diff --git a/.github/workflows/ah-lint.yaml b/.github/workflows/ah-lint.yaml
new file mode 100644
index 0000000..7ca39b7
--- /dev/null
+++ b/.github/workflows/ah-lint.yaml
@@ -0,0 +1,29 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: ArtifactHub Lint
+
+# permissions: {}
+
+on:
+ pull_request:
+ branches:
+ - '*'
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ required:
+ runs-on: ubuntu-latest
+ container:
+ image: artifacthub/ah
+ options: --user root
+ steps:
+ - name: Checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - name: Run ah lint
+ working-directory: ./charts/
+ run: |
+ set -e
+ ah lint
diff --git a/.github/workflows/ct-lint.yaml b/.github/workflows/ct-lint.yaml
new file mode 100644
index 0000000..a24d5a9
--- /dev/null
+++ b/.github/workflows/ct-lint.yaml
@@ -0,0 +1,35 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: CT Lint
+
+# permissions: {}
+
+on:
+ pull_request:
+ branches:
+ - '*'
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ required:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ fetch-depth: 0
+ - name: Set up Helm
+ uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
+ - name: Setup python
+ uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+ with:
+ python-version: 3.7
+ - name: Set up chart-testing
+ uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
+ - name: Run chart-testing (lint)
+ run: |
+ set -e
+ ct lint --target-branch=main --check-version-increment=false
diff --git a/.github/workflows/helm-install.yaml b/.github/workflows/helm-install.yaml
new file mode 100644
index 0000000..65a3bc0
--- /dev/null
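Review bot: The `permissions` block is commented out (`# permissions: {}`), so the job inherits the repository's default `GITHUB_TOKEN` grant although it only reads the checkout; add a top-level `permissions:` block with `contents: read`. The same commented-out line is in the new ct-lint and helm-install workflows in this commit. The `artifacthub/ah` container image is referenced by floating tag while every action in the file is pinned to a commit SHA; pin it by digest (`image: artifacthub/ah@sha256:<digest-placeholder>`) for the same reproducibility. Note also that `branches: - '*'` in a `pull_request` filter does not match `/`, so a PR targeting a branch such as `release/x` would not trigger any of the three workflows — `'**'` is the all-branches pattern, if that is the intent.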
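Review bot: `python-version: 3.7` is an unquoted scalar that YAML reads as a float; it survives here only because 3.7 has no trailing zero (the same pattern turns `3.10` into `3.1`), and Python 3.7 is end-of-life upstream. Quote it and move to a maintained release, `python-version: "3.11"` or whichever version chart-testing's tooling currently requires — verify before changing. The step already pins `actions/setup-python` by SHA, which is good; keep the same discipline for the version string itself.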
+++ b/.github/workflows/helm-install.yaml
@@ -0,0 +1,34 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: Helm install
+
+# permissions: {}
+
+on:
+ pull_request:
+ branches:
+ - '*'
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ required:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - name: Set up Go
+ uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+ with:
+ go-version-file: go.mod
+ cache-dependency-path: go.sum
+ - name: Create cluster
+ run: |
+ set -e
+ make kind-create
+ - name: Install chart
+ run: |
+ set -e
+ make kind-install
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 832e634..7187f0c 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -13,8 +13,8 @@ builds: binary: policy-reports flags: - -trimpath - # ldflags: - # - -s -w -X github.com/kyverno/policy-reports/pkg/version.BuildVersion={{ .Version }} + ldflags: + - -s -w kos: - build: policy-reports
diff --git a/Makefile b/Makefile
index aa63ca8..b5ad157 100644
--- a/Makefile
+++ b/Makefile
@@ -1,339 +1,16 @@ -# Common User-Settable Flags -# -------------------------- -REGISTRY?=ghcr.io/vishal-chdhry/policy-reports -ARCH?=a64 -OS?=linux -BINARY_NAME?=policy-reports-$(OS)-$(ARCH) +.DEFAULT_GOAL := build -ifeq ($(OS),windows) -BINARY_NAME:=$(BINARY_NAME).exe -endif +########## +# CONFIG # +########## -OUTPUT_DIR?=_output - -# Release variables -# ------------------ -GIT_COMMIT?=$(shell git rev-parse "HEAD^{commit}" 2>/dev/null) -GIT_TAG?=$(shell git describe --abbrev=0 --tags 2>/dev/null) -BUILD_DATE:=$(shell date -u +'%Y-%m-%dT%H:%M:%SZ') - -# Consts -# ------ -ALL_ARCHITECTURES=amd64 arm arm64 ppc64le s390x -export DOCKER_CLI_EXPERIMENTAL=enabled - -ALL_BINARIES_PLATFORMS= $(addprefix linux/,$(ALL_ARCHITECTURES)) \ - darwin/amd64 \ - darwin/arm64 \ - windows/amd64 \ - windows/arm64 - -# Tools versions -# -------------- -GOLANGCI_VERSION:=1.55.2 - -# Computed variables -# ------------------ -GOPATH:=$(shell go env GOPATH) -REPO_DIR:=$(shell pwd) - -.PHONY: all -all: policy-reports - -# Build Rules -# ----------- - -SRC_DEPS=$(shell find pkg cmd -type f -name "*.go") go.mod go.sum -CHECKSUM=$(shell md5sum $(SRC_DEPS) | md5sum | awk '{print $$1}') -PKG:=k8s.io/client-go/pkg -VERSION_LDFLAGS:=-X $(PKG)/version.gitVersion=$(GIT_TAG) -X $(PKG)/version.gitCommit=$(GIT_COMMIT) -X $(PKG)/version.buildDate=$(BUILD_DATE) -LDFLAGS:=-w $(VERSION_LDFLAGS) - -policy-reports: - OUTPUT_DIR=. BINARY_NAME=$@ $(MAKE) build - -.PHONY: build -build: $(SRC_DEPS) - @mkdir -p $(OUTPUT_DIR) - GOARCH=$(ARCH) GOOS=$(OS) CGO_ENABLED=0 go build -mod=readonly -trimpath -ldflags "$(LDFLAGS)" -o "$(OUTPUT_DIR)/$(BINARY_NAME)" . - -.PHONY: build-all -build-all: - @for platform in $(ALL_BINARIES_PLATFORMS); do \ - OS="$${platform%/*}" ARCH="$${platform#*/}" $(MAKE) build; \ - done - -# Image Rules -# ----------- - -CONTAINER_ARCH_TARGETS=$(addprefix container-,$(ALL_ARCHITECTURES)) - -.PHONY: container -container: - # Pull base image explicitly. 
Keep in sync with Dockerfile, otherwise - # GCB builds will start failing. - docker pull golang:1.21.4 - docker build -t $(REGISTRY)/policy-reports-$(ARCH):$(CHECKSUM) --build-arg ARCH=$(ARCH) --build-arg GIT_TAG=$(GIT_TAG) --build-arg GIT_COMMIT=$(GIT_COMMIT) . - -.PHONY: container-all -container-all: $(CONTAINER_ARCH_TARGETS); - -.PHONY: $(CONTAINER_ARCH_TARGETS) -$(CONTAINER_ARCH_TARGETS): container-%: - ARCH=$* $(MAKE) container - -# Official Container Push Rules -# ----------------------------- - -PUSH_ARCH_TARGETS=$(addprefix push-,$(ALL_ARCHITECTURES)) - -.PHONY: push -push: container - docker tag $(REGISTRY)/policy-reports-$(ARCH):$(CHECKSUM) $(REGISTRY)/policy-reports-$(ARCH):$(GIT_TAG) - docker push $(REGISTRY)/policy-reports-$(ARCH):$(GIT_TAG) - -.PHONY: push-all -push-all: $(PUSH_ARCH_TARGETS) push-multi-arch; - -.PHONY: $(PUSH_ARCH_TARGETS) -$(PUSH_ARCH_TARGETS): push-%: - ARCH=$* $(MAKE) push - -.PHONY: push-multi-arch -push-multi-arch: - docker manifest create --amend $(REGISTRY)/policy-reports:$(GIT_TAG) $(shell echo $(ALL_ARCHITECTURES) | sed -e "s~[^ ]*~$(REGISTRY)/policy-reports\-&:$(GIT_TAG)~g") - @for arch in $(ALL_ARCHITECTURES); do docker manifest annotate --arch $${arch} $(REGISTRY)/policy-reports:$(GIT_TAG) $(REGISTRY)/policy-reports-$${arch}:${GIT_TAG}; done - docker manifest push --purge $(REGISTRY)/policy-reports:$(GIT_TAG) - -# Release rules -# ------------- - -.PHONY: release-tag -release-tag: - git tag $(GIT_TAG) - git push origin $(GIT_TAG) - -.PHONY: release-manifests -release-manifests: - mkdir -p $(OUTPUT_DIR) - kubectl kustomize manifests/overlays/release > $(OUTPUT_DIR)/components.yaml - kubectl kustomize manifests/overlays/release-ha > $(OUTPUT_DIR)/high-availability.yaml - kubectl kustomize manifests/overlays/release-ha-1.21+ > $(OUTPUT_DIR)/high-availability-1.21+.yaml - - -# fuzz tests -# ---------- - -.PHONY: test-fuzz -test-fuzz: - GO111MODULE=on GOARCH=$(ARCH) go test --test.short -race 
-fuzz=Fuzz_decodeBatchPrometheusFormat -fuzztime 900s -timeout 10s ./pkg/scraper/client/resource/ - GO111MODULE=on GOARCH=$(ARCH) go test --test.short -race -fuzz=Fuzz_decodeBatchRandom -fuzztime 900s -timeout 10s ./pkg/scraper/client/resource/ -# Unit tests -# ---------- -.PHONY: test-unit -test-unit: - GO111MODULE=on GOARCH=$(ARCH) go test --test.short -race ./pkg/... ./cmd/... - -# Benchmarks -# ---------- - -HAS_BENCH_STORAGE=$(wildcard ./$(OUTPUT_DIR)/bench_storage.txt) - -.PHONY: bench-storage -bench-storage: benchstat - @mkdir -p $(OUTPUT_DIR) -ifneq ("$(HAS_BENCH_STORAGE)","") - @mv $(OUTPUT_DIR)/bench_storage.txt $(OUTPUT_DIR)/bench_storage.old.txt -endif - @go test ./pkg/storage/ -bench=. -run=^$ -benchmem -count 5 -timeout 1h | tee $(OUTPUT_DIR)/bench_storage.txt -ifeq ("$(HAS_BENCH_STORAGE)","") - @cp $(OUTPUT_DIR)/bench_storage.txt $(OUTPUT_DIR)/bench_storage.old.txt -endif - @echo - @echo 'Comparing versus previous run. When optimizing copy everything below this line and include in PR description.' 
- @echo - @benchstat $(OUTPUT_DIR)/bench_storage.old.txt $(OUTPUT_DIR)/bench_storage.txt - -HAS_BENCHSTAT:=$(shell command -v benchstat) -.PHONY: benchstat -benchstat: -ifndef HAS_BENCHSTAT - @go install -mod=readonly -modfile=scripts/go.mod golang.org/x/perf/cmd/benchstat -endif - -# Image tests -# ------------ - -.PHONY: test-image -test-image: container - IMAGE=$(REGISTRY)/policy-reports-$(ARCH):$(CHECKSUM) EXPECTED_ARCH=$(ARCH) EXPECTED_VERSION=$(GIT_TAG) ./test/test-image.sh - -.PHONY: test-image-all -test-image-all: - @for arch in $(ALL_ARCHITECTURES); do ARCH=$${arch} $(MAKE) test-image; done - -# E2e tests -# ----------- - -.PHONY: test-e2e -test-e2e: test-e2e-1.28 - -.PHONY: test-e2e-all -test-e2e-all: test-e2e-1.28 test-e2e-1.27 test-e2e-1.26 - -.PHONY: test-e2e-1.28 -test-e2e-1.28: - NODE_IMAGE=kindest/node:v1.28.0@sha256:b7a4cad12c197af3ba43202d3efe03246b3f0793f162afb40a33c923952d5b31 KIND_CONFIG="${PWD}/test/kind-config-with-sidecar-containers.yaml" ./test/test-e2e.sh - -.PHONY: test-e2e-1.27 -test-e2e-1.27: - NODE_IMAGE=kindest/node:v1.27.3@sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e98317add2c9ba72 ./test/test-e2e.sh - -.PHONY: test-e2e-1.26 -test-e2e-1.26: - NODE_IMAGE=kindest/node:v1.26.6@sha256:6e2d8b28a5b601defe327b98bd1c2d1930b49e5d8c512e1895099e4504007adb ./test/test-e2e.sh - -.PHONY: test-e2e-ha -test-e2e-ha: - SKAFFOLD_PROFILE="test-ha" $(MAKE) test-e2e - -.PHONY: test-e2e-ha-all -test-e2e-ha-all: - SKAFFOLD_PROFILE="test-ha" $(MAKE) test-e2e-all - -.PHONY: test-e2e-helm -test-e2e-helm: - SKAFFOLD_PROFILE="helm" $(MAKE) test-e2e - -.PHONY: test-e2e-helm-all -test-e2e-helm-all: - SKAFFOLD_PROFILE="helm" $(MAKE) test-e2e-all - -# Static analysis -# --------------- - -.PHONY: verify -verify: verify-licenses verify-lint verify-toc verify-deps verify-scripts-deps verify-generated verify-structured-logging - -.PHONY: update -update: update-licenses update-lint update-toc update-deps update-generated - -# License -# ------- - 
-HAS_ADDLICENSE:=$(shell command -v addlicense) -.PHONY: verify-licenses -verify-licenses:addlicense - find -type f -name "*.go" ! -path "*/vendor/*" | xargs $(GOPATH)/bin/addlicense -check || (echo 'Run "make update"' && exit 1) - -.PHONY: update-licenses -update-licenses: addlicense - find -type f -name "*.go" ! -path "*/vendor/*" | xargs $(GOPATH)/bin/addlicense -c "The Kubernetes Authors." - -.PHONY: addlicense -addlicense: -ifndef HAS_ADDLICENSE - go install -mod=readonly -modfile=scripts/go.mod github.com/google/addlicense -endif - -# Lint -# ---- - -.PHONY: verify-lint -verify-lint: golangci - $(GOPATH)/bin/golangci-lint run --timeout 10m || (echo 'Run "make update"' && exit 1) - -.PHONY: update-lint -update-lint: golangci - $(GOPATH)/bin/golangci-lint run --fix - -HAS_GOLANGCI_VERSION:=$(shell $(GOPATH)/bin/golangci-lint version --format=short > /dev/null 2>&1) -.PHONY: golangci -golangci: -ifneq ($(HAS_GOLANGCI_VERSION), $(GOLANGCI_VERSION)) - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(GOPATH)/bin v$(GOLANGCI_VERSION) -endif - -# Table of Contents -# ----------------- - -docs_with_toc=FAQ.md KNOWN_ISSUES.md - -.PHONY: verify-toc -verify-toc: mdtoc $(docs_with_toc) - $(GOPATH)/bin/mdtoc --inplace --dryrun $(docs_with_toc) - -.PHONY: update-toc -update-toc: mdtoc $(docs_with_toc) - $(GOPATH)/bin/mdtoc --inplace $(docs_with_toc) - -HAS_MDTOC:=$(shell command -v mdtoc) -.PHONY: mdtoc -mdtoc: -ifndef HAS_MDTOC - go install -mod=readonly -modfile=scripts/go.mod sigs.k8s.io/mdtoc -endif - -# Structured Logging -# ----------------- - -.PHONY: verify-structured-logging -verify-structured-logging: logcheck - $(GOPATH)/bin/logcheck ./... 
|| (echo 'Fix structured logging' && exit 1) - -HAS_LOGCHECK:=$(shell command -v logcheck) -.PHONY: logcheck -logcheck: -ifndef HAS_LOGCHECK - go install -mod=readonly -modfile=scripts/go.mod sigs.k8s.io/logtools/logcheck -endif - -# Dependencies -# ------------ - -.PHONY: update-deps -update-deps: - go mod tidy - cd scripts && go mod tidy - -.PHONY: verify-deps -verify-deps: - go mod verify - go mod tidy - @git diff --exit-code -- go.mod go.sum - -.PHONY: verify-scripts-deps -verify-scripts-deps: - make -C scripts -f ../Makefile verify-deps - -# Generated -# --------- - -generated_files=pkg/api/generated/openapi/zz_generated.openapi.go - -.PHONY: verify-generated -verify-generated: update-generated - @git diff --exit-code -- $(generated_files) - -.PHONY: update-generated -update-generated: - # pkg/api/generated/openapi/zz_generated.openapi.go - go install -mod=readonly -modfile=scripts/go.mod k8s.io/kube-openapi/cmd/openapi-gen - $(GOPATH)/bin/openapi-gen -i sigs.k8s.io/wg-policy-prototypes/policy-report/pkg/api/wgpolicyk8s.io/v1alpha2,k8s.io/apimachinery/pkg/runtime,k8s.io/apimachinery/pkg/apis/meta/v1,k8s.io/apimachinery/pkg/api/resource,k8s.io/apimachinery/pkg/version,k8s.io/api/core/v1.ObjectReference -p pkg/api/generated/openapi/ -O zz_generated.openapi -o $(REPO_DIR) -h $(REPO_DIR)/scripts/boilerplate.go.txt -r /dev/null - -# Deprecated -# ---------- - -# Remove when CI is migrated -lint: verify -test-version: test-image-all - -# Clean -# ----- - -.PHONY: clean -clean: - rm -rf $(OUTPUT_DIR) +ORG ?= kyverno +PACKAGE ?= github.com/$(ORG)/policy-reports +GIT_SHA := $(shell git rev-parse HEAD) +GOOS ?= $(shell go env GOOS) +GOARCH ?= $(shell go env GOARCH) +REGISTRY ?= ghcr.io +REPO ?= policy-reports ######### # TOOLS # 
@@ -342,12 +19,24 @@ clean: TOOLS_DIR := $(PWD)/.tools KIND := $(TOOLS_DIR)/kind KIND_VERSION := v0.20.0 -TOOLS := $(KIND) +KO := $(TOOLS_DIR)/ko +KO_VERSION := v0.14.1 +HELM := $(TOOLS_DIR)/helm +HELM_VERSION := v3.10.1 +TOOLS := $(KIND) $(KO) $(HELM) $(KIND): @echo Install kind... >&2 @GOBIN=$(TOOLS_DIR) go install sigs.k8s.io/kind@$(KIND_VERSION) +$(KO): + @echo Install ko... >&2 + @GOBIN=$(TOOLS_DIR) go install github.com/google/ko@$(KO_VERSION) + +$(HELM): + @echo Install helm... >&2 + @GOBIN=$(TOOLS_DIR) go install helm.sh/helm/v3/cmd/helm@$(HELM_VERSION) + .PHONY: install-tools install-tools: $(TOOLS) ## Install tools 
@@ -356,16 +45,70 @@ clean-tools: ## Remove installed tools @echo Clean tools... >&2 @rm -rf $(TOOLS_DIR) +######### +# BUILD # +######### + +CGO_ENABLED ?= 0 +LD_FLAGS := "-s -w" +LOCAL_PLATFORM := linux/$(GOARCH) +KO_REGISTRY := ko.local +KO_TAGS := $(GIT_SHA) +KO_CACHE ?= /tmp/ko-cache +BIN := policy-reports + +.PHONY: fmt +fmt: ## Run go fmt + @echo Go fmt... >&2 + @go fmt ./... + +.PHONY: vet +vet: ## Run go vet + @echo Go vet... >&2 + @go vet ./... + +$(BIN): fmt vet + @echo Build cli binary... >&2 + @CGO_ENABLED=$(CGO_ENABLED) GOOS=$(GOOS) go build -o ./$(BIN) -ldflags=$(LD_FLAGS) . + +.PHONY: build +build: $(BIN) ## Build + +.PHONY: ko-build +ko-build: $(KO) ## Build image (with ko) + @echo Build image with ko... >&2 + @LDFLAGS=$(LD_FLAGS) KOCACHE=$(KO_CACHE) KO_DOCKER_REPO=$(KO_REGISTRY) \ + $(KO) build . --preserve-import-paths --tags=$(KO_TAGS) --platform=$(LOCAL_PLATFORM) + ######## # KIND # ######## KIND_IMAGE ?= kindest/node:v1.28.0 +KIND_NAME ?= kind -.PHONY: kind-cluster -kind-cluster: $(KIND) ## Create kind cluster +.PHONY: kind-create +kind-create: $(KIND) ## Create kind cluster @echo Create kind cluster... >&2 - @$(KIND) create cluster --image $(KIND_IMAGE) --wait 1m + @$(KIND) create cluster --name $(KIND_NAME) --image $(KIND_IMAGE) --wait 1m + +.PHONY: kind-delete +kind-delete: $(KIND) ## Delete kind cluster + @echo Delete kind cluster... >&2 + @$(KIND) delete cluster --name $(KIND_NAME) + +.PHONY: kind-load +kind-load: $(KIND) ko-build ## Build image and load in kind cluster + @echo Load image... >&2 + @$(KIND) load docker-image --name $(KIND_NAME) $(KO_REGISTRY)/$(PACKAGE):$(GIT_SHA) + +.PHONY: kind-install +kind-install: $(HELM) kind-load ## Build image, load it in kind cluster and deploy helm chart + @echo Install chart... 
>&2
+ @$(HELM) upgrade --install policy-reports --namespace policy-reports --create-namespace --wait ./charts/policy-reports \
+ --set image.registry=$(KO_REGISTRY)
+ --set image.repository=$(PACKAGE)
+ --set image.tag=$(GIT_SHA) ######## # HELP #
diff --git a/charts/policy-reports/.helmignore b/charts/policy-reports/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/charts/policy-reports/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/policy-reports/Chart.lock b/charts/policy-reports/Chart.lock
new file mode 100644
index 0000000..36f6164
--- /dev/null
+++ b/charts/policy-reports/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: postgresql
+ repository: oci://registry-1.docker.io/bitnamicharts
+ version: 13.4.1
+digest: sha256:ac38b83c061b6851340ec78ea88bc2ac4a24d705235ebeeab2edc69ceb18f598
+generated: "2024-01-23T21:13:53.879046+01:00"
diff --git a/charts/policy-reports/Chart.yaml b/charts/policy-reports/Chart.yaml
new file mode 100644
index 0000000..945a5f5
--- /dev/null
+++ b/charts/policy-reports/Chart.yaml
@@ -0,0 +1,21 @@
+apiVersion: v2
+name: policy-reports
+type: application
+version: 0.0.1
+appVersion: v0.0.1
+keywords:
+ - kubernetes
+ - policy reports storage
+ - postgresql
+sources:
+ - https://github.com/kyverno/policy-reports
+maintainers:
+ - name: Nirmata
+ url: https://kyverno.io/
+ email: cncf-kyverno-maintainers@lists.cncf.io
+kubeVersion: ">=1.16.0-0"
+dependencies:
+- condition: postgresql.enabled
+ name: postgresql
+ version: 13.4.1
+ repository: oci://registry-1.docker.io/bitnamicharts
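Review bot: `$(BIN): fmt vet` makes the build target run `go fmt ./...`, which rewrites source files as a side effect of `make build`; in the helm-install workflow this means `make kind-install` can silently reformat the checkout instead of failing on drift. Consider a check-only prerequisite for the build path (`gofmt -l` over the tree, failing when it prints anything) and keep `fmt` as an explicit developer target. Separately, `kind-install` deploys with the chart's default `config.db.*` values, so whatever `values.yaml` ships — including the default database password — is what the CI cluster runs with; a comment on the target marking it as a test-only deployment would make that explicit, e.g. `## Build image, load it in kind cluster and deploy helm chart (test defaults, not for real clusters)`.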
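Review bot: Block-sequence indentation is mixed within Chart.yaml: `keywords`, `sources` and `maintainers` use indented items while `dependencies` uses flush items (`- condition: postgresql.enabled`); pick one style, the indented form matching the rest of the file, so yamllint's `indentation` check and Prettier do not fight over it. The `dependencies` entry agrees with Chart.lock (postgresql 13.4.1 from the bitnami OCI registry), so the lock is consistent with the chart.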
diff --git a/charts/policy-reports/charts/postgresql-13.4.1.tgz b/charts/policy-reports/charts/postgresql-13.4.1.tgz
new file mode 100644
index 0000000..065459f
Binary files /dev/null and b/charts/policy-reports/charts/postgresql-13.4.1.tgz differ
diff --git a/charts/policy-reports/templates/_helpers.tpl b/charts/policy-reports/templates/_helpers.tpl
new file mode 100644
index 0000000..6695cc7
--- /dev/null
+++ b/charts/policy-reports/templates/_helpers.tpl
@@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "policy-reports.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "policy-reports.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "policy-reports.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "policy-reports.labels" -}} +helm.sh/chart: {{ include "policy-reports.chart" . }} +{{ include "policy-reports.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "policy-reports.selectorLabels" -}} +app.kubernetes.io/name: {{ include "policy-reports.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "policy-reports.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "policy-reports.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} 
diff --git a/charts/policy-reports/templates/api-service.yaml b/charts/policy-reports/templates/api-service.yaml
new file mode 100644
index 0000000..1e7e1d2
--- /dev/null
+++ b/charts/policy-reports/templates/api-service.yaml
@@ -0,0 +1,16 @@
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+ name: v1alpha2.wgpolicyk8s.io
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ {{- include "policy-reports.labels" . | nindent 4 }}
+spec:
+ group: wgpolicyk8s.io
+ groupPriorityMinimum: 100
+ insecureSkipTLSVerify: true
+ service:
+ name: {{ include "policy-reports.fullname" . }}
+ namespace: {{ $.Release.Namespace }}
+ version: v1alpha2
+ versionPriority: 100
diff --git a/charts/policy-reports/templates/cluster-roles.yaml b/charts/policy-reports/templates/cluster-roles.yaml
new file mode 100644
index 0000000..b7e5d72
--- /dev/null
+++ b/charts/policy-reports/templates/cluster-roles.yaml
@@ -0,0 +1,35 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+metadata:
+ name: {{ include "policy-reports.fullname" . }}
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-admin: 'true'
+ rbac.authorization.k8s.io/aggregate-to-edit: 'true'
+ rbac.authorization.k8s.io/aggregate-to-view: 'true'
+ {{- include "policy-reports.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - wgpolicyk8s.io
+ resources:
+ - policyreports
+ - clusterpolicyreports
+ verbs:
+ - get
+ - list
+ - watch
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ include "policy-reports.fullname" . }}
+ labels:
+ {{- include "policy-reports.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "policy-reports.fullname" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "policy-reports.serviceAccountName" $ }}
+ namespace: {{ $.Release.Namespace }}
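Review bot: `insecureSkipTLSVerify: true` tells kube-apiserver to proxy `wgpolicyk8s.io` requests to this Service without verifying the extension server's certificate, so the aggregation layer cannot tell a spoofed or redirected backend from the real one; the Deployment in this commit writes its serving cert to `--cert-dir=/tmp` (an emptyDir), which is presumably why no `caBundle` can be supplied yet. Prefer issuing the serving certificate from a CA the chart controls — a generated CA kept in a Secret, or cert-manager's CA injection via the `cert-manager.io/inject-ca-from` annotation — and set `spec.caBundle` from it, with `insecureSkipTLSVerify` off by default and only switchable on through a value for dev clusters. APIService is cluster-scoped, so `namespace: {{ $.Release.Namespace }}` under `metadata` has no effect and should be dropped.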
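Review bot: The ClusterRole has `metadata:` twice in a row (file lines 3–4); the first key carries a null value and the second is a duplicate at the same level, which strict YAML parsers reject and lenient ones resolve last-wins, so the manifest renders parser-dependently — delete the first `metadata:` line. The rule set itself is tight (read-only `get`/`list`/`watch` on `policyreports` and `clusterpolicyreports`, aggregated into admin/edit/view), which is the right footprint for a report store. If the server performs delegated authorization (SubjectAccessReview) for incoming requests it will also need a ClusterRoleBinding to the built-in `system:auth-delegator` ClusterRole; this commit only grants the `extension-apiserver-authentication-reader` Role in roles.yaml, so confirm against the server's authz configuration.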
diff --git a/charts/policy-reports/templates/deployment.yaml b/charts/policy-reports/templates/deployment.yaml
new file mode 100644
index 0000000..4a4772d
--- /dev/null
+++ b/charts/policy-reports/templates/deployment.yaml
@@ -0,0 +1,84 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "policy-reports.fullname" . }}
+ labels:
+ {{- include "policy-reports.labels" . | nindent 4 }}
+spec:
+ strategy:
+ rollingUpdate:
+ maxUnavailable: 0
+ {{- if not .Values.autoscaling.enabled }}
+ replicas: {{ .Values.replicaCount }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "policy-reports.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "policy-reports.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.priorityClassName }}
+ priorityClassName: {{ . }}
+ {{- end }}
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "policy-reports.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: reports-server
+ args:
+ {{- if .Values.config.debug }}
+ - --debug
+ {{- else }}
+ - --dbhost={{ .Values.config.db.host }}
+ - --dbname={{ .Values.config.db.name }}
+ - --dbuser={{ .Values.config.db.user }}
+ - --dbpassword={{ .Values.config.db.password }}
+ {{- end }}
+ - --cert-dir=/tmp
+ - --secure-port=4443
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ ports:
+ - name: https
+ containerPort: 4443
+ protocol: TCP
+ volumeMounts:
+ - mountPath: /tmp
+ name: tmp-dir
+ {{- with .Values.livenessProbe }}
+ livenessProbe:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.readinessProbe }}
+ readinessProbe:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . 
| nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ volumes:
+ - emptyDir: {}
+ name: tmp-dir
diff --git a/charts/policy-reports/templates/roles.yaml b/charts/policy-reports/templates/roles.yaml
new file mode 100644
index 0000000..f31762b
--- /dev/null
+++ b/charts/policy-reports/templates/roles.yaml
@@ -0,0 +1,15 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ include "policy-reports.fullname" . }}
+ namespace: kube-system
+ labels:
+ {{- include "policy-reports.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+ name: {{ include "policy-reports.serviceAccountName" $ }}
+ namespace: {{ $.Release.Namespace }}
diff --git a/charts/policy-reports/templates/service-account.yaml b/charts/policy-reports/templates/service-account.yaml
new file mode 100644
index 0000000..29158c8
--- /dev/null
+++ b/charts/policy-reports/templates/service-account.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "policy-reports.serviceAccountName" . }}
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ {{- include "policy-reports.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/policy-reports/templates/service.yaml b/charts/policy-reports/templates/service.yaml
new file mode 100644
index 0000000..80c3e9c
--- /dev/null
+++ b/charts/policy-reports/templates/service.yaml
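Review bot: `--dbpassword={{ .Values.config.db.password }}` places the database password in the container args, where it is readable by anyone who can get or describe pods or the Deployment, appears in process listings on the node, and is copied by any tooling that dumps pod specs. Source it from a Secret and let Kubernetes substitute it into the argument at start-up (`$(VAR)` expansion works in `args`); the Secret can be one the chart renders from `config.db.password` or the one the postgresql subchart creates — confirm its name and key before wiring it, since neither is visible here. This keeps the value out of the spec, though the expanded argument is still visible to processes inside the container; reading it from the environment or a file in the server would close that too, which needs a server-side change. The rest of the container spec (read-only root, `runAsNonRoot`, dropped capabilities, seccomp) is a sound baseline.
```yaml
        - name: reports-server
          env:
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: <db-secret-name>  # placeholder: Secret holding the DB password
                  key: <db-secret-key>    # placeholder: key within that Secret
          args:
            # … unchanged: --debug / --dbhost / --dbname / --dbuser …
            - --dbpassword=$(DB_PASSWORD)
            # … unchanged: --cert-dir, --secure-port, securityContext, image …
```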
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "policy-reports.fullname" . }}
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ {{- include "policy-reports.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - name: https
+ port: {{ .Values.service.port }}
+ protocol: TCP
+ targetPort: https
+ selector:
+ {{- include "policy-reports.selectorLabels" . | nindent 4 }}
diff --git a/charts/policy-reports/values.yaml b/charts/policy-reports/values.yaml
new file mode 100644
index 0000000..c5a661e
--- /dev/null
+++ b/charts/policy-reports/values.yaml
@@ -0,0 +1,151 @@
+postgresql:
+
+ # -- Deploy postgresql dependency chart
+ enabled: true
+
+ auth:
+
+ postgresPassword: reports
+
+ database: reportsdb
+
+# -- Name override
+nameOverride: ""
+
+# -- Full name override
+fullnameOverride: ""
+
+# -- Number of pod replicas
+replicaCount: 1
+
+image:
+ # -- Image registry
+ registry: ghcr.io
+ # -- Image repository
+ repository: kyverno/policy-reports
+ # -- Image pull policy
+ pullPolicy: IfNotPresent
+ # -- Image tag (will default to app version if not set)
+ tag: ~
+
+# -- Image pull secrets
+imagePullSecrets: []
+
+# -- Priority class name
+priorityClassName: system-cluster-critical
+
+serviceAccount:
+ # -- Create service account
+ create: true
+
+ # -- Service account annotations
+ annotations: {}
+
+ # -- Service account name (required if `serviceAccount.create` is `false`)
+ name: ""
+
+# -- Pod annotations
+podAnnotations: {}
+
+# -- Pod security context
+podSecurityContext:
+ fsGroup: 2000
+
+# -- Container security context
+# @default -- See [values.yaml](values.yaml)
+securityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ privileged: false
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+
+# -- Liveness probe
+livenessProbe:
+ failureThreshold: 3
+ periodSeconds: 10
+ httpGet:
+ path: /livez
+ port: https
+ scheme: HTTPS
+
+# -- Readiness probe
+readinessProbe:
+ initialDelaySeconds: 20
+ failureThreshold: 3
+ periodSeconds: 10
+ httpGet:
+ path: /readyz
+ port: https
+ scheme: HTTPS
+
+# We usually recommend not to specify default resources and to leave this as a conscious
+# choice for the user. This also increases chances charts run on environments with little
+# resources, such as Minikube. If you do want to specify resources, uncomment the following
+# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+resources:
+ # -- Container resource limits
+ limits:
+ # cpu: 100m
+ # memory: 128Mi
+
+ # -- Container resource requests
+ requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+autoscaling:
+ # -- Enable autoscaling
+ enabled: false
+
+ # -- Min number of replicas
+ minReplicas: 1
+
+ # -- Max number of replicas
+ maxReplicas: 100
+
+ # -- Target CPU utilisation
+ targetCPUUtilizationPercentage: 80
+
+ # -- Target Memory utilisation
+ targetMemoryUtilizationPercentage: ~
+
+# -- Node selector
+nodeSelector: {}
+
+# -- Tolerations
+tolerations: []
+
+# -- Affinity
+affinity: {}
+
+service:
+ # -- Service type
+ type: ClusterIP
+
+ # -- Service port
+ port: 443
+
+config:
+
+ # -- Enable debug (to use inmemorydatabase)
+ debug: false
+
+ db:
+
+ # -- Database host
+ host: policy-reports-postgresql
+
+ # -- Database name
+ name: reportsdb
+
+ # -- Database user
+ user: postgres
+
+ # -- Database password
+ password: reports
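Review bot: The chart ships working plaintext credentials as defaults — `postgresql.auth.postgresPassword: reports` and `config.db.password: reports` — so an unmodified `helm install` yields a database with a publicly known password, duplicated in two places that must be kept in sync by hand. Default both to `""` and fail the render with `required` (or accept an existing Secret name) so no password is baked into the chart, and say so in the `# --` comment for each key. `config.db.host: policy-reports-postgresql` also hard-codes the release name: the postgresql subchart's Service is named from `.Release.Name`, so a release not literally called `policy-reports` gets a host that does not resolve — derive it in the template (`{{ .Release.Name }}-postgresql`) when the value is empty, or document the constraint. Last, `priorityClassName: system-cluster-critical` as a default is likely to be rejected by the Priority admission plugin outside `kube-system` (unless I misremember, the `system-*` classes are only usable there), which would break the `make kind-install` path that targets the `policy-reports` namespace; an empty default is safer.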