feat: add helm chart (#139)

Signed-off-by: Charles-Edouard Brétéché <[email protected]>
kyverno · Oct 25, 2024 · 5a72331 · 5a72331
1 parent 38425f4
commit 5a72331
Show file tree

Hide file tree

Showing 15 changed files with 634 additions and 3 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,3 @@
 .tools/
 website/site/
-kyverno-envoy-plugin
+/kyverno-envoy-plugin
diff --git a/Makefile b/Makefile
@@ -171,7 +171,7 @@ mkdocs-serve: ## Generate and serve mkdocs website
 	@$(PIP) install -U mkdocs-material mkdocs-redirects mkdocs-minify-plugin mkdocs-include-markdown-plugin lunr mkdocs-rss-plugin mike
 	@mkdocs serve -f ./website/mkdocs.yaml
 
-########	
+########
 # KIND #
 ########
 
@@ -196,7 +196,7 @@ kind-load-taged-image: build-ko
 	docker tag $(KO_REGISTRY)/$(PACKAGE):$(GIT_SHA) $(KO_REGISTRY)/$(PACKAGE):latest
 	@$(KIND) load docker-image $(KO_REGISTRY)/$(PACKAGE):latest
 
-#########	
+#########
 # ISTIO #
 #########
 
@@ -207,6 +207,20 @@ install-istio: $(HELM)
 	@$(HELM) upgrade --install istio-base --namespace istio-system --create-namespace --wait --repo https://istio-release.storage.googleapis.com/charts base
 	@$(HELM) upgrade --install istiod --namespace istio-system --create-namespace --wait --repo https://istio-release.storage.googleapis.com/charts istiod
 
+########
+# HELM #
+########
+
+.PHONY: chart-install
+chart-install: ## Install chart
+chart-install: kind-load-image
+chart-install: $(HELM)
+	@echo Install helm chart... >&2
+	@$(HELM) upgrade --install kyverno-envoy-plugin --namespace kyverno --create-namespace --wait ./charts/kyverno-envoy-plugin \
+		--set sidecarInjector.containers.injector.image.registry=ko.local \
+		--set sidecarInjector.containers.injector.image.repository=github.com/kyverno/kyverno-envoy-plugin \
+		--set sidecarInjector.containers.injector.image.tag=$(GIT_SHA)
+
 ########
 # HELP #
 ########

diff --git a/charts/kyverno-envoy-plugin/.helmignore b/charts/kyverno-envoy-plugin/.helmignore
@@ -0,0 +1,3 @@
+.helmignore
+ci/
+README.md.gotmpl
diff --git a/charts/kyverno-envoy-plugin/Chart.yaml b/charts/kyverno-envoy-plugin/Chart.yaml
@@ -0,0 +1,22 @@
+apiVersion: v2
+type: application
+name: kyverno-envoy-plugin
+version: v0.0.0
+appVersion: latest
+icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
+description: Kyverno policies based authorization plugin for Envoy ❤️
+keywords:
+  - kubernetes
+  - kyverno
+  - authz
+  - policy
+  - envoy
+  - istio
+  - security
+home: https://kyverno.github.io/kyverno-envoy-plugin
+sources:
+  - https://github.com/kyverno/kyverno-envoy-plugin
+maintainers:
+  - name: Kyverno
+    url: https://kyverno.io/
+kubeVersion: ">=1.25.0-0"
diff --git a/charts/kyverno-envoy-plugin/templates/NOTES.txt b/charts/kyverno-envoy-plugin/templates/NOTES.txt
@@ -0,0 +1 @@
+Chart version: {{ .Chart.Version }}
diff --git a/charts/kyverno-envoy-plugin/templates/_helpers/_chart.tpl b/charts/kyverno-envoy-plugin/templates/_helpers/_chart.tpl
@@ -0,0 +1,9 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{- define "kyverno.chart.name" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "kyverno.chart.version" -}}
+  {{- .Chart.Version | replace "+" "_" -}}
+{{- end -}}
diff --git a/charts/kyverno-envoy-plugin/templates/_helpers/_labels.tpl b/charts/kyverno-envoy-plugin/templates/_helpers/_labels.tpl
@@ -0,0 +1,43 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{- define "kyverno.labels.merge" -}}
+{{- $labels := dict -}}
+{{- range . -}}
+  {{- $labels = merge $labels (fromYaml .) -}}
+{{- end -}}
+{{- with $labels -}}
+  {{- toYaml $labels -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "kyverno.labels.helm" -}}
+{{- if not .Values.templating.enabled -}}
+helm.sh/chart: {{ template "kyverno.chart.name" . }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+{{- end -}}
+
+{{- define "kyverno.labels.version" -}}
+app.kubernetes.io/version: {{ template "kyverno.chart.version" . }}
+{{- end -}}
+
+{{- define "kyverno.labels.common" -}}
+{{- template "kyverno.labels.merge" (list
+  (include "kyverno.labels.helm" .)
+  (include "kyverno.labels.version" .)
+  (toYaml .Values.customLabels)
+) -}}
+{{- end -}}
+
+{{- define "kyverno.labels.component" -}}
+app.kubernetes.io/component: {{ . }}
+{{- end -}}
+
+{{- define "kyverno.labels.name" -}}
+app.kubernetes.io/name: {{ . }}
+{{- end -}}
+
+{{- define "kyverno.labels.match.common" -}}
+app.kubernetes.io/part-of: {{ template "kyverno.names.fullname" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
diff --git a/charts/kyverno-envoy-plugin/templates/_helpers/_names.tpl b/charts/kyverno-envoy-plugin/templates/_helpers/_names.tpl
@@ -0,0 +1,22 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{- define "kyverno.names.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "kyverno.names.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+  {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+  {{- $name := default .Chart.Name .Values.nameOverride -}}
+  {{- if contains $name .Release.Name -}}
+    {{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+  {{- else -}}
+    {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+  {{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "kyverno.namespace" -}}
+{{ default .Release.Namespace .Values.namespaceOverride }}
+{{- end -}}
diff --git a/charts/kyverno-envoy-plugin/templates/sidecar-injector/_helpers.tpl b/charts/kyverno-envoy-plugin/templates/sidecar-injector/_helpers.tpl
@@ -0,0 +1,43 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{- define "kyverno.sidecar-injector.name" -}}
+{{ template "kyverno.names.name" . }}-sidecar-injector
+{{- end -}}
+
+{{- define "kyverno.sidecar-injector.labels" -}}
+{{- template "kyverno.labels.merge" (list
+  (include "kyverno.labels.common" .)
+  (include "kyverno.sidecar-injector.labels.match" .)
+) -}}
+{{- end -}}
+
+{{- define "kyverno.sidecar-injector.labels.match" -}}
+{{- template "kyverno.labels.merge" (list
+  (include "kyverno.labels.match.common" .)
+  (include "kyverno.labels.component" "sidecar-injector")
+) -}}
+{{- end -}}
+
+{{- define "kyverno.sidecar-injector.role.name" -}}
+{{- include "kyverno.names.fullname" . -}}:sidecar-injector
+{{- end -}}
+
+{{- define "kyverno.sidecar-injector.service-account.name" -}}
+{{- if .Values.sidecarInjector.rbac.create -}}
+    {{- default (include "kyverno.sidecar-injector.name" .) .Values.sidecarInjector.rbac.serviceAccount.name -}}
+{{- else -}}
+    {{- required "A service account name is required when `rbac.create` is set to `false`" .Values.sidecarInjector.rbac.serviceAccount.name -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "kyverno.sidecar-injector.serviceName" -}}
+{{- printf "%s-svc" (include "kyverno.names.fullname" .) | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "kyverno.sidecar-injector.caCertificatesConfigMapName" -}}
+{{- printf "%s-ca-certificates" (include "kyverno.sidecar-injector.name" .) -}}
+{{- end -}}
+
+{{- define "kyverno.sidecar-injector.image" -}}
+{{- printf "%s/%s:%s" .registry .repository (default "latest" .tag) -}}
+{{- end -}}
diff --git a/charts/kyverno-envoy-plugin/templates/sidecar-injector/certificates.yaml b/charts/kyverno-envoy-plugin/templates/sidecar-injector/certificates.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.sidecarInjector.enabled -}}
+{{- if .Values.sidecarInjector.certificates.selfSigned -}}
+{{- $ca := genCA (printf "*.%s.svc" (include "kyverno.namespace" .)) 1024 -}}
+{{- $svcName := (printf "%s.%s.svc" (include "kyverno.sidecar-injector.name" .) (include "kyverno.namespace" .)) -}}
+{{- $cert := genSignedCert $svcName nil (list $svcName) 1024 $ca -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "kyverno.sidecar-injector.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca
+  namespace: {{ template "kyverno.namespace" . }}
+  labels:
+    {{- include "kyverno.sidecar-injector.labels" . | nindent 4 }}
+type: kubernetes.io/tls
+data:
+  tls.key: {{ $ca.Key | b64enc }}
+  tls.crt: {{ $ca.Cert | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "kyverno.sidecar-injector.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair
+  namespace: {{ template "kyverno.namespace" . }}
+  labels:
+    {{- include "kyverno.sidecar-injector.labels" . | nindent 4 }}
+  annotations:
+    self-signed-cert: "true"
+type: kubernetes.io/tls
+data:
+  tls.key: {{ $cert.Key | b64enc }}
+  tls.crt: {{ $cert.Cert | b64enc }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/kyverno-envoy-plugin/templates/sidecar-injector/deployment.yaml b/charts/kyverno-envoy-plugin/templates/sidecar-injector/deployment.yaml
@@ -0,0 +1,111 @@
+{{- if .Values.sidecarInjector.enabled -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "kyverno.sidecar-injector.name" . }}
+  namespace: {{ template "kyverno.namespace" . }}
+  labels:
+    {{- include "kyverno.sidecar-injector.labels" . | nindent 4 }}
+  {{- with .Values.sidecarInjector.deployment.annotations }}
+  annotations:
+    {{- tpl (toYaml .) $ | nindent 4 }}
+  {{- end }}
+spec:
+  replicas: {{ template "kyverno.deployment.replicas" .Values.sidecarInjector.deployment.replicas }}
+  revisionHistoryLimit: {{ .Values.sidecarInjector.deployment.revisionHistoryLimit }}
+  {{- with .Values.sidecarInjector.deployment.updateStrategy }}
+  strategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "kyverno.sidecar-injector.labels.match" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "kyverno.sidecar-injector.labels" . | nindent 8 }}
+        {{- with .Values.sidecarInjector.pod.labels }}
+        {{- tpl (toYaml .) $ | nindent 8 }}
+        {{- end }}
+      {{- with .Values.sidecarInjector.pod.annotations }}
+      annotations: {{ tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- with .Values.sidecarInjector.pod.imagePullSecrets }}
+      imagePullSecrets:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- with .Values.sidecarInjector.pod.securityContext }}
+      securityContext:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- with .Values.sidecarInjector.pod.nodeSelector }}
+      nodeSelector:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- with .Values.sidecarInjector.pod.tolerations }}
+      tolerations:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- with .Values.sidecarInjector.pod.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- with .Values.sidecarInjector.pod.priorityClassName }}
+      priorityClassName: {{ . | quote }}
+      {{- end }}
+      {{- with .Values.sidecarInjector.pod.hostNetwork }}
+      hostNetwork: {{ . }}
+      {{- end }}
+      {{- with .Values.sidecarInjector.pod.dnsPolicy }}
+      dnsPolicy: {{ . }}
+      {{- end }}
+      affinity:
+        {{- with .Values.sidecarInjector.pod.antiAffinity }}
+        podAntiAffinity:
+          {{- tpl (toYaml .) $ | nindent 10 }}
+        {{- end }}
+        {{- with .Values.sidecarInjector.pod.affinity }}
+        podAffinity:
+          {{- tpl (toYaml .) $ | nindent 10 }}
+        {{- end }}
+        {{- with .Values.sidecarInjector.pod.nodeAffinity }}
+        nodeAffinity:
+          {{- tpl (toYaml .) $ | nindent 10 }}
+        {{- end }}
+      serviceAccountName: {{ template "kyverno.sidecar-injector.service-account.name" . }}
+      containers:
+        {{- with .Values.sidecarInjector.containers.injector }}
+        - name: injector
+          image: {{ include "kyverno.sidecar-injector.image" .image }}
+          imagePullPolicy: {{ .image.pullPolicy }}
+          {{- with .resources }}
+          resources:
+            {{- tpl (toYaml .) $ | nindent 12 }}
+          {{- end }}
+          {{- with .securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .startupProbe }}
+          startupProbe:
+            {{- tpl (toYaml .) $ | nindent 12 }}
+          {{- end }}
+          {{- with .livenessProbe }}
+          livenessProbe:
+            {{- tpl (toYaml .) $ | nindent 12 }}
+          {{- end }}
+          {{- with .readinessProbe }}
+          readinessProbe:
+            {{- tpl (toYaml .) $ | nindent 12 }}
+          {{- end }}
+          {{- with .ports }}
+          ports:
+            {{- tpl (toYaml .) $ | nindent 12 }}
+          {{- end }}
+          {{- with .args }}
+          args:
+            {{- tpl (toYaml .) $ | nindent 12 }}
+          {{- end }}
+        {{- end }}
+{{- end -}}
diff --git a/charts/kyverno-envoy-plugin/templates/sidecar-injector/mutating-webhook-configuration.yaml b/charts/kyverno-envoy-plugin/templates/sidecar-injector/mutating-webhook-configuration.yaml
@@ -0,0 +1,35 @@
+{{- if .Values.sidecarInjector.enabled -}}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: {{ template "kyverno.sidecar-injector.name" . }}
+  labels:
+    {{- include "kyverno.sidecar-injector.labels" . | nindent 4 }}
+webhooks:
+  - name: kyverno-envoy-sidecar.kyverno-envoy-sidecar-injector.svc
+    clientConfig:
+      service:
+        name: {{ template "kyverno.sidecar-injector.name" . }}
+        namespace: {{ template "kyverno.namespace" . }}
+        path: "/mutate"
+    failurePolicy: Fail
+    sideEffects: None
+    admissionReviewVersions:
+    - v1
+    rules:
+      - apiGroups:
+          - ''
+        apiVersions:
+          - v1
+        resources:
+          - pods
+        operations:
+          - CREATE
+        scope: '*'  
+    objectSelector:
+      matchExpressions:
+        - key: kyverno-envoy-sidecar/injection
+          operator: In
+          values:
+          - enabled
+{{- end -}}