From 123060a974176ce2ce1ca90a05822b358000e769 Mon Sep 17 00:00:00 2001
From: Frank Jogeleit
Date: Wed, 17 Mar 2021 01:54:49 +0100
Subject: [PATCH] Helm Improvements (#16)
* Helm Improvements
* Update README
---
 .gitignore | 2 +-
 README.md | 154 ++++++++++++++----
 charts/policy-reporter/Chart.yaml | 2 +-
 .../templates/deployment.yaml | 12 +-
 .../policy-reporter-ui/templates/ingress.yaml | 12 +-
 .../policy-reporter-ui/templates/service.yaml | 12 +-
 .../charts/policy-reporter-ui/values.yaml | 11 ++
 charts/policy-reporter/config.yaml | 21 +++
 .../policy-reporter/templates/deployment.yaml | 15 +-
 charts/policy-reporter/templates/service.yaml | 12 +-
 .../templates/targetssecret.yaml | 25 +--
 charts/policy-reporter/values.yaml | 85 +++++-----
 12 files changed, 231 insertions(+), 132 deletions(-)
 create mode 100644 charts/policy-reporter/config.yaml
diff --git a/.gitignore b/.gitignore
index e03b1cfc..6d1acca6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
 .deploy
-config.yaml
+/config.yaml
 build
\ No newline at end of file
diff --git a/README.md b/README.md
index 536dda16..c86847f8 100644
--- a/README.md
+++ b/README.md
@@ -42,18 +42,19 @@ helm install policy-reporter policy-reporter/policy-reporter -n policy-reporter
 ### Installation with Loki
 ```bash
-helm install policy-reporter policy-reporter/policy-reporter --set loki.host=http://loki:3100 -n policy-reporter --create-namespace
+helm install policy-reporter policy-reporter/policy-reporter --set target.loki.host=http://loki:3100 -n policy-reporter --create-namespace
 ```
 #### Additional configurations for Loki
-* Configure `loki.minimumPriority` to send only results with the configured minimumPriority or above, empty means all results. (info < warning < error)
-* Configure `loki.skipExistingOnStartup` to skip all results who already existed before the PolicyReporter started (default: `true`).
+* Configure `target.loki.minimumPriority` to send only results with the configured minimumPriority or above, empty means all results. (info < warning < error)
+* Configure `target.loki.skipExistingOnStartup` to skip all results who already existed before the PolicyReporter started (default: `true`).
 ```yaml
-loki:
- host: ""
- minimumPriority: ""
- skipExistingOnStartup: true
+target:
+ loki:
+ host: ""
+ minimumPriority: ""
+ skipExistingOnStartup: true
 ```
 #### Example
@@ -63,23 +64,24 @@ loki:
 ### Installation with Elasticsearch
 ```bash
-helm install policy-reporter policy-reporter/policy-reporter --set elasticsearch.host=http://elasticsearch:3100 -n policy-reporter --create-namespace
+helm install policy-reporter policy-reporter/policy-reporter --set target.elasticsearch.host=http://elasticsearch:3100 -n policy-reporter --create-namespace
 ```
 #### Additional configurations for Elasticsearch
-* Configure `elasticsearch.index` to customize the elasticsearch index.
-* Configure `elasticsearch.rotation` is added as suffix to the index. Possible values are `daily`, `monthly`, `annually` and `none`.
-* Configure `elasticsearch.minimumPriority` to send only results with the configured minimumPriority or above, empty means all results. (info < warning < error)
-* Configure `elasticsearch.skipExistingOnStartup` to skip all results who already existed before the PolicyReporter started (default: `true`).
+* Configure `target.elasticsearch.index` to customize the elasticsearch index.
+* Configure `target.elasticsearch.rotation` is added as suffix to the index. Possible values are `daily`, `monthly`, `annually` and `none`.
+* Configure `target.elasticsearch.minimumPriority` to send only results with the configured minimumPriority or above, empty means all results. (info < warning < error)
+* Configure `target.elasticsearch.skipExistingOnStartup` to skip all results who already existed before the PolicyReporter started (default: `true`).
 ```yaml
-elasticsearch:
- host: ""
- index: "policy-reporter"
- rotation: "daily"
- minimumPriority: ""
- skipExistingOnStartup: true
+target:
+ elasticsearch:
+ host: ""
+ index: "policy-reporter"
+ rotation: "daily"
+ minimumPriority: ""
+ skipExistingOnStartup: true
 ```
 #### Example
@@ -89,19 +91,20 @@ elasticsearch:
 ### Installation with Slack
 ```bash
-helm install policy-reporter policy-reporter/policy-reporter --set slack.webhook=http://hook.slack -n policy-reporter --create-namespace
+helm install policy-reporter policy-reporter/policy-reporter --set target.slack.webhook=http://hook.slack -n policy-reporter --create-namespace
 ```
 #### Additional configurations for Slack
-* Configure `slack.minimumPriority` to send only results with the configured minimumPriority or above, empty means all results. (info < warning < error)
-* Configure `slack.skipExistingOnStartup` to skip all results who already existed before the PolicyReporter started (default: `true`).
+* Configure `target.slack.minimumPriority` to send only results with the configured minimumPriority or above, empty means all results. (info < warning < error)
+* Configure `target.slack.skipExistingOnStartup` to skip all results who already existed before the PolicyReporter started (default: `true`).
 ```yaml
-slack:
- webhook: ""
- minimumPriority: ""
- skipExistingOnStartup: true
+target:
+ slack:
+ webhook: ""
+ minimumPriority: ""
+ skipExistingOnStartup: true
 ```
 #### Example
@@ -111,19 +114,20 @@ slack:
 ### Installation with Discord
 ```bash
-helm install policy-reporter policy-reporter/policy-reporter --set discord.webhook=http://hook.discord -n policy-reporter --create-namespace
+helm install policy-reporter policy-reporter/policy-reporter --set target.discord.webhook=http://hook.discord -n policy-reporter --create-namespace
 ```
 #### Additional configurations for Discord
-* Configure `discord.minimumPriority` to send only results with the configured minimumPriority or above, empty means all results. (info < warning < error)
-* Configure `discord.skipExistingOnStartup` to skip all results who already existed before the PolicyReporter started (default: `true`).
+* Configure `target.discord.minimumPriority` to send only results with the configured minimumPriority or above, empty means all results. (info < warning < error)
+* Configure `target.discord.skipExistingOnStartup` to skip all results who already existed before the PolicyReporter started (default: `true`).
 ```yaml
-discord:
- webhook: ""
- minimumPriority: ""
- skipExistingOnStartup: true
+target:
+ discord:
+ webhook: ""
+ minimumPriority: ""
+ skipExistingOnStartup: true
 ```
 #### Example
@@ -136,11 +140,17 @@ You can combine multiple targets by setting the required `host` or `webhook` con
 ## Configure Policy Priorities
-By default kyverno PolicyReports has no priority or severity for policies. So every passed rule validation will be processed as notice, a failed validation is processed as error. To customize this you can configure a mapping from policies to fail priorities. So you can send them as debug, info or warnings instead of errors. To configure the priorities create a ConfigMap in the `policy-reporter` namespace with the name `policy-reporter-priorities`. Configure each priority as value with the __Policyname__ as key and the __Priority__ as value. This Configuration is loaded and synchronized during runtime. Any change to this configmap will automaticly synchronized, no new deployment needed.
+By default kyverno PolicyReports has no priority or severity for policies. So every passed rule validation will be processed as notice, a failed validation is processed as error. To customize this you can configure a mapping from policies to fail priorities. So you can send them as debug, info or warnings instead of errors. To configure the priorities enale the required `Role` and `RoleBinding` by setting `policyPriorities.enabled` to `true` and create a ConfigMap in the `policy-reporter` namespace with the name `policy-reporter-priorities`. Configure each priority as value with the __Policyname__ as key and the __Priority__ as value. This Configuration is loaded and synchronized during runtime. Any change to this configmap will automaticly synchronized, no new deployment needed.
-A special Policyname `default` is supported. The `default` configuration can be used to set a global default priority instead of `error`.
+A special Policyname `default` is supported. The `default` configuration can be used to set a global default priority instead of `error`.
+
+### Enable the required Role and RoleBinding
-###
+```bash
+helm install policy-reporter policy-reporter/policy-reporter --set policyPriorities.enabled=true -n policy-reporter --create-namespace
+```
+
+### Create the ConfigMap
 ```bash
 kubectl create configmap policy-reporter-priorities --from-literal check-label-app=warning --from-literal require-ns-labels=warning -n policy-reporter
 ```
@@ -176,7 +186,7 @@ The Monitoring Subchart offers several values for changing the height or disabli
 To change a value of this subchart you have to prefix each option with `monitoring.`
-Example
+#### Example
 ```bash
 helm install policy-reporter policy-reporter/policy-reporter --set monitoring.enabled=true --set monitoring.policyReportDetails.secondStatusRow.enabled=false -n policy-reporter --create-namespace
@@ -267,6 +277,78 @@ The UI is an optional application and provides three different views with inform
 ![ClusterPolicyReports](https://github.com/fjogeleit/policy-reporter-ui/blob/main/docs/images/cluster-policy-report.png?raw=true)
+
+## Example Helm values.yaml
+
+Example Helm `values.yaml` with the integrated Policy Reporter UI, Loki as target and customized Grafana Dashboards enabled.
+
+```yaml
+ui:
+ enabled: true
+
+policyPriorities:
+ enabled: true
+
+target:
+ loki:
+ host: "http://loki.loki-stack.svc.cluster.local:3100"
+ minimumPriority: "warning"
+ skipExistingOnStartup: true
+
+monitoring:
+ enabled: true
+
+ policyReportDetails:
+ firstStatusRow:
+ height: 6
+ secondStatusRow:
+ enabled: false
+ height: 2
+ statusTimeline:
+ enabled: true
+ height: 8
+ passTable:
+ enabled: true
+ height: 8
+ failTable:
+ enabled: true
+ height: 8
+ warningTable:
+ enabled: false
+ height: 4
+ errorTable:
+ enabled: false
+ height: 4
+
+ clusterPolicyReportDetails:
+ statusRow:
+ height: 6
+ statusTimeline:
+ enabled: true
+ height: 8
+ passTable:
+ enabled: true
+ height: 8
+ failTable:
+ enabled: true
+ height: 8
+ warningTable:
+ enabled: false
+ height: 4
+ errorTable:
+ enabled: false
+ height: 4
+
+ policyReportOverview:
+ failingSummaryRow:
+ height: 8
+ failingTimeline:
+ height: 10
+ failingPolicyRuleTable:
+ height: 10
+ failingClusterPolicyRuleTable:
+ height: 10
+```
+
 # Todos
 * ~~Support for ClusterPolicyReports~~
 * ~~Additional Targets~~
diff --git a/charts/policy-reporter/Chart.yaml b/charts/policy-reporter/Chart.yaml
index 0d373b67..a5baedaf 100644
--- a/charts/policy-reporter/Chart.yaml
+++ b/charts/policy-reporter/Chart.yaml
@@ -5,7 +5,7 @@ description: |
 It creates Prometheus Metrics and can send rule validation events to different targets like Loki, Elasticsearch, Slack or Discord
 type: application
-version: 0.17.1
+version: 0.18.0
 appVersion: 0.12.0
 dependencies:
diff --git a/charts/policy-reporter/charts/policy-reporter-ui/templates/deployment.yaml b/charts/policy-reporter/charts/policy-reporter-ui/templates/deployment.yaml
index d5fc48e2..33a1c36c 100644
--- a/charts/policy-reporter/charts/policy-reporter-ui/templates/deployment.yaml
+++ b/charts/policy-reporter/charts/policy-reporter-ui/templates/deployment.yaml
@@ -17,14 +17,14 @@ spec:
 metadata:
 labels:
 {{- include "ui.selectorLabels" . | nindent 8 }}
-{{- range $key, $value := $.Values.podLabels }}
- {{ $key }}: {{ $value | quote }}
-{{- end }}
+ {{- with .Values.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 {{- if .Values.podAnnotations }}
 annotations:
-{{- range $key, $value := $.Values.podAnnotations }}
- {{ $key }}: {{ $value | quote }}
-{{- end }}
+ {{- with .Values.podAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 {{- end }}
 spec:
 {{- with .Values.imagePullSecrets }}
diff --git a/charts/policy-reporter/charts/policy-reporter-ui/templates/ingress.yaml b/charts/policy-reporter/charts/policy-reporter-ui/templates/ingress.yaml
index 340fa612..b509b31b 100644
--- a/charts/policy-reporter/charts/policy-reporter-ui/templates/ingress.yaml
+++ b/charts/policy-reporter/charts/policy-reporter-ui/templates/ingress.yaml
@@ -11,13 +11,13 @@ metadata:
 name: {{ include "ui.fullname" . }}
 labels:
 {{- include "ui.selectorLabels" . | nindent 4 }}
-{{- range $key, $value := $.Values.ingress.labels }}
- {{ $key }}: {{ $value | quote }}
-{{- end }}
+ {{- with .Values.ingress.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.ingress.annotations }}
 annotations:
-{{- range $key, $value := $.Values.ingress.annotations }}
- {{ $key }}: {{ $value | quote }}
-{{- end }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 spec:
 {{- if .Values.ingress.tls }}
 tls:
diff --git a/charts/policy-reporter/charts/policy-reporter-ui/templates/service.yaml b/charts/policy-reporter/charts/policy-reporter-ui/templates/service.yaml
index 6e9747bb..f48468f9 100644
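Review bot: Replacing `{{ $key }}: {{ $value | quote }}` with `{{- toYaml . | nindent 8 }}` for `.Values.podLabels` and `.Values.podAnnotations` drops the string coercion the old `range` gave, so a value written in values.yaml as a bare `true` or a number now renders as a YAML boolean or integer; labels and annotations are string maps, so a values file that installed before would now be rejected by the API server. The same pattern is introduced in the ingress.yaml hunk below and in the policy-reporter-ui service.yaml, policy-reporter deployment.yaml and policy-reporter service.yaml hunks. Either keep the coercion with the corrected indentation, e.g. `{{- range $key, $value := .Values.podLabels }}` / `{{ $key }}: {{ $value | quote }}` / `{{- end }}`, or state next to `podLabels`/`podAnnotations` in values.yaml that values must be quoted strings. The enclosing Deployment template starts and ends outside the hunk.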
--- a/charts/policy-reporter/charts/policy-reporter-ui/templates/service.yaml
+++ b/charts/policy-reporter/charts/policy-reporter-ui/templates/service.yaml
@@ -5,13 +5,13 @@ metadata:
 name: {{ include "ui.fullname" . }}
 labels:
 {{- include "ui.labels" . | nindent 4 }}
-{{- range $key, $value := $.Values.service.labels }}
- {{ $key }}: {{ $value | quote }}
-{{- end }}
+ {{- with .Values.service.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.service.annotations }}
 annotations:
-{{- range $key, $value := $.Values.service.annotations }}
- {{ $key }}: {{ $value | quote }}
-{{- end }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 spec:
 type: {{ .Values.service.type }}
 ports:
diff --git a/charts/policy-reporter/charts/policy-reporter-ui/values.yaml b/charts/policy-reporter/charts/policy-reporter-ui/values.yaml
index f9f794a0..c6a388d9 100644
--- a/charts/policy-reporter/charts/policy-reporter-ui/values.yaml
+++ b/charts/policy-reporter/charts/policy-reporter-ui/values.yaml
@@ -76,3 +76,14 @@ ingress:
 # - secretName: chart-example-tls
 # hosts:
 # - chart-example.local
+
+# Node labels for pod assignment
+# ref: https://kubernetes.io/docs/user-guide/node-selection/
+nodeSelector: {}
+
+# Tolerations for pod assignment
+# ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+tolerations: []
+
+# Anti-affinity to disallow deploying client and master nodes on the same worker node
+affinity: {}
diff --git a/charts/policy-reporter/config.yaml b/charts/policy-reporter/config.yaml
new file mode 100644
index 00000000..e43958ce
--- /dev/null
+++ b/charts/policy-reporter/config.yaml
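Review bot: The comment added above `affinity: {}` in the policy-reporter-ui values.yaml, `# Anti-affinity to disallow deploying client and master nodes on the same worker node`, describes a client/master topology that this chart does not have and reads as copied from another chart; `# Affinity rules for pod assignment` would describe what the key is for. Nothing in this commit shows the policy-reporter-ui deployment template consuming `nodeSelector`, `tolerations` or `affinity`, so unless that template already references them the three new keys are accepted and silently ignored — worth confirming before the values are documented as supported.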
@@ -0,0 +1,21 @@
+loki:
+ host: {{ .Values.target.loki.host | quote }}
+ minimumPriority: {{ .Values.target.loki.minimumPriority | quote }}
+ skipExistingOnStartup: {{ .Values.target.loki.skipExistingOnStartup }}
+
+elasticsearch:
+ host: {{ .Values.target.elasticsearch.host | quote }}
+ index: {{ .Values.target.elasticsearch.index | default "policy-reporter" | quote }}
+ rotation: {{ .Values.target.elasticsearch.rotation | default "dayli" | quote }}
+ minimumPriority: {{ .Values.target.elasticsearch.minimumPriority | quote }}
+ skipExistingOnStartup: {{ .Values.target.elasticsearch.skipExistingOnStartup }}
+
+slack:
+ webhook: {{ .Values.target.slack.webhook | quote }}
+ minimumPriority: {{ .Values.target.slack.minimumPriority | quote }}
+ skipExistingOnStartup: {{ .Values.target.slack.skipExistingOnStartup }}
+
+discord:
+ webhook: {{ .Values.target.discord.webhook | quote }}
+ minimumPriority: {{ .Values.target.discord.minimumPriority | quote }}
+ skipExistingOnStartup: {{ .Values.target.discord.skipExistingOnStartup }}
\ No newline at end of file
diff --git a/charts/policy-reporter/templates/deployment.yaml b/charts/policy-reporter/templates/deployment.yaml
index d5187dbd..b53bb131 100644
--- a/charts/policy-reporter/templates/deployment.yaml
+++ b/charts/policy-reporter/templates/deployment.yaml
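Review bot: In the new `charts/policy-reporter/config.yaml`, `rotation: {{ .Values.target.elasticsearch.rotation | default "dayli" | quote }}` falls back to `"dayli"`, while the README changed in this same commit documents the accepted values as `daily`, `monthly`, `annually` and `none`, and the values.yaml comment in the last hunk (`# possible values: dayli, monthly, annually, none (default: dayli)`) repeats the misspelling. Whether the application accepts `dayli` cannot be told from this page, but the three places should agree; `default "daily"` would match the README. Since this file sits at the chart root and is pulled in through `.Files.Get` and `tpl` by templates/targetssecret.yaml, a one-line header such as `# Rendered into the targets Secret by templates/targetssecret.yaml via tpl; not a Kubernetes manifest.` would keep it from being mistaken for a template that belongs under templates/.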
@@ -21,14 +21,15 @@ spec:
 metadata:
 labels:
 {{- include "policyreporter.selectorLabels" . | nindent 8 }}
-{{- range $key, $value := $.Values.podLabels }}
- {{ $key }}: {{ $value | quote }}
-{{- end }}
+ {{- with .Values.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 annotations:
- checksum/secret: {{ include (print $.Template.BasePath "/targetssecret.yaml") . | sha256sum | quote }}
-{{- range $key, $value := $.Values.podAnnotations }}
- {{ $key }}: {{ $value | quote }}
-{{- end }}
+ checksum/secret: {{ include (print .Template.BasePath "/targetssecret.yaml") . | sha256sum | quote }}
+ policy-priorities/enabled: {{ .Values.policyPriorities.enabled | quote }}
+ {{- with .Values.podAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 spec:
 {{- with .Values.imagePullSecrets }}
 imagePullSecrets:
diff --git a/charts/policy-reporter/templates/service.yaml b/charts/policy-reporter/templates/service.yaml
index 7e3e8eb0..0b25ee9d 100644
--- a/charts/policy-reporter/templates/service.yaml
+++ b/charts/policy-reporter/templates/service.yaml
@@ -7,13 +7,13 @@ metadata:
 name: {{ include "policyreporter.fullname" . }}
 labels:
 {{- include "policyreporter.labels" . | nindent 4 }}
-{{- range $key, $value := $.Values.service.labels }}
- {{ $key }}: {{ $value | quote }}
-{{- end }}
+ {{- with .Values.service.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.service.annotations }}
 annotations:
-{{- range $key, $value := $.Values.service.annotations }}
- {{ $key }}: {{ $value | quote }}
-{{- end }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 spec:
 type: {{ .Values.service.type }}
 ports:
diff --git a/charts/policy-reporter/templates/targetssecret.yaml b/charts/policy-reporter/templates/targetssecret.yaml
index fe202e81..ee3b7353 100644
--- a/charts/policy-reporter/templates/targetssecret.yaml
+++ b/charts/policy-reporter/templates/targetssecret.yaml
@@ -5,26 +5,5 @@ metadata:
 labels:
 {{- include "policyreporter.labels" . | nindent 4 }}
 type: Opaque
-stringData:
- config.yaml: |-
- loki:
- host: {{ .Values.loki.host | quote }}
- minimumPriority: {{ .Values.loki.minimumPriority | quote }}
- skipExistingOnStartup: {{ .Values.loki.skipExistingOnStartup }}
-
- elasticsearch:
- host: {{ .Values.elasticsearch.host | quote }}
- index: {{ .Values.elasticsearch.index | default "policy-reporter" | quote }}
- rotation: {{ .Values.elasticsearch.rotation | default "dayli" | quote }}
- minimumPriority: {{ .Values.elasticsearch.minimumPriority | quote }}
- skipExistingOnStartup: {{ .Values.elasticsearch.skipExistingOnStartup }}
-
- slack:
- webhook: {{ .Values.slack.webhook | quote }}
- minimumPriority: {{ .Values.slack.minimumPriority | quote }}
- skipExistingOnStartup: {{ .Values.slack.skipExistingOnStartup }}
-
- discord:
- webhook: {{ .Values.discord.webhook | quote }}
- minimumPriority: {{ .Values.discord.minimumPriority | quote }}
- skipExistingOnStartup: {{ .Values.discord.skipExistingOnStartup }}
+data:
+ config.yaml: {{ tpl (.Files.Get "config.yaml") . | b64enc }}
\ No newline at end of file
diff --git a/charts/policy-reporter/values.yaml b/charts/policy-reporter/values.yaml
index 306ee6bf..67a3979d 100644
--- a/charts/policy-reporter/values.yaml
+++ b/charts/policy-reporter/values.yaml
@@ -5,6 +5,9 @@ image:
 imagePullSecrets: []
+# Deploy not more than one replica
+# Policy Reporter doesn't scale yet.
+# Each pod will report each change.
 replicaCount: 1
 deploymentStrategy: {}
@@ -66,6 +69,10 @@ resources: {}
 # memory: 20Mi
 # cpu: 5m
+# enable policy-report-ui
+ui:
+ enabled: false
+
 monitoring:
 enabled: false
 namespace: cattle-dashboards
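Review bot: `config.yaml: {{ tpl (.Files.Get "config.yaml") . | b64enc }}` has no guard for the file being absent: `.Files.Get` returns an empty string for a missing or `.helmignore`-excluded file, so the chart would still render and install a Secret whose `config.yaml` is empty, and the reporter would come up with no targets configured and nothing in the install output to explain why. Wrapping the read in `required`, e.g. `config.yaml: {{ tpl (required "charts/policy-reporter/config.yaml is missing from the chart" (.Files.Get "config.yaml")) . | b64enc }}`, turns that into a render-time failure. Note for operators that this Secret now carries the Slack and Discord webhook URLs rendered from config.yaml, so read access to it should be restricted like any other credential. The Secret's metadata starts outside the hunk.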
@@ -87,42 +94,44 @@ api:
 policyPriorities:
 enabled: false
-loki:
- # loki host address
- host: ""
- # minimum priority "" < info < warning < error
- minimumPriority: ""
- # Skip already existing PolicyReportResults on startup
- skipExistingOnStartup: true
-
-elasticsearch:
- # elasticsearch host address
- host: ""
- # elasticsearch index (default: policy-reporter)
- index: ""
- # elasticsearch index rotation and index suffix
- # possible values: dayli, monthly, annually, none (default: dayli)
- rotation: ""
- # minimum priority "" < info < warning < error
- minimumPriority: ""
- # Skip already existing PolicyReportResults on startup
- skipExistingOnStartup: true
-
-slack:
- # slack app webhook address
- webhook: ""
- # minimum priority "" < info < warning < error
- minimumPriority: ""
- # Skip already existing PolicyReportResults on startup
- skipExistingOnStartup: true
-
-discord:
- # discord app webhook address
- webhook: ""
- # minimum priority "" < info < warning < error
- minimumPriority: ""
- # Skip already existing PolicyReportResults on startup
- skipExistingOnStartup: true
+# Supported targets for new PolicyReport Results
+target:
+ loki:
+ # loki host address
+ host: ""
+ # minimum priority "" < info < warning < error
+ minimumPriority: ""
+ # Skip already existing PolicyReportResults on startup
+ skipExistingOnStartup: true
+
+ elasticsearch:
+ # elasticsearch host address
+ host: ""
+ # elasticsearch index (default: policy-reporter)
+ index: ""
+ # elasticsearch index rotation and index suffix
+ # possible values: dayli, monthly, annually, none (default: dayli)
+ rotation: ""
+ # minimum priority "" < info < warning < error
+ minimumPriority: ""
+ # Skip already existing PolicyReportResults on startup
+ skipExistingOnStartup: true
+
+ slack:
+ # slack app webhook address
+ webhook: ""
+ # minimum priority "" < info < warning < error
+ minimumPriority: ""
+ # Skip already existing PolicyReportResults on startup
+ skipExistingOnStartup: true
+
+ discord:
+ # discord app webhook address
+ webhook: ""
+ # minimum priority "" < info < warning < error
+ minimumPriority: ""
+ # Skip already existing PolicyReportResults on startup
+ skipExistingOnStartup: true
 # Node labels for pod assignment
 # ref: https://kubernetes.io/docs/user-guide/node-selection/
@@ -134,7 +143,3 @@ tolerations: []
 # Anti-affinity to disallow deploying client and master nodes on the same worker node
 affinity: {}
-
-# enable policy-report-ui
-ui:
- enabled: false