Merge branch 'main' into dependabot/github_actions/azure/setup-helm-4
vishal-chdhry authored Sep 18, 2024
2 parents 0beebf0 + 34c1d7c commit e79f1a6
Showing 14 changed files with 466 additions and 49 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/codeql.yaml
Expand Up @@ -38,7 +38,7 @@ jobs:
exit-code: '0'
vuln-type: os,library
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
uses: github/codeql-action/upload-sarif@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7
with:
sarif_file: trivy-results.sarif
category: code
7 changes: 1 addition & 6 deletions .github/workflows/migration-tests.yaml
Expand Up @@ -92,12 +92,7 @@ jobs:
set -e
kubectl create ns reports-server
export HELM=${{ steps.helm.outputs.helm-path }}
make kind-migrate
- name: Install api services
run: |
set -e
export HELM=${{ steps.helm.outputs.helm-path }}
make kind-apply-api-services
make kind-install
- name: Wait for report server ready
run: |
set -e
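Review bot: If the six removed lines are `make kind-migrate` plus the whole `Install api services` step, as the 1 addition / 6 deletions count of this section implies, the surviving step now ends with `make kind-install` and this migration-tests workflow no longer invokes `kind-migrate` at all; confirm that is intended, otherwise keep `make kind-migrate` ahead of `make kind-install` (or make `kind-install` depend on it in the Makefile). The step's `name:` and `run:` lines sit above the hunk, so what the step is still called could not be checked against what it now does.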
4 changes: 3 additions & 1 deletion Makefile
Expand Up @@ -158,6 +158,7 @@ codegen-helm-docs: ## Generate helm docs
codegen-install-manifest: $(HELM) ## Create install manifest
@echo Generate latest install manifest... >&2
@$(HELM) template reports-server --namespace reports-server ./charts/reports-server/ \
--set apiServicesManagement.installApiServices.enabled=true \
--set image.tag=latest \
--set templating.enabled=true \
| $(SED) -e '/^#.*/d' \
Expand All @@ -166,6 +167,7 @@ codegen-install-manifest: $(HELM) ## Create install manifest
codegen-install-manifest-inmemory: $(HELM) ## Create install manifest without postgres
@echo Generate latest install manifest... >&2
@$(HELM) template reports-server --namespace reports-server ./charts/reports-server/ \
--set apiServicesManagement.installApiServices.enabled=true \
--set image.tag=latest \
--set config.debug=true \
--set postgresql.enabled=false \
Expand Down Expand Up @@ -244,7 +246,7 @@ kind-migrate: $(HELM) kind-load ## Build image, load it in kind cluster and depl
--set image.registry=$(KO_REGISTRY) \
--set image.repository=$(PACKAGE) \
--set image.tag=$(GIT_SHA) \
--set apiServices.enabled=false
--set apiServicesManagement.installApiServices.enabled=false

.PHONY: kind-apply-api-services
kind-apply-api-services: $(HELM) kind-load ## Build image, load it in kind cluster and deploy helm chart
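Review bot: `kind-migrate` now turns off only `apiServicesManagement.installApiServices.enabled`, but the post-install hook Job added in this commit is gated on `apiServicesManagement.enabled` (default `true` per the chart README), so unless this target also enables templating the hook still registers both APIServices right after install and the last `--set` line may not have the effect its name suggests; if migrate is meant to come up without API services, pass `--set apiServicesManagement.enabled=false` as well. The `kind-apply-api-services` target at the end of the hunk still carries the help text copied from `kind-migrate` (`## Build image, load it in kind cluster and deploy helm chart`); `## Register the API services for a cluster set up with kind-migrate` would document what distinguishes it, and since the workflow diff in this commit stops calling it, note in the same comment whether it is still meant for local use. The recipe of `kind-apply-api-services` continues outside the hunk.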
20 changes: 18 additions & 2 deletions charts/reports-server/README.md
Expand Up @@ -25,8 +25,6 @@ helm install reports-server --namespace reports-server --create-namespace report
| postgresql.enabled | bool | `true` | Deploy postgresql dependency chart |
| postgresql.auth.postgresPassword | string | `"reports"` | |
| postgresql.auth.database | string | `"reportsdb"` | |
| apiServices.enabled | bool | `true` | Store reports in reports-server |
| apiServices.installEphemeralReportsService | bool | `true` | Store ephemeral reports in reports-server |
| nameOverride | string | `""` | Name override |
| fullnameOverride | string | `""` | Full name override |
| replicaCount | int | `1` | Number of pod replicas |
Expand Down Expand Up @@ -79,6 +77,24 @@ helm install reports-server --namespace reports-server --create-namespace report
| config.db.sslrootcert | string | `""` | Database SSL root cert |
| config.db.sslkey | string | `""` | Database SSL key |
| config.db.sslcert | string | `""` | Database SSL cert |
| apiServicesManagement.enabled | bool | `true` | Create a helm hooks to install and delete api services |
| apiServicesManagement.installApiServices | object | `{"enabled":false,"installEphemeralReportsService":true}` | Install api services in manifest |
| apiServicesManagement.installApiServices.enabled | bool | `false` | Store reports in reports-server |
| apiServicesManagement.installApiServices.installEphemeralReportsService | bool | `true` | Store ephemeral reports in reports-server |
| apiServicesManagement.image.registry | string | `"docker.io"` | Image registry |
| apiServicesManagement.image.repository | string | `"bitnami/kubectl"` | Image repository |
| apiServicesManagement.image.tag | string | `"1.30.2"` | Image tag Defaults to `latest` if omitted |
| apiServicesManagement.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted |
| apiServicesManagement.imagePullSecrets | list | `[]` | Image pull secrets |
| apiServicesManagement.podSecurityContext | object | `{}` | Security context for the pod |
| apiServicesManagement.nodeSelector | object | `{}` | Node labels for pod assignment |
| apiServicesManagement.tolerations | list | `[]` | List of node taints to tolerate |
| apiServicesManagement.podAntiAffinity | object | `{}` | Pod anti affinity constraints. |
| apiServicesManagement.podAffinity | object | `{}` | Pod affinity constraints. |
| apiServicesManagement.podLabels | object | `{}` | Pod labels. |
| apiServicesManagement.podAnnotations | object | `{}` | Pod annotations. |
| apiServicesManagement.nodeAffinity | object | `{}` | Node affinity constraints. |
| apiServicesManagement.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers |

## Source Code

7 changes: 4 additions & 3 deletions charts/reports-server/templates/api-service.yaml
@@ -1,4 +1,4 @@
{{- if .Values.apiServices.enabled }}
{{- if .Values.apiServicesManagement.installApiServices.enabled }}
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
Expand All @@ -20,7 +20,7 @@ spec:
version: v1alpha2
versionPriority: 100

{{- if .Values.apiServices.installEphemeralReportsService }}
{{- if .Values.apiServicesManagement.installApiServices.installEphemeralReportsService }}
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
Expand All @@ -42,4 +42,5 @@ spec:
version: v1
versionPriority: 100
{{- end }}
{{- end }}
{{- end }}
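Review bot: The rename from `apiServices.enabled` / `apiServices.installEphemeralReportsService` to the `apiServicesManagement.installApiServices.*` keys has no compatibility path: a values file that still sets the old keys renders without any error and silently stops emitting these APIService objects. Since the README diff in this commit also drops the old rows without a migration note, add a loud guard at the top of this template, `{{- if hasKey .Values "apiServices" }}{{ fail "apiServices.* moved to apiServicesManagement.installApiServices.*" }}{{- end }}`, or keep the old keys as a documented fallback for one release. Two stretches of this file are collapsed on the page, so the third `{{- end }}` at the bottom could not be matched to its `if` from here.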
20 changes: 20 additions & 0 deletions charts/reports-server/templates/cluster-roles.yaml
Expand Up @@ -22,6 +22,26 @@ rules:
- update
- watch
- deletecollection
{{- if .Values.apiServicesManagement.enabled }}
- apiGroups:
- apiregistration.k8s.io
resources:
- apiservices
verbs:
- create
- apiGroups:
- apiregistration.k8s.io
resources:
- apiservices
verbs:
- get
- delete
- update
- patch
resourceNames:
- v1.reports.kyverno.io
- v1alpha2.wgpolicyk8s.io
{{- end }}
- apiGroups:
- wgpolicyk8s.io
resources:
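Review bot: The new apiregistration rules are appended to the ClusterRole bound to the chart's single ServiceAccount, which the hook Jobs share with the long-running server (`serviceAccount: {{ include "reports-server.serviceAccountName" . }}` in both hook templates), so the server pod permanently holds `create` on every APIService in the cluster — a verb `resourceNames` cannot narrow — although it is only needed during the two hook runs. A dedicated hook ServiceAccount, created under the same `apiServicesManagement.enabled` guard and referenced from the two Jobs, would keep this privilege off the server; the `pods` get/list Role added in `charts/reports-server/templates/roles.yaml` exists only for the hooks' `kubectl wait` and would move with it. The `resourceNames` restriction on the get/delete/update/patch rule is the right shape and should stay. The enclosing `rules:` list starts and ends outside the hunk.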
128 changes: 128 additions & 0 deletions charts/reports-server/templates/hooks/post-install-api-services.yaml
@@ -0,0 +1,128 @@
{{- if .Values.apiServicesManagement.enabled -}}
{{- if not .Values.templating.enabled -}}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "reports-server.fullname" . }}-post-install-install-api-services
namespace: {{ $.Release.Namespace }}
labels:
{{- include "reports-server.labels" . | nindent 4 }}
annotations:
helm.sh/hook: post-install
helm.sh/hook-weight: "100"
spec:
backoffLimit: 2
template:
metadata:
{{- with .Values.apiServicesManagement.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.apiServicesManagement.podLabels }}
labels:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
serviceAccount: {{ include "reports-server.serviceAccountName" . }}
{{- with .Values.apiServicesManagement.podSecurityContext }}
securityContext:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
restartPolicy: Never
{{- with .Values.apiServicesManagement.imagePullSecrets | default .Values.imagePullSecrets }}
imagePullSecrets:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
containers:
- name: kubectl
image: "{{ .Values.apiServicesManagement.image.registry }}/{{ .Values.apiServicesManagement.image.repository }}:{{ .Values.apiServicesManagement.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.apiServicesManagement.image.pullPolicy }}
command:
- /bin/bash
- '-c'
- |-
set -euo pipefail
kubectl wait -n {{ $.Release.Namespace }} pod --for=condition=ready -l app.kubernetes.io/name={{ include "reports-server.fullname" . }} --timeout=120s
kubectl apply -f - <<EOF
{
"apiVersion": "apiregistration.k8s.io/v1",
"kind": "APIService",
"metadata": {
"name": "v1alpha2.wgpolicyk8s.io",
"namespace": {{ $.Release.Namespace | quote }},
"labels": {
"kube-aggregator.kubernetes.io/automanaged": "false"
},
"annotations": {
"helm.sh/hook": "post-install"
}
},
"spec": {
"group": "wgpolicyk8s.io",
"groupPriorityMinimum": 100,
"insecureSkipTLSVerify": true,
"service": {
"name": {{ include "reports-server.fullname" . | quote }},
"namespace": {{ $.Release.Namespace | quote }}
},
"version": "v1alpha2",
"versionPriority": 100
}
}
EOF
kubectl apply -f - <<EOF
{
"apiVersion": "apiregistration.k8s.io/v1",
"kind": "APIService",
"metadata": {
"name": "v1.reports.kyverno.io",
"namespace": {{ $.Release.Namespace | quote }},
"labels": {
"kube-aggregator.kubernetes.io/automanaged": "false"
},
"annotations": {
"helm.sh/hook": "post-install"
}
},
"spec": {
"group": "reports.kyverno.io",
"groupPriorityMinimum": 100,
"insecureSkipTLSVerify": true,
"service": {
"name": {{ include "reports-server.fullname" . | quote }},
"namespace": {{ $.Release.Namespace | quote }}
},
"version": "v1",
"versionPriority": 100
}
}
EOF
{{- with .Values.apiServicesManagement.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.apiServicesManagement.tolerations | default .Values.tolerations}}
tolerations:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.apiServicesManagement.nodeSelector | default .Values.nodeSelector }}
nodeSelector:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- if or .Values.apiServicesManagement.podAntiAffinity .Values.apiServicesManagement.podAffinity .Values.apiServicesManagement.nodeAffinity }}
affinity:
{{- with .Values.apiServicesManagement.podAntiAffinity }}
podAntiAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- with .Values.apiServicesManagement.podAffinity }}
podAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- with .Values.apiServicesManagement.nodeAffinity }}
nodeAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- end }}
{{- end -}}
{{- end -}}
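Review bot: Both APIService objects applied from the heredocs hard-code `"insecureSkipTLSVerify": true`, so the aggregation layer never verifies the reports-server certificate and the chart offers no way to supply a `caBundle` instead; expose it as a value (for example `apiServicesManagement.installApiServices.insecureSkipTLSVerify`, a constructed name) defaulting to the current behaviour so hardened clusters can opt out. The `kubectl wait` selector uses `app.kubernetes.io/name={{ include "reports-server.fullname" . }}`, whereas that label conventionally carries the chart name rather than the release-qualified fullname; if the `reports-server.labels` helper sets it that way, the wait times out and the Job fails — worth confirming. `imagePullPolicy: {{ .Values.apiServicesManagement.image.pullPolicy }}` renders an empty value when the key is nil although the README row says it falls back to `image.pullPolicy`, so `imagePullPolicy: {{ .Values.apiServicesManagement.image.pullPolicy | default .Values.image.pullPolicy }}` would match the fallback already used for `imagePullSecrets` above, and the `| default .Chart.AppVersion` tag fallback disagrees with the README's "Defaults to `latest`" (AppVersion is a reports-server version, not a kubectl one). The `helm.sh/hook` annotation and the `namespace` field inside the JSON have no effect on cluster-scoped objects created by kubectl and can be dropped.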
@@ -0,0 +1,76 @@
{{- if .Values.apiServicesManagement.enabled -}}
{{- if not .Values.templating.enabled -}}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "reports-server.fullname" . }}-pre-delete-api-services-cleanup
namespace: {{ $.Release.Namespace }}
labels:
{{- include "reports-server.labels" . | nindent 4 }}
annotations:
helm.sh/hook: pre-delete
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
helm.sh/hook-weight: "100"
spec:
backoffLimit: 2
template:
metadata:
{{- with .Values.apiServicesManagement.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.apiServicesManagement.podLabels }}
labels:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
serviceAccount: {{ include "reports-server.serviceAccountName" . }}
{{- with .Values.apiServicesManagement.podSecurityContext }}
securityContext:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
restartPolicy: Never
{{- with .Values.apiServicesManagement.imagePullSecrets | default .Values.imagePullSecrets }}
imagePullSecrets:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
containers:
- name: kubectl
image: "{{ .Values.apiServicesManagement.image.registry }}/{{ .Values.apiServicesManagement.image.repository }}:{{ .Values.apiServicesManagement.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.apiServicesManagement.image.pullPolicy }}
command:
- /bin/bash
- '-c'
- |-
set -euo pipefail
kubectl wait -n {{ $.Release.Namespace }} pod --for=condition=ready -l app.kubernetes.io/name={{ include "reports-server.fullname" . }} --timeout=120s
kubectl delete apiservice v1alpha2.wgpolicyk8s.io v1.reports.kyverno.io --ignore-not-found=true
{{- with .Values.apiServicesManagement.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.apiServicesManagement.tolerations | default .Values.tolerations}}
tolerations:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.apiServicesManagement.nodeSelector | default .Values.nodeSelector }}
nodeSelector:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- if or .Values.apiServicesManagement.podAntiAffinity .Values.apiServicesManagement.podAffinity .Values.apiServicesManagement.nodeAffinity }}
affinity:
{{- with .Values.apiServicesManagement.podAntiAffinity }}
podAntiAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- with .Values.apiServicesManagement.podAffinity }}
podAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- with .Values.apiServicesManagement.nodeAffinity }}
nodeAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- end }}
{{- end -}}
{{- end -}}
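Review bot: The `kubectl wait ... --timeout=120s` line runs before `kubectl delete apiservice` under `set -euo pipefail`, so uninstalling a release whose pods are already gone or not ready makes the Job fail after the timeout and the two APIServices are never removed, leaving registrations that point at a deleted Service and degrade API discovery for the whole cluster until cleaned up by hand. Nothing in the delete depends on the pods being ready; drop the wait line so the script is just `kubectl delete apiservice v1alpha2.wgpolicyk8s.io v1.reports.kyverno.io --ignore-not-found=true`. The `hook-failed` entry in `helm.sh/hook-delete-policy` also removes a failed Job, so this failure mode leaves no pod logs behind; consider omitting `hook-failed` so a failed cleanup stays visible. The file header for this section is missing from the page, so the template's path could not be confirmed.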
32 changes: 32 additions & 0 deletions charts/reports-server/templates/roles.yaml
Expand Up @@ -13,3 +13,35 @@ subjects:
- kind: ServiceAccount
name: {{ include "reports-server.serviceAccountName" $ }}
namespace: {{ $.Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "reports-server.fullname" . }}
namespace: {{ $.Release.Namespace }}
labels:
{{- include "reports-server.labels" . | nindent 4 }}
rules:
- apiGroups:
- ''
resources:
- pods
verbs:
- get
- list
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "reports-server.fullname" . }}
namespace: {{ $.Release.Namespace }}
labels:
{{- include "reports-server.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "reports-server.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "reports-server.serviceAccountName" $ }}
namespace: {{ $.Release.Namespace }}