feat: add helm chart

Signed-off-by: Charles-Edouard Brétéché <[email protected]>
kyverno · Oct 25, 2024 · 6b929ec · 6b929ec
1 parent 38425f4
commit 6b929ec
Show file tree

Hide file tree

Showing 14 changed files with 612 additions and 1 deletion.
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,3 @@
 .tools/
 website/site/
-kyverno-envoy-plugin
+/kyverno-envoy-plugin
diff --git a/charts/kyverno-envoy-plugin/.helmignore b/charts/kyverno-envoy-plugin/.helmignore
@@ -0,0 +1,3 @@
+.helmignore
+ci/
+README.md.gotmpl
diff --git a/charts/kyverno-envoy-plugin/Chart.yaml b/charts/kyverno-envoy-plugin/Chart.yaml
@@ -0,0 +1,22 @@
+apiVersion: v2
+type: application
+name: kyverno-envoy-plugin
+version: v0.0.0
+appVersion: latest
+icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
+description: Kyverno policies based authorization plugin for Envoy ❤️
+keywords:
+  - kubernetes
+  - kyverno
+  - authz
+  - policy
+  - envoy
+  - istio
+  - security
+home: https://kyverno.github.io/kyverno-envoy-plugin
+sources:
+  - https://github.com/kyverno/kyverno-envoy-plugin
+maintainers:
+  - name: Kyverno
+    url: https://kyverno.io/
+kubeVersion: ">=1.25.0-0"
diff --git a/charts/kyverno-envoy-plugin/templates/NOTES.txt b/charts/kyverno-envoy-plugin/templates/NOTES.txt
@@ -0,0 +1 @@
+Chart version: {{ .Chart.Version }}
diff --git a/charts/kyverno-envoy-plugin/templates/_helpers/_chart.tpl b/charts/kyverno-envoy-plugin/templates/_helpers/_chart.tpl
@@ -0,0 +1,9 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{- define "kyverno.chart.name" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "kyverno.chart.version" -}}
+  {{- .Chart.Version | replace "+" "_" -}}
+{{- end -}}
diff --git a/charts/kyverno-envoy-plugin/templates/_helpers/_labels.tpl b/charts/kyverno-envoy-plugin/templates/_helpers/_labels.tpl
@@ -0,0 +1,43 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{- define "kyverno.labels.merge" -}}
+{{- $labels := dict -}}
+{{- range . -}}
+  {{- $labels = merge $labels (fromYaml .) -}}
+{{- end -}}
+{{- with $labels -}}
+  {{- toYaml $labels -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "kyverno.labels.helm" -}}
+{{- if not .Values.templating.enabled -}}
+helm.sh/chart: {{ template "kyverno.chart.name" . }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+{{- end -}}
+
+{{- define "kyverno.labels.version" -}}
+app.kubernetes.io/version: {{ template "kyverno.chart.version" . }}
+{{- end -}}
+
+{{- define "kyverno.labels.common" -}}
+{{- template "kyverno.labels.merge" (list
+  (include "kyverno.labels.helm" .)
+  (include "kyverno.labels.version" .)
+  (toYaml .Values.customLabels)
+) -}}
+{{- end -}}
+
+{{- define "kyverno.labels.component" -}}
+app.kubernetes.io/component: {{ . }}
+{{- end -}}
+
+{{- define "kyverno.labels.name" -}}
+app.kubernetes.io/name: {{ . }}
+{{- end -}}
+
+{{- define "kyverno.labels.match.common" -}}
+app.kubernetes.io/part-of: {{ template "kyverno.names.fullname" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
diff --git a/charts/kyverno-envoy-plugin/templates/_helpers/_names.tpl b/charts/kyverno-envoy-plugin/templates/_helpers/_names.tpl
@@ -0,0 +1,22 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{- define "kyverno.names.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "kyverno.names.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+  {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+  {{- $name := default .Chart.Name .Values.nameOverride -}}
+  {{- if contains $name .Release.Name -}}
+    {{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+  {{- else -}}
+    {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+  {{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "kyverno.namespace" -}}
+{{ default .Release.Namespace .Values.namespaceOverride }}
+{{- end -}}
diff --git a/charts/kyverno-envoy-plugin/templates/sidecar-injector/_helpers.tpl b/charts/kyverno-envoy-plugin/templates/sidecar-injector/_helpers.tpl
@@ -0,0 +1,39 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{- define "kyverno.sidecar-injector.name" -}}
+{{ template "kyverno.names.name" . }}-sidecar-injector
+{{- end -}}
+
+{{- define "kyverno.sidecar-injector.labels" -}}
+{{- template "kyverno.labels.merge" (list
+  (include "kyverno.labels.common" .)
+  (include "kyverno.sidecar-injector.labels.match" .)
+) -}}
+{{- end -}}
+
+{{- define "kyverno.sidecar-injector.labels.match" -}}
+{{- template "kyverno.labels.merge" (list
+  (include "kyverno.labels.match.common" .)
+  (include "kyverno.labels.component" "sidecar-injector")
+) -}}
+{{- end -}}
+
+{{- define "kyverno.sidecar-injector.role.name" -}}
+{{ include "kyverno.names.fullname" . }}:sidecar-injector
+{{- end -}}
+
+{{- define "kyverno.sidecar-injector.service-account.name" -}}
+{{- if .Values.sidecarInjector.rbac.create -}}
+    {{ default (include "kyverno.sidecar-injector.name" .) .Values.sidecarInjector.rbac.serviceAccount.name }}
+{{- else -}}
+    {{ required "A service account name is required when `rbac.create` is set to `false`" .Values.sidecarInjector.rbac.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{- define "kyverno.sidecar-injector.serviceName" -}}
+{{- printf "%s-svc" (include "kyverno.names.fullname" .) | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "kyverno.sidecar-injector.caCertificatesConfigMapName" -}}
+{{ printf "%s-ca-certificates" (include "kyverno.sidecar-injector.name" .) }}
+{{- end -}}
diff --git a/charts/kyverno-envoy-plugin/templates/sidecar-injector/certificates.yaml b/charts/kyverno-envoy-plugin/templates/sidecar-injector/certificates.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.sidecarInjector.enabled -}}
+{{- if .Values.sidecarInjector.certificates.selfSigned -}}
+{{- $ca := genCA (printf "*.%s.svc" (include "kyverno.namespace" .)) 1024 -}}
+{{- $svcName := (printf "%s.%s.svc" (include "kyverno.sidecar-injector.name" .) (include "kyverno.namespace" .)) -}}
+{{- $cert := genSignedCert $svcName nil (list $svcName) 1024 $ca -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "kyverno.sidecar-injector.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca
+  namespace: {{ template "kyverno.namespace" . }}
+  labels:
+    {{- include "kyverno.sidecar-injector.labels" . | nindent 4 }}
+type: kubernetes.io/tls
+data:
+  tls.key: {{ $ca.Key | b64enc }}
+  tls.crt: {{ $ca.Cert | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "kyverno.sidecar-injector.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair
+  namespace: {{ template "kyverno.namespace" . }}
+  labels:
+    {{- include "kyverno.sidecar-injector.labels" . | nindent 4 }}
+  annotations:
+    self-signed-cert: "true"
+type: kubernetes.io/tls
+data:
+  tls.key: {{ $cert.Key | b64enc }}
+  tls.crt: {{ $cert.Cert | b64enc }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/kyverno-envoy-plugin/templates/sidecar-injector/deployment.yaml b/charts/kyverno-envoy-plugin/templates/sidecar-injector/deployment.yaml
@@ -0,0 +1,103 @@
+{{- if .Values.sidecarInjector.enabled -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "kyverno.sidecar-injector.name" . }}
+  namespace: {{ template "kyverno.namespace" . }}
+  labels:
+    {{- include "kyverno.sidecar-injector.labels" . | nindent 4 }}
+  {{- with .Values.sidecarInjector.deployment.annotations }}
+  annotations:
+    {{- tpl (toYaml .) $ | nindent 4 }}
+  {{- end }}
+spec:
+  replicas: {{ template "kyverno.deployment.replicas" .Values.sidecarInjector.deployment.replicas }}
+  revisionHistoryLimit: {{ .Values.sidecarInjector.deployment.revisionHistoryLimit }}
+  {{- with .Values.sidecarInjector.deployment.updateStrategy }}
+  strategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "kyverno.sidecar-injector.labels.match" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "kyverno.sidecar-injector.labels" . | nindent 8 }}
+        {{- with .Values.sidecarInjector.pod.labels }}
+        {{- tpl (toYaml .) $ | nindent 8 }}
+        {{- end }}
+      {{- with .Values.sidecarInjector.pod.annotations }}
+      annotations: {{ tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- with .Values.sidecarInjector.pod.imagePullSecrets }}
+      imagePullSecrets:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- with .Values.sidecarInjector.pod.securityContext }}
+      securityContext:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- with .Values.sidecarInjector.pod.nodeSelector }}
+      nodeSelector:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- with .Values.sidecarInjector.pod.tolerations }}
+      tolerations:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- with .Values.sidecarInjector.pod.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- with .Values.sidecarInjector.pod.priorityClassName }}
+      priorityClassName: {{ . | quote }}
+      {{- end }}
+      {{- with .Values.sidecarInjector.pod.hostNetwork }}
+      hostNetwork: {{ . }}
+      {{- end }}
+      {{- with .Values.sidecarInjector.pod.dnsPolicy }}
+      dnsPolicy: {{ . }}
+      {{- end }}
+      affinity:
+        {{- with .Values.sidecarInjector.pod.antiAffinity }}
+        podAntiAffinity:
+          {{- tpl (toYaml .) $ | nindent 10 }}
+        {{- end }}
+        {{- with .Values.sidecarInjector.pod.affinity }}
+        podAffinity:
+          {{- tpl (toYaml .) $ | nindent 10 }}
+        {{- end }}
+        {{- with .Values.sidecarInjector.pod.nodeAffinity }}
+        nodeAffinity:
+          {{- tpl (toYaml .) $ | nindent 10 }}
+        {{- end }}
+      serviceAccountName: {{ template "kyverno.sidecar-injector.service-account.name" . }}
+      containers:
+        {{- range .Values.sidecarInjector.containers }}
+        - name: {{ .name }}
+          image: {{ .image.pullPolicy }}
+          imagePullPolicy: {{ .image.pullPolicy }}
+          {{- with .resources }}
+          resources:
+            {{- tpl (toYaml .) $ | nindent 12 }}
+          {{- end }}
+          {{- with .securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .startupProbe }}
+          startupProbe:
+            {{- tpl (toYaml .) $ | nindent 12 }}
+          {{- end }}
+          {{- with .livenessProbe }}
+          livenessProbe:
+            {{- tpl (toYaml .) $ | nindent 12 }}
+          {{- end }}
+          {{- with .readinessProbe }}
+          readinessProbe:
+            {{- tpl (toYaml .) $ | nindent 12 }}
+          {{- end }}
+        {{- end }}
+{{- end -}}
diff --git a/charts/kyverno-envoy-plugin/templates/sidecar-injector/mutating-webhook-configuration.yaml b/charts/kyverno-envoy-plugin/templates/sidecar-injector/mutating-webhook-configuration.yaml
@@ -0,0 +1,35 @@
+{{- if .Values.sidecarInjector.enabled -}}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: {{ template "kyverno.sidecar-injector.name" . }}
+  labels:
+    {{- include "kyverno.sidecar-injector.labels" . | nindent 4 }}
+webhooks:
+  - name: kyverno-envoy-sidecar.kyverno-envoy-sidecar-injector.svc
+    clientConfig:
+      service:
+        name: {{ template "kyverno.sidecar-injector.name" . }}
+        namespace: {{ template "kyverno.namespace" . }}
+        path: "/mutate"
+    failurePolicy: Fail
+    sideEffects: None
+    admissionReviewVersions:
+    - v1
+    rules:
+      - apiGroups:
+          - ''
+        apiVersions:
+          - v1
+        resources:
+          - pods
+        operations:
+          - CREATE
+        scope: '*'  
+    objectSelector:
+      matchExpressions:
+        - key: kyverno-envoy-sidecar/injection
+          operator: In
+          values:
+          - enabled
+{{- end -}}
diff --git a/charts/kyverno-envoy-plugin/templates/sidecar-injector/rbac.yaml b/charts/kyverno-envoy-plugin/templates/sidecar-injector/rbac.yaml
@@ -0,0 +1,45 @@
+{{- if .Values.sidecarInjector.enabled -}}
+{{- if .Values.sidecarInjector.rbac.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "kyverno.sidecar-injector.service-account.name" . }}
+  namespace: {{ template "kyverno.namespace" . }}
+  labels:
+    {{- include "kyverno.sidecar-injector.labels" . | nindent 4 }}
+  {{- with .Values.sidecarInjector.rbac.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "kyverno.sidecar-injector.role.name" . }}
+  labels:
+    {{- include "kyverno.sidecar-injector.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "kyverno.sidecar-injector.role.name" . }}
+  labels:
+    {{- include "kyverno.sidecar-injector.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "kyverno.sidecar-injector.role.name" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "kyverno.sidecar-injector.service-account.name" . }}
+    namespace: {{ template "kyverno.namespace" . }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/kyverno-envoy-plugin/templates/sidecar-injector/service.yaml b/charts/kyverno-envoy-plugin/templates/sidecar-injector/service.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.sidecarInjector.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "kyverno.sidecar-injector.service-account.name" . }}
+  namespace: {{ template "kyverno.namespace" . }}
+  labels:
+    {{- include "kyverno.sidecar-injector.labels" . | nindent 4 }}
+spec:
+  type: ClusterIP
+  ports:
+  - name: https
+    protocol: TCP
+    port: 443
+    targetPort: 8443
+  selector:
+    {{- include "kyverno.sidecar-injector.labels" . | nindent 4 }}
+{{- end -}}