Chart update

Signed-off-by: Frank Jogeleit <frank.jogeleit@lovoo.com>

charts/policy-reporter/Chart.lock

@@ -2,11 +2,5 @@ dependencies:
 - name: monitoring
   repository: ""
   version: 2.8.1
-- name: kyverno-plugin
-  repository: oci://ghcr.io/kyverno/charts/policy-reporter
-  version: 0.0.3
-- name: trivy-plugin
-  repository: oci://ghcr.io/kyverno/charts/policy-reporter
-  version: 0.0.5
-digest: sha256:f8bb48e0c01a7f14a0e3f3c0a0ac52ea5ff9779923a625e17df003ee228b25ff
-generated: "2024-03-09T14:53:18.179185+01:00"
+digest: sha256:73e264c0a498e04aeba2468bb5389cff595ce3e2f8b167c0ce6ef19d420e9ea3
+generated: "2024-03-10T09:33:21.891864+01:00"

charts/policy-reporter/Chart.yaml

@@ -18,12 +18,4 @@ maintainers:
 dependencies:
   - name: monitoring
     condition: monitoring.enabled
-    version: "2.8.1"
-  - name: kyverno-plugin
-    version: "0.0.3"
-    repository: "oci://ghcr.io/kyverno/charts/policy-reporter"
-    condition: kyverno-plugin.enabled
-  - name: trivy-plugin
-    version: "0.0.5"
-    repository: "oci://ghcr.io/kyverno/charts/policy-reporter"
-    condition: trivy-plugin.enabled
+    version: "2.8.1"

charts/policy-reporter/configs/kyverno-plugin.tmpl

@@ -0,0 +1,23 @@
+leaderElection:
+  enabled: {{ or .Values.plugin.kyverno.leaderElection.enabled (gt (int .Values.plugin.kyverno.replicaCount) 1) }}
+  releaseOnCancel: {{ .Values.plugin.kyverno.leaderElection.releaseOnCancel }}
+  leaseDuration: {{ .Values.plugin.kyverno.leaderElection.leaseDuration }}
+  renewDeadline: {{ .Values.plugin.kyverno.leaderElection.renewDeadline }}
+  retryPeriod: {{ .Values.plugin.kyverno.leaderElection.retryPeriod }}
+  lockName: {{ .Values.plugin.kyverno.leaderElection.lockName }}
+
+logging:
+  encoding: {{ .Values.plugin.kyverno.logging.encoding }}
+  logLevel: {{ .Values.plugin.kyverno.logging.logLevel }}
+
+server:
+  logging: {{ .Values.plugin.kyverno.server.logging }}
+  basicAuth:
+    username: {{ .Values.plugin.kyverno.server.basicAuth.username }}
+    password: {{ .Values.plugin.kyverno.server.basicAuth.password }}
+    secretRef: {{ .Values.plugin.kyverno.server.basicAuth.secretRef }}
+
+{{- with .Values.plugin.kyverno.blockReports }}
+blockReports:
+  {{- toYaml . | nindent 4 }}
+{{- end }}

charts/policy-reporter/configs/trivy-plugin.tmpl

@@ -0,0 +1,19 @@
+logging:
+  encoding: {{ .Values.plugin.trivy.logging.encoding }}
+  logLevel: {{ .Values.plugin.trivy.logging.logLevel }}
+
+server:
+  logging: {{ .Values.plugin.trivy.server.logging }}
+  basicAuth:
+    username: {{ .Values.plugin.trivy.server.basicAuth.username }}
+    password: {{ .Values.plugin.trivy.server.basicAuth.password }}
+    secretRef: {{ .Values.plugin.trivy.server.basicAuth.secretRef }}
+
+core:
+  host: {{ printf "http://%s:%d" (include "policyreporter.fullname" .) (.Values.service.port | int) }}
+  skipTLS: {{ .Values.plugin.trivy.policyReporter.skipTLS }}
+  certificate: {{ .Values.plugin.trivy.policyReporter.certificate }}
+  secretRef: {{ .Values.plugin.trivy.policyReporter.secretRef }}
+  basicAuth:
+    username: {{ .Values.global.basicAuth.username }}
+    password: {{ .Values.global.basicAuth.password }}

charts/policy-reporter/templates/cluster-secret.yaml

@@ -13,12 +13,16 @@ metadata:
 type: Opaque
 data:
   host: {{ printf "http://%s:%d" (include "policyreporter.fullname" .) (.Values.service.port | int) | b64enc }}
-  {{- if index .Values "kyverno-plugin" "enabled" }}
-  {{- $host := printf "http://%s-kyverno-plugin:%d/api" .Release.Name ((index .Values "kyverno-plugin" "service" "port") | int) }}
-  plugin.kyverno: {{ (printf "{\"host\":\"%s\", \"name\":\"kyverno\"}" $host) | b64enc }}
+  {{- if .Values.plugin.kyverno.enabled }}
+  {{- $host := printf "http://%s:%d/api" (include "kyverno-plugin.fullname" .) (.Values.plugin.kyverno.service.port | int) }}
+  {{- $username := .Values.plugin.kyverno.server.basicAuth.username }}
+  {{- $password := .Values.plugin.kyverno.server.basicAuth.password }}
+  plugin.kyverno: {{ (printf "{\"host\":\"%s\", \"name\":\"kyverno\", \"username\":\"%s\", \"password\":\"%s\"}" $host $username $password) | b64enc }}
   {{- end }}
-  {{- if index .Values "trivy-plugin" "enabled" }}
-  {{- $host := printf "http://%s-trivy-plugin:%d/api/vulnr" .Release.Name ((index .Values "trivy-plugin" "service" "port") | int) }}
-  plugin.trivy: {{ (printf "{\"host\":\"%s\", \"name\":\"Trivy Vulnerability\"}" $host) | b64enc }}
+  {{- if .Values.plugin.trivy.enabled }}
+  {{- $username := .Values.plugin.trivy.server.basicAuth.username }}
+  {{- $password := .Values.plugin.trivy.server.basicAuth.password }}
+  {{- $host := printf "http://%s:%d/api/vulnr" (include "trivy-plugin.fullname" .) (.Values.plugin.trivy.service.port | int) }}
+  plugin.trivy: {{ (printf "{\"host\":\"%s\", \"name\":\"Trivy Vulnerability\", \"username\":\"%s\", \"password\":\"%s\"}" $host $username $password) | b64enc }}
   {{- end }}
 {{- end }}

charts/policy-reporter/templates/config-email-reports-secret.yaml

@@ -12,5 +12,5 @@ metadata:
     {{- include "policyreporter.labels" . | nindent 4 }}
 type: Opaque
 data:
-  config.yaml: {{ tpl (.Files.Get "config-email-reports.yaml") . | b64enc }}
+  config.yaml: {{ tpl (.Files.Get "configs/email-reports.tmpl") . | b64enc }}
 {{- end }}  

charts/policy-reporter/templates/config-secret.yaml

@@ -12,5 +12,5 @@ metadata:
     {{- include "policyreporter.labels" . | nindent 4 }}
 type: Opaque
 data:
-  config.yaml: {{ tpl (.Files.Get "config.tpl") . | b64enc }}
+  config.yaml: {{ tpl (.Files.Get "configs/core.tmpl") . | b64enc }}
 {{- end }}

charts/policy-reporter/templates/cronjob-summary-report.yaml

@@ -51,7 +51,7 @@ spec:
           {{- end }}
           restartPolicy: {{ .Values.emailReports.summary.restartPolicy }}
           containers:
-            - name: {{ default .Chart.Name .Values.nameOverride }}
+            - name: policy-reporter
               image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
               imagePullPolicy: {{ .Values.image.pullPolicy }}
               {{- if .Values.securityContext }}

charts/policy-reporter/templates/cronjob-violations-report.yaml

@@ -51,7 +51,7 @@ spec:
           {{- end }}
           restartPolicy: {{ .Values.emailReports.violations.restartPolicy }}
           containers:
-            - name: {{ default .Chart.Name .Values.nameOverride }}
+            - name: policy-reporter
               image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
               imagePullPolicy: {{ .Values.image.pullPolicy }}
               {{- if .Values.securityContext }}

charts/policy-reporter/templates/deployment.yaml

@@ -53,7 +53,7 @@ spec:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       {{- end }}
       containers:
-        - name: {{ default .Chart.Name .Values.nameOverride }}
+        - name: policy-reporter
           image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           {{- if .Values.securityContext }}

charts/policy-reporter/templates/plugins/kyverno/_helpers.tpl

@@ -0,0 +1,65 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "kyverno-plugin.name" -}}
+{{ template "policyreporter.name" . }}-kyverno-plugin
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "kyverno-plugin.fullname" -}}
+{{ template "policyreporter.fullname" . }}-kyverno-plugin
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "kyverno-plugin.chart" -}}
+{{ template "policyreporter.chart" . }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "kyverno-plugin.labels" -}}
+helm.sh/chart: {{ include "kyverno-plugin.chart" . }}
+{{ include "kyverno-plugin.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "kyverno-plugin.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "kyverno-plugin.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "kyverno-plugin.serviceAccountName" -}}
+{{- if .Values.plugin.kyverno.serviceAccount.create }}
+{{- default (include "kyverno-plugin.fullname" .) .Values.plugin.kyverno.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.plugin.kyverno.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{- define "kyverno-plugin.podDisruptionBudget" -}}
+{{- if and .Values.plugin.kyverno.podDisruptionBudget.minAvailable .Values.plugin.kyverno.podDisruptionBudget.maxUnavailable }}
+{{- fail "Cannot set both" -}}
+{{- end }}
+{{- if not .Values.plugin.kyverno.podDisruptionBudget.maxUnavailable }}
+minAvailable: {{ default 1 .Values.plugin.kyverno.podDisruptionBudget.minAvailable }}
+{{- end }}
+{{- if .Values.plugin.kyverno.podDisruptionBudget.maxUnavailable }}
+maxUnavailable: {{ .Values.plugin.kyverno.podDisruptionBudget.maxUnavailable }}
+{{- end }}
+{{- end }}

charts/policy-reporter/templates/plugins/kyverno/clusterrole.yaml

@@ -0,0 +1,45 @@
+{{- if .Values.plugin.kyverno.enabled -}}
+{{- if .Values.plugin.kyverno.rbac.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    {{- include "kyverno-plugin.labels" . | nindent 4 }}
+  name: {{ include "kyverno-plugin.fullname" . }}
+rules:
+- apiGroups:
+  - '*'
+  resources:
+  - policies
+  - policies/status
+  - clusterpolicies
+  - clusterpolicies/status
+  verbs:
+  - get
+  - list
+{{- if .Values.plugin.kyverno.blockReports.enabled }}
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - '*'
+  resources:
+  - policyreports
+  - policyreports/status
+  - clusterpolicyreports
+  - clusterpolicyreports/status
+  verbs:
+  - get
+  - list
+  - create
+  - update
+  - delete
+{{- end }}
+{{- end }}
+{{- end }}

charts/policy-reporter/templates/plugins/kyverno/clusterrolebinding.yaml

@@ -0,0 +1,18 @@
+{{- if .Values.plugin.kyverno.enabled -}}
+{{- if and .Values.plugin.kyverno.serviceAccount.create .Values.plugin.kyverno.rbac.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "kyverno-plugin.fullname" . }}
+  labels:
+    {{- include "kyverno-plugin.labels" . | nindent 4 }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "kyverno-plugin.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: "ServiceAccount"
+  name: {{ include "kyverno-plugin.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- end }}

charts/policy-reporter/templates/plugins/kyverno/config-secret.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.plugin.kyverno.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "kyverno-plugin.fullname" . }}-config
+  namespace: {{ include "policyreporter.namespace" . }}
+  labels:
+    {{- include "kyverno-plugin.labels" . | nindent 4 }}
+type: Opaque
+data:
+  config.yaml: {{ tpl (.Files.Get "kyverno-plugin.tmpl") . | b64enc }}
+{{- end }}

charts/policy-reporter/templates/plugins/kyverno/deployment.yaml

@@ -0,0 +1,103 @@
+{{- if .Values.plugin.kyverno.enabled -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "kyverno-plugin.fullname" . }}
+  namespace: {{ include "policyreporter.namespace" . }}
+  labels:
+    {{- include "kyverno-plugin.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.plugin.kyverno.replicaCount }}
+  revisionHistoryLimit: {{ .Values.plugin.kyverno.revisionHistoryLimit }}
+  {{- with .Values.plugin.kyverno.updateStrategy }}
+  strategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "kyverno-plugin.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        checksum/secret: {{ include (print .Template.BasePath "/config-secret.yaml") . | sha256sum | quote }}
+        {{- with .Values.plugin.kyverno.podAnnotations }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      labels:
+        {{- include "kyverno-plugin.labels" . | nindent 8 }}
+	{{- with .Values.plugin.kyverno.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.plugin.kyverno.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "kyverno-plugin.serviceAccountName" . }}
+      {{- if .Values.plugin.kyverno.podSecurityContext }}
+      securityContext:
+        {{- toYaml .Values.plugin.kyverno.podSecurityContext | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: policy-reporter-kyverno-plugin
+          {{- if .Values.plugin.kyverno.securityContext }}
+          securityContext:
+            {{- toYaml .Values.plugin.kyverno.securityContext | nindent 12 }}
+          {{- end }}
+          image: "{{ .Values.plugin.kyverno.image.registry }}/{{ .Values.plugin.kyverno.image.repository }}:{{ .Values.plugin.kyverno.image.tag }}"
+          imagePullPolicy: {{ .Values.plugin.kyverno.image.pullPolicy }}
+          args:
+            - run
+            - --config=/app/config.yaml
+            - --port={{ .Values.plugin.kyverno.server.port }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.plugin.kyverno.server.port }}
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /api/v1/policies
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /api/v1/policies
+              port: http
+          resources:
+            {{- toYaml .Values.plugin.kyverno.resources | nindent 12 }}
+          volumeMounts:
+          - name: config-file
+            mountPath: /app/config.yaml
+            subPath: config.yaml
+            readOnly: true
+          env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          {{- if or .Values.plugin.kyverno.leaderElection.enabled (gt (int .Values.plugin.kyverno.replicaCount) 1) }}
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          {{- end }}
+          {{- with .Values.plugin.kyverno.envVars }}
+          {{- . | toYaml | trim | nindent 10 }}
+          {{- end }}
+      volumes:
+      - name: config-file
+        secret:
+          secretName: {{ include "kyverno-plugin.fullname" . }}-config
+          optional: true
+      {{- with .Values.plugin.kyverno.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.plugin.kyverno.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.plugin.kyverno.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}