kyverno · vishal-chdhry · Sep 18, 2024 · Sep 17, 2024 · Sep 17, 2024 · Sep 17, 2024
diff --git a/.github/workflows/migration-tests.yaml b/.github/workflows/migration-tests.yaml
@@ -92,12 +92,7 @@ jobs:
           set -e
           kubectl create ns reports-server
           export HELM=${{ steps.helm.outputs.helm-path }}
-          make kind-migrate
-      - name: Install api services
-        run: |
-          set -e
-          export HELM=${{ steps.helm.outputs.helm-path }}
-          make kind-apply-api-services
+          make kind-install
       - name: Wait for report server ready
         run: |
           set -e

diff --git a/Makefile b/Makefile
@@ -158,6 +158,7 @@ codegen-helm-docs: ## Generate helm docs
 codegen-install-manifest: $(HELM) ## Create install manifest
 	@echo Generate latest install manifest... >&2
 	@$(HELM) template reports-server --namespace reports-server ./charts/reports-server/ \
+		--set apiServicesManagement.installApiServices.enabled=true \
 		--set image.tag=latest \
 		--set templating.enabled=true \
  		| $(SED) -e '/^#.*/d' \
@@ -166,6 +167,7 @@ codegen-install-manifest: $(HELM) ## Create install manifest
 codegen-install-manifest-inmemory: $(HELM) ## Create install manifest without postgres
 	@echo Generate latest install manifest... >&2
 	@$(HELM) template reports-server --namespace reports-server ./charts/reports-server/ \
+		--set apiServicesManagement.installApiServices.enabled=true \
 		--set image.tag=latest \
 		--set config.debug=true \
 		--set postgresql.enabled=false \
@@ -244,7 +246,7 @@ kind-migrate: $(HELM) kind-load ## Build image, load it in kind cluster and depl
 		--set image.registry=$(KO_REGISTRY) \
 		--set image.repository=$(PACKAGE) \
 		--set image.tag=$(GIT_SHA) \
-		--set apiServices.enabled=false
+		--set apiServicesManagement.installApiServices.enabled=false
 
 .PHONY: kind-apply-api-services
 kind-apply-api-services: $(HELM) kind-load ## Build image, load it in kind cluster and deploy helm chart

diff --git a/charts/reports-server/README.md b/charts/reports-server/README.md
@@ -25,8 +25,6 @@ helm install reports-server --namespace reports-server --create-namespace report
 | postgresql.enabled | bool | `true` | Deploy postgresql dependency chart |
 | postgresql.auth.postgresPassword | string | `"reports"` |  |
 | postgresql.auth.database | string | `"reportsdb"` |  |
-| apiServices.enabled | bool | `true` | Store reports in reports-server |
-| apiServices.installEphemeralReportsService | bool | `true` | Store ephemeral reports in reports-server |
 | nameOverride | string | `""` | Name override |
 | fullnameOverride | string | `""` | Full name override |
 | replicaCount | int | `1` | Number of pod replicas |
@@ -79,6 +77,24 @@ helm install reports-server --namespace reports-server --create-namespace report
 | config.db.sslrootcert | string | `""` | Database SSL root cert |
 | config.db.sslkey | string | `""` | Database SSL key |
 | config.db.sslcert | string | `""` | Database SSL cert |
+| apiServicesManagement.enabled | bool | `true` | Create a helm hooks to install and delete api services |
+| apiServicesManagement.installApiServices | object | `{"enabled":false,"installEphemeralReportsService":true}` | Install api services in manifest |
+| apiServicesManagement.installApiServices.enabled | bool | `false` | Store reports in reports-server |
+| apiServicesManagement.installApiServices.installEphemeralReportsService | bool | `true` | Store ephemeral reports in reports-server |
+| apiServicesManagement.image.registry | string | `"docker.io"` | Image registry |
+| apiServicesManagement.image.repository | string | `"bitnami/kubectl"` | Image repository |
+| apiServicesManagement.image.tag | string | `"1.30.2"` | Image tag Defaults to `latest` if omitted |
+| apiServicesManagement.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted |
+| apiServicesManagement.imagePullSecrets | list | `[]` | Image pull secrets |
+| apiServicesManagement.podSecurityContext | object | `{}` | Security context for the pod |
+| apiServicesManagement.nodeSelector | object | `{}` | Node labels for pod assignment |
+| apiServicesManagement.tolerations | list | `[]` | List of node taints to tolerate |
+| apiServicesManagement.podAntiAffinity | object | `{}` | Pod anti affinity constraints. |
+| apiServicesManagement.podAffinity | object | `{}` | Pod affinity constraints. |
+| apiServicesManagement.podLabels | object | `{}` | Pod labels. |
+| apiServicesManagement.podAnnotations | object | `{}` | Pod annotations. |
+| apiServicesManagement.nodeAffinity | object | `{}` | Node affinity constraints. |
+| apiServicesManagement.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers |
 
 ## Source Code
 

diff --git a/charts/reports-server/templates/api-service.yaml b/charts/reports-server/templates/api-service.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.apiServices.enabled }}
+{{- if .Values.apiServicesManagement.installApiServices.enabled }}
 ---
 apiVersion: apiregistration.k8s.io/v1
 kind: APIService
@@ -20,7 +20,7 @@ spec:
   version: v1alpha2
   versionPriority: 100
 
-{{- if .Values.apiServices.installEphemeralReportsService }}
+{{- if .Values.apiServicesManagement.installApiServices.installEphemeralReportsService }}
 ---
 apiVersion: apiregistration.k8s.io/v1
 kind: APIService
@@ -42,4 +42,5 @@ spec:
   version: v1
   versionPriority: 100
 {{- end }}
-{{- end }}
+{{- end }}
+
diff --git a/charts/reports-server/templates/cluster-roles.yaml b/charts/reports-server/templates/cluster-roles.yaml
@@ -22,6 +22,26 @@ rules:
     - update
     - watch
     - deletecollection
+{{- if .Values.apiServicesManagement.enabled }}
+- apiGroups:
+    - apiregistration.k8s.io
+  resources:
+    - apiservices
+  verbs:
+    - create
+- apiGroups:
+    - apiregistration.k8s.io
+  resources:
+    - apiservices
+  verbs:
+    - get
+    - delete
+    - update
+    - patch
+  resourceNames:
+    - v1.reports.kyverno.io
+    - v1alpha2.wgpolicyk8s.io
+{{- end }}
 - apiGroups:
     - wgpolicyk8s.io
   resources:

diff --git a/charts/reports-server/templates/hooks/post-install-api-services.yaml b/charts/reports-server/templates/hooks/post-install-api-services.yaml
@@ -0,0 +1,128 @@
+{{- if .Values.apiServicesManagement.enabled -}}
+{{- if not .Values.templating.enabled -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "reports-server.fullname" . }}-post-install-install-api-services
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    {{- include "reports-server.labels" . | nindent 4 }}
+  annotations:
+    helm.sh/hook: post-install
+    helm.sh/hook-weight: "100"
+spec:
+  backoffLimit: 2
+  template:
+    metadata:
+      {{- with .Values.apiServicesManagement.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.apiServicesManagement.podLabels }}
+      labels:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      serviceAccount: {{ include "reports-server.serviceAccountName" . }}
+      {{- with .Values.apiServicesManagement.podSecurityContext }}
+      securityContext:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      restartPolicy: Never
+      {{- with .Values.apiServicesManagement.imagePullSecrets | default .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: kubectl
+          image: "{{ .Values.apiServicesManagement.image.registry }}/{{ .Values.apiServicesManagement.image.repository }}:{{ .Values.apiServicesManagement.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.apiServicesManagement.image.pullPolicy }}
+          command:
+            - /bin/bash
+            - '-c'
+            - |-
+              set -euo pipefail
+              kubectl wait -n {{ $.Release.Namespace }} pod --for=condition=ready -l app.kubernetes.io/name={{ include "reports-server.fullname" . }} --timeout=120s
+              kubectl apply -f - <<EOF
+              {
+                "apiVersion": "apiregistration.k8s.io/v1",
+                "kind": "APIService",
+                "metadata": {
+                  "name": "v1alpha2.wgpolicyk8s.io",
+                  "namespace": {{ $.Release.Namespace | quote }},
+                  "labels": {
+                    "kube-aggregator.kubernetes.io/automanaged": "false"
+                  },
+                  "annotations": {
+                    "helm.sh/hook": "post-install"
+                  }
+                },
+                "spec": {
+                  "group": "wgpolicyk8s.io",
+                  "groupPriorityMinimum": 100,
+                  "insecureSkipTLSVerify": true,
+                  "service": {
+                    "name": {{ include "reports-server.fullname" . | quote }},
+                    "namespace": {{ $.Release.Namespace | quote }}
+                  },
+                  "version": "v1alpha2",
+                  "versionPriority": 100
+                }
+              }
+              EOF
+              kubectl apply -f - <<EOF
+              {
+                "apiVersion": "apiregistration.k8s.io/v1",
+                "kind": "APIService",
+                "metadata": {
+                  "name": "v1.reports.kyverno.io",
+                  "namespace": {{ $.Release.Namespace | quote }},
+                  "labels": {
+                    "kube-aggregator.kubernetes.io/automanaged": "false"
+                  },
+                  "annotations": {
+                    "helm.sh/hook": "post-install"
+                  }
+                },
+                "spec": {
+                  "group": "reports.kyverno.io",
+                  "groupPriorityMinimum": 100,
+                  "insecureSkipTLSVerify": true,
+                  "service": {
+                    "name": {{ include "reports-server.fullname" . | quote }},
+                    "namespace": {{ $.Release.Namespace | quote }}
+                  },
+                  "version": "v1",
+                  "versionPriority": 100
+                }
+              }
+              EOF
+          {{- with .Values.apiServicesManagement.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- with .Values.apiServicesManagement.tolerations | default .Values.tolerations}}
+      tolerations:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- with .Values.apiServicesManagement.nodeSelector | default .Values.nodeSelector }}
+      nodeSelector:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- if or .Values.apiServicesManagement.podAntiAffinity .Values.apiServicesManagement.podAffinity .Values.apiServicesManagement.nodeAffinity }}
+      affinity:
+        {{- with .Values.apiServicesManagement.podAntiAffinity }}
+        podAntiAffinity:
+          {{- tpl (toYaml .) $ | nindent 10 }}
+        {{- end }}
+        {{- with .Values.apiServicesManagement.podAffinity }}
+        podAffinity:
+          {{- tpl (toYaml .) $ | nindent 10 }}
+        {{- end }}
+        {{- with .Values.apiServicesManagement.nodeAffinity }}
+        nodeAffinity:
+          {{- tpl (toYaml .) $ | nindent 10 }}
+        {{- end }}
+      {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/reports-server/templates/hooks/pre-delete-api-service-cleanup.yaml b/charts/reports-server/templates/hooks/pre-delete-api-service-cleanup.yaml
@@ -0,0 +1,76 @@
+{{- if .Values.apiServicesManagement.enabled -}}
+{{- if not .Values.templating.enabled -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "reports-server.fullname" . }}-pre-delete-api-services-cleanup
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    {{- include "reports-server.labels" . | nindent 4 }}
+  annotations:
+    helm.sh/hook: pre-delete
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
+    helm.sh/hook-weight: "100"
+spec:
+  backoffLimit: 2
+  template:
+    metadata:
+      {{- with .Values.apiServicesManagement.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.apiServicesManagement.podLabels }}
+      labels:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      serviceAccount: {{ include "reports-server.serviceAccountName" . }}
+      {{- with .Values.apiServicesManagement.podSecurityContext }}
+      securityContext:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      restartPolicy: Never
+      {{- with .Values.apiServicesManagement.imagePullSecrets | default .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: kubectl
+          image: "{{ .Values.apiServicesManagement.image.registry }}/{{ .Values.apiServicesManagement.image.repository }}:{{ .Values.apiServicesManagement.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.apiServicesManagement.image.pullPolicy }}
+          command:
+            - /bin/bash
+            - '-c'
+            - |-
+              set -euo pipefail
+              kubectl wait -n {{ $.Release.Namespace }} pod --for=condition=ready -l app.kubernetes.io/name={{ include "reports-server.fullname" . }} --timeout=120s
+              kubectl delete apiservice v1alpha2.wgpolicyk8s.io v1.reports.kyverno.io --ignore-not-found=true
+          {{- with .Values.apiServicesManagement.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- with .Values.apiServicesManagement.tolerations | default .Values.tolerations}}
+      tolerations:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- with .Values.apiServicesManagement.nodeSelector | default .Values.nodeSelector }}
+      nodeSelector:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- if or .Values.apiServicesManagement.podAntiAffinity .Values.apiServicesManagement.podAffinity .Values.apiServicesManagement.nodeAffinity }}
+      affinity:
+        {{- with .Values.apiServicesManagement.podAntiAffinity }}
+        podAntiAffinity:
+          {{- tpl (toYaml .) $ | nindent 10 }}
+        {{- end }}
+        {{- with .Values.apiServicesManagement.podAffinity }}
+        podAffinity:
+          {{- tpl (toYaml .) $ | nindent 10 }}
+        {{- end }}
+        {{- with .Values.apiServicesManagement.nodeAffinity }}
+        nodeAffinity:
+          {{- tpl (toYaml .) $ | nindent 10 }}
+        {{- end }}
+      {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/reports-server/templates/roles.yaml b/charts/reports-server/templates/roles.yaml
@@ -13,3 +13,35 @@ subjects:
 - kind: ServiceAccount
   name: {{ include "reports-server.serviceAccountName" $ }}
   namespace: {{ $.Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "reports-server.fullname" . }}
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    {{- include "reports-server.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+    - ''
+  resources:
+    - pods
+  verbs:
+    - get
+    - list
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "reports-server.fullname" . }}
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    {{- include "reports-server.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "reports-server.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "reports-server.serviceAccountName" $ }}
+  namespace: {{ $.Release.Namespace }}