collabora to use ~800Mi
+            collaboraMemoryRequests: 256Mi
+            ingress_annotations: |
+              cert-manager.io/cluster-issuer: letsencrypt-staging
+
+        postgres:
+          sgNamespace: stackgres
+          bucket_region: 'ch-gva-2'
+          bucket_endpoint: 'http://minio-server.minio:9000'
+          additionalInputs:
+            loadbalancerAnnotations: |
+                foo: bar
+          plans:
+            standard-8:
+              enabled: false
+            plus-2:
+              size: ${appcat:services:vshn:postgres:plans:standard-2:size}
+              scheduling:
+                nodeSelector:
+                  appuio.io/node-class: "plus"
+              note: "Will be scheduled on APPUiO Cloud plus nodes"
+            plus-4:
+              size: ${appcat:services:vshn:postgres:plans:standard-4:size}
+              scheduling:
+                nodeSelector:
+                  appuio.io/node-class: "plus"
+              note: "Will be scheduled on APPUiO Cloud plus nodes"
+        redis:
+          enabled: true
+          plans:
+            standard-8:
+              enabled: false
+            plus-512m:
+              size: ${appcat:services:vshn:redis:plans:standard-512m:size}
+              scheduling:
+                nodeSelector:
+                  appuio.io/node-class: "plus"
+              note: "Will be scheduled on APPUiO Cloud plus nodes"
+            plus-1:
+              size: ${appcat:services:vshn:redis:plans:standard-1:size}
+              scheduling:
+                nodeSelector:
+                  appuio.io/node-class: "plus"
+              note: "Will be scheduled on APPUiO Cloud plus nodes"
+            plus-4:
+              size: ${appcat:services:vshn:redis:plans:standard-4:size}
+              scheduling:
+                nodeSelector:
+                  appuio.io/node-class: "plus"
+              note: "Will be scheduled on APPUiO Cloud plus nodes"
+            plus-2:
+              size: ${appcat:services:vshn:redis:plans:standard-2:size}
+              scheduling:
+                nodeSelector:
+                  appuio.io/node-class: "plus"
+              note: "Will be scheduled on APPUiO Cloud plus nodes"
+        minio:
+          enabled: false
+          instances:
+            - name: minio
+              namespace: syn-appcat
+              spec:
+                parameters:
+                  service:
+                    mode: standalone
+                  size:
+                    disk: 20Gi
+                writeConnectionSecretToRef:
+                  name: minio-cluster-credentials
+
+      generic:
+        objectstorage:
+          enabled: true
+
+          defaultComposition: minio
+          compositions:
+            exoscale:
+              enabled: false
+            cloudscale:
+              enabled: false
+            minio:
+              enabled: true

tests/golden/exodev/appcat/appcat/10_appcat_backup_monitoring.yaml

@@ -0,0 +1,23 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: appcat-backup
+  namespace: syn-appcat
+spec:
+  groups:
+    - name: appcat-backup
+      rules:
+        - alert: AppCatBackupJobError
+          annotations:
+            description: The backup job {{ $labels.job_name }} in namespace {{ $labels.namespace
+              }} has failed.
+            runbook_url: https://kb.vshn.ch/app-catalog/how-tos/appcat/AppCatBackupJobError.html
+            summary: AppCat service backup failed.
+          expr: kube_job_failed{job_name=~".*backup.*", namespace=~"vshn-(keycloak|mariadb|nextcloud|postgresql|redis)-.*"}
+            > 0
+          for: 1m
+          labels:
+            severity: warning
+            syn: 'true'
+            syn_component: appcat
+            syn_team: schedar

tests/golden/exodev/appcat/appcat/10_appcat_ha_monitoring.yaml

@@ -0,0 +1,37 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: appcat-ha
+  namespace: syn-appcat
+spec:
+  groups:
+    - name: appcat-ha
+      rules:
+        - alert: AppCatHighAvailableDeploymentWarning
+          annotations:
+            description: The deployment {{ $labels.deployment }} in namespace {{ $labels.namespace
+              }} has less replicas than expected.
+            runbook_url: https://kb.vshn.ch/app-catalog/how-tos/appcat/vshn/AppCatHighAvailableDeploymentWarning.html
+            summary: AppCat service instance has unavailable pods.
+          expr: kube_deployment_status_replicas{namespace=~"vshn-(keycloak|mariadb|nextcloud|postgresql|redis)-.*"}
+            > 1 AND kube_deployment_status_replicas{namespace=~"vshn-(keycloak|mariadb|nextcloud|postgresql|redis)-.*"}
+            - kube_deployment_status_replicas_ready{namespace=~"vshn-(keycloak|mariadb|nextcloud|postgresql|redis)-.*"}
+            > 0
+          for: 1m
+          labels:
+            severity: warning
+            syn_team: schedar
+        - alert: AppCatHighAvailableStatefulsetWarning
+          annotations:
+            description: The statefulset {{ $labels.statefulset }} in namespace {{
+              $labels.namespace }} has less replicas than expected.
+            runbook_url: https://kb.vshn.ch/app-catalog/how-tos/appcat/vshn/AppCatHighAvailableStatefulsetWarning.html
+            summary: AppCat service instance has unavailable pods.
+          expr: kube_statefulset_status_replicas{namespace=~"vshn-(keycloak|mariadb|nextcloud|postgresql|redis)-.*"}
+            > 1 AND kube_statefulset_status_replicas{namespace=~"vshn-(keycloak|mariadb|nextcloud|postgresql|redis)-.*"}
+            - kube_statefulset_status_replicas_ready{namespace=~"vshn-(keycloak|mariadb|nextcloud|postgresql|redis)-.*"}
+            > 0
+          for: 1m
+          labels:
+            severity: warning
+            syn_team: schedar

tests/golden/exodev/appcat/appcat/10_appcat_namespace.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: '-100'
+    openshift.io/node-selector: node-role.kubernetes.io/infra=
+    resourcequota.appuio.io/organization-objects.jobs: '300'
+  labels:
+    name: syn-appcat
+    openshift.io/cluster-monitoring: 'true'
+  name: syn-appcat

tests/golden/exodev/appcat/appcat/10_clusterrole_services_read.yaml

@@ -0,0 +1,45 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: '-100'
+  labels:
+    name: appcat-services-read
+  name: appcat:services:read
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - pods
+      - pods/log
+      - pods/status
+      - events
+      - services
+      - namespaces
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - statefulsets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ''
+    resources:
+      - pods/portforward
+    verbs:
+      - get
+      - list
+      - create
+  - apiGroups:
+      - ''
+      - project.openshift.io
+    resources:
+      - projects
+    verbs:
+      - get

tests/golden/exodev/appcat/appcat/10_clusterrole_view.yaml

@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: '-100'
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: 'true'
+    rbac.authorization.k8s.io/aggregate-to-edit: 'true'
+    rbac.authorization.k8s.io/aggregate-to-view: 'true'
+  name: appcat:browse
+rules:
+  - apiGroups:
+      - apiextensions.crossplane.io
+    resources:
+      - compositions
+      - compositionrevisions
+      - compositeresourcedefinitions
+    verbs:
+      - get
+      - list
+      - watch

tests/golden/exodev/appcat/appcat/10_function_appcat.yaml

@@ -0,0 +1,11 @@
+apiVersion: pkg.crossplane.io/v1beta1
+kind: Function
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+    argocd.argoproj.io/sync-wave: '-40'
+  name: function-appcat
+spec:
+  package: ghcr.io/vshn/appcat:v4.118.2-func
+  runtimeConfigRef:
+    name: function-appcat

tests/golden/exodev/appcat/appcat/10_function_patch_and_transform.yaml

@@ -0,0 +1,11 @@
+apiVersion: pkg.crossplane.io/v1beta1
+kind: Function
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+    argocd.argoproj.io/sync-wave: '-40'
+  name: function-patch-and-transform
+spec:
+  package: xpkg.upbound.io/crossplane-contrib/function-patch-and-transform:v0.1.4
+  runtimeConfigRef:
+    name: function-patch-and-transform

tests/golden/exodev/appcat/appcat/10_mock_org_info.yaml

@@ -0,0 +1,22 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  annotations: {}
+  labels:
+    name: mock-org-info
+  name: mock-org-info
+  namespace: syn-appcat
+spec:
+  groups:
+    - name: mock-org-info
+      rules:
+        - expr: '1'
+          labels:
+            organization: awesomekorp
+            sales_order: ST10120
+          record: appuio_control_organization_info
+        - expr: '1'
+          labels:
+            organization: notvshn
+            sales_order: invalid
+          record: appuio_control_organization_info

tests/golden/exodev/appcat/appcat/10_namespace_vshn_control.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: '-100'
+  labels:
+    name: syn-appcat-control
+  name: syn-appcat-control