diff --git a/charts/policy-reporter/Chart.yaml b/charts/policy-reporter/Chart.yaml index 6e24c77a..5bc74f8a 100644 --- a/charts/policy-reporter/Chart.yaml +++ b/charts/policy-reporter/Chart.yaml @@ -1,13 +1,15 @@ apiVersion: v2 name: policy-reporter -description: K8s PolicyReporter watches for wgpolicyk8s.io/v1alpha1.PolicyReport resources. It creates Prometheus Metrics and can send rule validation events to different targets like Loki, Elasticsearch, Slack or Discord +description: | + K8s PolicyReporter watches for wgpolicyk8s.io/v1alpha1.PolicyReport resources. + It creates Prometheus Metrics and can send rule validation events to different targets like Loki, Elasticsearch, Slack or Discord type: application -version: 0.16.2 +version: 0.17.0 appVersion: 0.12.0 dependencies: - name: monitoring condition: monitoring.enabled - name: policy-reporter-ui - condition: ui.enabled \ No newline at end of file + condition: ui.enabled diff --git a/charts/policy-reporter/charts/policy-reporter-ui/Chart.yaml b/charts/policy-reporter/charts/policy-reporter-ui/Chart.yaml index 38d8448c..1dcdc783 100644 --- a/charts/policy-reporter/charts/policy-reporter-ui/Chart.yaml +++ b/charts/policy-reporter/charts/policy-reporter-ui/Chart.yaml @@ -3,5 +3,5 @@ name: policy-reporter-ui description: Policy Reporter UI type: application -version: 0.3.0 +version: 0.3.1 appVersion: 0.3.0 diff --git a/charts/policy-reporter/charts/policy-reporter-ui/templates/_helpers.tpl b/charts/policy-reporter/charts/policy-reporter-ui/templates/_helpers.tpl index 750a79e2..8530a1c0 100644 --- a/charts/policy-reporter/charts/policy-reporter-ui/templates/_helpers.tpl +++ b/charts/policy-reporter/charts/policy-reporter-ui/templates/_helpers.tpl 
@@ -47,5 +47,9 @@ app.kubernetes.io/instance: {{ .Release.Name }} Create the name of the service account to use */}} {{- define "ui.serviceAccountName" -}} -{{ include "ui.fullname" . }}-sa +{{- if .Values.serviceAccount.create }} +{{- default (include "ui.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} {{- end }} diff --git a/charts/policy-reporter/charts/policy-reporter-ui/templates/deployment.yaml b/charts/policy-reporter/charts/policy-reporter-ui/templates/deployment.yaml index a161039c..d5fc48e2 100644 --- a/charts/policy-reporter/charts/policy-reporter-ui/templates/deployment.yaml +++ b/charts/policy-reporter/charts/policy-reporter-ui/templates/deployment.yaml @@ -5,7 +5,11 @@ metadata: labels: {{- include "ui.labels" . | nindent 4 }} spec: - replicas: 1 + replicas: {{ .Values.replicaCount }} + {{- if .Values.deploymentStrategy }} + strategy: + {{- toYaml .Values.deploymentStrategy | nindent 4 }} + {{- end }} selector: matchLabels: {{- include "ui.selectorLabels" . | nindent 6 }} @@ -13,6 +17,15 @@ spec: metadata: labels: {{- include "ui.selectorLabels" . | nindent 8 }} +{{- range $key, $value := $.Values.podLabels }} + {{ $key }}: {{ $value | quote }} +{{- end }} + {{- if .Values.podAnnotations }} + annotations: +{{- range $key, $value := $.Values.podAnnotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} + {{- end }} spec: {{- with .Values.imagePullSecrets }} imagePullSecrets: @@ -24,8 +37,12 @@ spec: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.securityContext }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + {{- end }} args: - - -backend={{ .Values.backend }} + - -backend=http://{{ .Values.global.backend }}:{{ .Values.global.port }} ports: - name: http containerPort: 8080 
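Review bot: The new `-backend=http://{{ .Values.global.backend }}:{{ .Values.global.port }}` argument hardcodes a plaintext scheme, and the container `securityContext` is rendered only when the operator sets one, so with the UI chart's `securityContext: {}` default the container runs with whatever user and capabilities the image ships. The `ui.serviceAccountName` helper in the first hunk now falls back to `default`, and the UI values in this same commit default to `serviceAccount.create: false`, so the pod mounts the namespace's default ServiceAccount token even though no Role or RoleBinding for the UI appears anywhere in this diff. I would add `automountServiceAccountToken: false` to the pod `spec` (the block that begins in the second hunk, right above `imagePullSecrets`) and render a non-empty security context by default. If plain HTTP to the backend is intentional because the traffic stays inside the cluster, state that next to the argument, e.g. `# backend is reached over plain HTTP inside the cluster; restrict with a NetworkPolicy or terminate TLS in front of it if that is not acceptable`, and consider a `global.scheme` value so a TLS-fronted backend does not require forking the template.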
@@ -40,3 +57,15 @@ spec: port: http resources: {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/policy-reporter/charts/policy-reporter-ui/templates/ingress.yaml b/charts/policy-reporter/charts/policy-reporter-ui/templates/ingress.yaml new file mode 100644 index 00000000..340fa612 --- /dev/null +++ b/charts/policy-reporter/charts/policy-reporter-ui/templates/ingress.yaml @@ -0,0 +1,44 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "ui.fullname" . -}} +{{- $servicePort := .Values.service.port -}} +{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ include "ui.fullname" . }} + labels: + {{- include "ui.selectorLabels" . | nindent 4 }} +{{- range $key, $value := $.Values.ingress.labels }} + {{ $key }}: {{ $value | quote }} +{{- end }} + annotations: +{{- range $key, $value := $.Values.ingress.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ . }} + backend: + serviceName: {{ $fullName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/policy-reporter/charts/policy-reporter-ui/templates/service.yaml b/charts/policy-reporter/charts/policy-reporter-ui/templates/service.yaml index 6675fa73..6e9747bb 100644 
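Review bot: The new Ingress ships with `tls: []` and no authentication hook beyond free-form `ingress.annotations`, so flipping `ingress.enabled` publishes the UI's policy-violation data over plain HTTP unless the operator remembers to add both; I see no authentication configuration for the UI anywhere in this chart, so TLS plus an auth annotation should be treated as required when the Ingress is on. A guard such as `{{- if and .Values.ingress.enabled (not .Values.ingress.tls) }}{{ fail "ingress.tls must be set when ingress.enabled is true" }}{{- end }}`, or at least a values comment stating that expectation, would make it explicit. Separately, `networking.k8s.io/v1beta1` is chosen for every cluster at or above 1.14, so on clusters that have removed the beta API the template renders but the apply fails; preferring `networking.k8s.io/v1` when the cluster advertises it (that version requires `pathType` and the `service.name`/`port.number` backend shape) avoids that, as sketched below.
```yaml
{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
# … unchanged: kind, metadata, tls, rules/host …
      paths:
      {{- range .paths }}
      - path: {{ . | quote }}
        {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1" }}
        pathType: ImplementationSpecific
        backend:
          service:
            name: {{ $fullName }}
            port:
              number: {{ $servicePort }}
        {{- else }}
        backend:
          serviceName: {{ $fullName }}
          servicePort: {{ $servicePort }}
        {{- end }}
      {{- end }}
```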
--- a/charts/policy-reporter/charts/policy-reporter-ui/templates/service.yaml +++ b/charts/policy-reporter/charts/policy-reporter-ui/templates/service.yaml @@ -1,15 +1,24 @@ +{{- if .Values.service.enabled -}} apiVersion: v1 kind: Service metadata: name: {{ include "ui.fullname" . }} labels: {{- include "ui.labels" . | nindent 4 }} +{{- range $key, $value := $.Values.service.labels }} + {{ $key }}: {{ $value | quote }} +{{- end }} + annotations: +{{- range $key, $value := $.Values.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} spec: - type: ClusterIP + type: {{ .Values.service.type }} ports: - - port: 8080 + - port: {{ .Values.service.port }} targetPort: http protocol: TCP name: http selector: {{- include "ui.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/charts/policy-reporter/charts/policy-reporter-ui/templates/serviceaccount.yaml b/charts/policy-reporter/charts/policy-reporter-ui/templates/serviceaccount.yaml index ed4f92ef..7ab0824e 100644 --- a/charts/policy-reporter/charts/policy-reporter-ui/templates/serviceaccount.yaml +++ b/charts/policy-reporter/charts/policy-reporter-ui/templates/serviceaccount.yaml @@ -1,6 +1,12 @@ +{{- if .Values.serviceAccount.create -}} apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "ui.serviceAccountName" . }} labels: {{- include "ui.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/policy-reporter/charts/policy-reporter-ui/values.yaml b/charts/policy-reporter/charts/policy-reporter-ui/values.yaml index f2adbb5c..f9f794a0 100644 --- a/charts/policy-reporter/charts/policy-reporter-ui/values.yaml +++ b/charts/policy-reporter/charts/policy-reporter-ui/values.yaml 
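Review bot: `type: {{ .Values.service.type }}` makes the UI Service exposable as `NodePort` or `LoadBalancer`, and I see no authentication configuration for the UI in this chart, so a one-word values change turns the policy-violation view into an unauthenticated network-reachable endpoint; the `service.type` entry in values should say so, e.g. `# keep ClusterIP unless the UI sits behind an authenticating proxy; the chart configures no authentication for it (verify against the image)`. The `annotations:` key is also emitted unconditionally, so with the default empty `service.annotations` it renders as `annotations:` with a null value; Kubernetes tolerates that, but wrapping it in `{{- with .Values.service.annotations }}` like the ServiceAccount template in this same commit keeps the output clean and the two templates consistent.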
@@ -7,12 +7,72 @@ image: imagePullSecrets: [] -backend: http://policy-reporter:8080 - -resources: - requests: - memory: 50Mi - cpu: 10m - limits: - memory: 100Mi - cpu: 50m \ No newline at end of file +replicaCount: 1 + +deploymentStrategy: {} + # rollingUpdate: + # maxSurge: 25% + # maxUnavailable: 25% + # type: RollingUpdate + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +# Key/value pairs that are attached to pods. +podAnnotations: {} + +# Key/value pairs that are attached to pods. +podLabels: {} + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # memory: 100Mi + # cpu: 50m + # requests: + # memory: 50Mi + # cpu: 10m + +serviceAccount: + # Specifies whether a service account should be created + create: false + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +service: + enabled: true + ## configuration of service + # key/value + annotations: {} + # key/value + labels: {} + type: ClusterIP + # integer nubmer. This is port for service + port: 8080 + +## Set to true to enable ingress record generation +# ref to: https://kubernetes.io/docs/concepts/services-networking/ingress/ +ingress: + enabled: false + # key/value + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: [] + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local 
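Review bot: The hardening under `securityContext` is shipped entirely commented out, so the default UI deployment sets no `runAsNonRoot`, drops no capabilities and keeps a writable root filesystem; for a component this same commit makes exposable through an Ingress, that should be opt-out rather than opt-in. The same hunk replaces the previous concrete `resources` requests and limits with `{}`, so the container is now unbounded by default; I would keep the old values as the default rather than the `helm create` boilerplate. An active least-privilege context is sketched below; `runAsNonRoot: true` assumes the image already runs as a non-root user and `readOnlyRootFilesystem: true` assumes the UI writes nothing to disk, neither of which I can confirm from this diff, so verify both before enabling.
```yaml
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  # runAsUser: 1000   # set only if the image's USER is not already non-root
```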
diff --git a/charts/policy-reporter/templates/_helpers.tpl b/charts/policy-reporter/templates/_helpers.tpl index f11859fe..7f397e3b 100644 --- a/charts/policy-reporter/templates/_helpers.tpl +++ b/charts/policy-reporter/templates/_helpers.tpl @@ -47,5 +47,9 @@ app.kubernetes.io/instance: {{ .Release.Name }} Create the name of the service account to use */}} {{- define "policyreporter.serviceAccountName" -}} -{{ include "policyreporter.fullname" . }}-sa +{{- if .Values.serviceAccount.create }} +{{- default (include "policyreporter.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} {{- end }} diff --git a/charts/policy-reporter/templates/clusterrole.yaml b/charts/policy-reporter/templates/clusterrole.yaml index af160399..3bec36ee 100644 --- a/charts/policy-reporter/templates/clusterrole.yaml +++ b/charts/policy-reporter/templates/clusterrole.yaml @@ -1,3 +1,4 @@ +{{- if .Values.serviceAccount.create -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -16,3 +17,4 @@ rules: - get - list - watch +{{- end -}} diff --git a/charts/policy-reporter/templates/clusterrolebinding.yaml b/charts/policy-reporter/templates/clusterrolebinding.yaml index e436a9ac..88d1e141 100644 --- a/charts/policy-reporter/templates/clusterrolebinding.yaml +++ b/charts/policy-reporter/templates/clusterrolebinding.yaml @@ -1,3 +1,4 @@ +{{- if .Values.rbac.enabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -10,3 +11,4 @@ subjects: - kind: "ServiceAccount" name: {{ include "policyreporter.serviceAccountName" . }} namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/policy-reporter/templates/deployment.yaml b/charts/policy-reporter/templates/deployment.yaml index 80fb1cf0..d5187dbd 100644 --- a/charts/policy-reporter/templates/deployment.yaml +++ b/charts/policy-reporter/templates/deployment.yaml 
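Review bot: With `serviceAccount.create: false` and `serviceAccount.name` left at its new empty default, `policyreporter.serviceAccountName` resolves to `default`, and the ClusterRoleBinding in this same diff then binds cluster-wide get/list/watch on PolicyReports to the namespace's default ServiceAccount, so every pod in the namespace that does not set its own account inherits that read access. Disabling creation usually means a pre-existing account is intended, so the `else` branch should insist on a name: `{{- required "serviceAccount.name is required when serviceAccount.create is false" .Values.serviceAccount.name }}` in place of `{{- default "default" .Values.serviceAccount.name }}`. At minimum the values comment on `name` should warn that an empty name binds the default account.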
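Review bot: clusterrole.yaml is now gated on `.Values.serviceAccount.create` while clusterrolebinding.yaml in this same commit is gated on `.Values.rbac.enabled`, so the two objects render independently: `serviceAccount.create: false` with the default `rbac.enabled: true` emits a ClusterRoleBinding to a ClusterRole that is never created (the API accepts the dangling binding and the reporter then cannot list or watch), and `rbac.enabled: false` with `serviceAccount.create: true` creates an unbound ClusterRole. Whether the role exists has nothing to do with who the ServiceAccount is; gate both files on the same switch, `{{- if .Values.rbac.enabled -}}` here. The rule list itself lies outside the hunk, so I have only seen the trailing `get`/`list`/`watch` verbs.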
@@ -4,12 +4,16 @@ metadata: name: {{ include "policyreporter.fullname" . }} labels: {{- include "policyreporter.labels" . | nindent 4 }} - {{- if .Values.deployment.annotations }} + {{- if .Values.annotations }} annotations: - {{- toYaml .Values.deployment.annotations | nindent 4 }} + {{- toYaml .Values.annotations | nindent 4 }} {{- end }} spec: - replicas: 1 + replicas: {{ .Values.replicaCount }} + {{- if .Values.deploymentStrategy }} + strategy: + {{- toYaml .Values.deploymentStrategy | nindent 4 }} + {{- end }} selector: matchLabels: {{- include "policyreporter.selectorLabels" . | nindent 6 }} @@ -17,8 +21,14 @@ spec: metadata: labels: {{- include "policyreporter.selectorLabels" . | nindent 8 }} +{{- range $key, $value := $.Values.podLabels }} + {{ $key }}: {{ $value | quote }} +{{- end }} annotations: - checksum/secret: {{ include (print $.Template.BasePath "/targetssecret.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/targetssecret.yaml") . | sha256sum | quote }} +{{- range $key, $value := $.Values.podAnnotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} spec: {{- with .Values.imagePullSecrets }} imagePullSecrets: @@ -30,6 +40,10 @@ spec: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.securityContext }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + {{- end }} args: - --config=/app/config.yaml {{- if or .Values.api.enabled .Values.ui.enabled }} @@ -66,3 +80,15 @@ spec: secret: secretName: {{ include "policyreporter.fullname" . }}-targets optional: true + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} 
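Review bot: The Deployment's annotation source moves from `.Values.deployment.annotations` to `.Values.annotations` with no fallback, and Helm does not reject unknown values keys, so existing users' values files keep rendering but silently lose their Deployment annotations on upgrade to 0.17.0. Either read both keys for a deprecation window (guarding the old path, since dereferencing `.Values.deployment.annotations` when `deployment` is absent errors in Go templates) or call the rename out in the chart's upgrade notes. The third hunk renders the container `securityContext` only when set, and the root values default is `{}`, so the same opt-in hardening concern as the UI applies to the component that holds the cluster-wide PolicyReport credentials; a pod-level `securityContext` (for `runAsNonRoot` or `seccompProfile`) is not templated at all.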
diff --git a/charts/policy-reporter/templates/role.yaml b/charts/policy-reporter/templates/role.yaml index 04b30416..37788853 100644 --- a/charts/policy-reporter/templates/role.yaml +++ b/charts/policy-reporter/templates/role.yaml @@ -1,3 +1,4 @@ +{{- if .Values.policyPriorities.enabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -11,3 +12,4 @@ rules: - get - list - watch +{{- end }} diff --git a/charts/policy-reporter/templates/rolebinding.yaml b/charts/policy-reporter/templates/rolebinding.yaml index 9a654ffc..d056d998 100644 --- a/charts/policy-reporter/templates/rolebinding.yaml +++ b/charts/policy-reporter/templates/rolebinding.yaml @@ -1,3 +1,4 @@ +{{- if .Values.policyPriorities.enabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -10,3 +11,4 @@ subjects: - kind: "ServiceAccount" name: {{ include "policyreporter.serviceAccountName" . }} namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/policy-reporter/templates/service.yaml b/charts/policy-reporter/templates/service.yaml index 3de55a98..7e3e8eb0 100644 --- a/charts/policy-reporter/templates/service.yaml +++ b/charts/policy-reporter/templates/service.yaml 
@@ -1,21 +1,32 @@ +{{- $apiEnabled := .Values.api.enabled -}} +{{- $uiEnabled := .Values.ui.enabled -}} +{{- if .Values.service.enabled -}} apiVersion: v1 kind: Service metadata: name: {{ include "policyreporter.fullname" . }} labels: {{- include "policyreporter.labels" . | nindent 4 }} +{{- range $key, $value := $.Values.service.labels }} + {{ $key }}: {{ $value | quote }} +{{- end }} + annotations: +{{- range $key, $value := $.Values.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} spec: - type: ClusterIP + type: {{ .Values.service.type }} ports: - - port: 2112 + - port: {{ .Values.service.port }} targetPort: http protocol: TCP name: http - {{- if or .Values.api.enabled .Values.ui.enabled }} - - port: 8080 + {{- if or $apiEnabled $uiEnabled }} + - port: {{ .Values.global.port }} targetPort: rest protocol: TCP name: rest {{- end }} selector: {{- include "policyreporter.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/charts/policy-reporter/templates/serviceaccount.yaml b/charts/policy-reporter/templates/serviceaccount.yaml index e2c73f9a..9ddf4ed8 100644 --- a/charts/policy-reporter/templates/serviceaccount.yaml +++ b/charts/policy-reporter/templates/serviceaccount.yaml @@ -1,6 +1,12 @@ +{{- if .Values.serviceAccount.create -}} apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "policyreporter.serviceAccountName" . }} labels: {{- include "policyreporter.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/policy-reporter/values.yaml b/charts/policy-reporter/values.yaml index 3233059a..306ee6bf 100644 --- a/charts/policy-reporter/values.yaml +++ b/charts/policy-reporter/values.yaml 
@@ -5,16 +5,66 @@ image: imagePullSecrets: [] -deployment: +replicaCount: 1 + +deploymentStrategy: {} + # rollingUpdate: + # maxSurge: 25% + # maxUnavailable: 25% + # type: RollingUpdate + +# Key/value pairs that are attached to Deployment. +annotations: {} + +# Create cluster role policies +rbac: + enabled: true + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +service: + enabled: true + ## configuration of service + # key/value + annotations: {} + # key/value + labels: {} + type: ClusterIP + # integer nubmer. This is port for service + port: 2112 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +# Key/value pairs that are attached to pods. +podAnnotations: {} + +# Key/value pairs that are attached to pods. +podLabels: {} -resources: - requests: - memory: 20Mi - cpu: 5m - limits: - memory: 30Mi - cpu: 10m +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # memory: 30Mi + # cpu: 10m + # requests: + # memory: 20Mi + # cpu: 5m monitoring: enabled: false 
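Review bot: `rbac.enabled` is documented only as `Create cluster role policies`, yet in this commit it gates the ClusterRoleBinding while the ClusterRole is gated on `serviceAccount.create`, so the comment should spell out the consequence: `# rbac.enabled: false leaves the reporter unable to list/watch PolicyReports unless a binding already exists for serviceAccount.name`. The `securityContext` hardening is shipped commented out and the previous `resources` limits are replaced by `{}`, so the default install runs a cluster-wide watcher with no capability drops and no memory bound; consider making the hardening active by default and keeping the old limits rather than the `helm create` placeholder. The `port: 2112` comment also has a typo, `integer nubmer. This is port for service`; `# Integer. Service port for the Prometheus metrics endpoint` reads better.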
@@ -24,9 +74,19 @@ monitoring: # labels to match the serviceMonitorSelector of the Prometheus Resource labels: {} +global: + # The name of service policy-report. If you changed ReleaseName you have to replace it + backend: policy-reporter + # Service Port number + port: 8080 + api: enabled: false +# Policy Priorities +policyPriorities: + enabled: false + loki: # loki host address host: "" @@ -63,3 +123,18 @@ discord: minimumPriority: "" # Skip already existing PolicyReportResults on startup skipExistingOnStartup: true + +# Node labels for pod assignment +# ref: https://kubernetes.io/docs/user-guide/node-selection/ +nodeSelector: {} + +# Tolerations for pod assignment +# ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +tolerations: [] + +# Anti-affinity to disallow deploying client and master nodes on the same worker node +affinity: {} + +# enable policy-report-ui +ui: + enabled: false
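Review bot: The `affinity` comment `Anti-affinity to disallow deploying client and master nodes on the same worker node` is lifted from a chart with a client/master topology and describes nothing in this one; the Deployment templates in this commit simply render whatever the operator supplies into `spec.affinity`. Replace it with `# Affinity/anti-affinity rules for pod assignment` plus the usual `# ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/`. In the previous hunk, the `global.backend` comment (`If you changed ReleaseName you have to replace it`) would also benefit from stating that the UI Deployment in this commit dials this name over plain HTTP inside the cluster, so operators know what the value is used for.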