diff --git a/config/crds/envoy.kyverno.io_authorizationpolicies.yaml b/.crds/envoy.kyverno.io_authorizationpolicies.yaml similarity index 100% rename from config/crds/envoy.kyverno.io_authorizationpolicies.yaml rename to .crds/envoy.kyverno.io_authorizationpolicies.yaml diff --git a/Makefile b/Makefile index 218f1678..101717b3 100644 --- a/Makefile +++ b/Makefile @@ -10,6 +10,7 @@ PACKAGE_SHIM := $(GOPATH_SHIM)/src/$(PACKAGE) CLI_BIN := kyverno-envoy-plugin CGO_ENABLED ?= 0 GOOS ?= $(shell go env GOOS) +CRDS_PATH := .crds ifdef VERSION LD_FLAGS := "-s -w -X $(PACKAGE)/pkg/version.BuildVersion=$(VERSION)" else @@ -96,7 +97,7 @@ codegen-crds: $(CONTROLLER_GEN) codegen-crds: $(REGISTER_GEN) @echo Generate CRDs... >&2 @$(CONTROLLER_GEN) paths=./apis/v1alpha1/... object - @$(CONTROLLER_GEN) paths=./apis/v1alpha1/... crd:crdVersions=v1,ignoreUnexportedFields=true,generateEmbeddedObjectMeta=false output:dir=./config/crds + @$(CONTROLLER_GEN) paths=./apis/v1alpha1/... crd:crdVersions=v1,ignoreUnexportedFields=true,generateEmbeddedObjectMeta=false output:dir=$(CRDS_PATH) @$(REGISTER_GEN) --input-dirs=./apis/v1alpha1 --go-header-file=./hack/boilerplate.go.txt --output-base=. .PHONY: codegen-mkdocs 
@@ -107,10 +108,27 @@ codegen-mkdocs: ## Generate mkdocs website @$(PIP) install -U mkdocs-material mkdocs-redirects mkdocs-minify-plugin mkdocs-include-markdown-plugin lunr mkdocs-rss-plugin mike @mkdocs build -f ./website/mkdocs.yaml +.PHONY: codegen-helm-crds +codegen-helm-crds: codegen-crds ## Generate helm CRDs + @echo Generate helm crds... >&2 + @cat $(CRDS_PATH)/* \ + | $(SED) -e '1i{{- if .Values.crds.install }}' \ + | $(SED) -e '$$a{{- end }}' \ + | $(SED) -e '/^ annotations:/a \ \ \ \ {{- end }}' \ + | $(SED) -e '/^ annotations:/a \ \ \ \ {{- toYaml . | nindent 4 }}' \ + | $(SED) -e '/^ annotations:/a \ \ \ \ {{- with .Values.crds.annotations }}' \ + | $(SED) -e '/^ annotations:/i \ \ labels:' \ + | $(SED) -e '/^ labels:/a \ \ \ \ {{- end }}' \ + | $(SED) -e '/^ labels:/a \ \ \ \ {{- toYaml . | nindent 4 }}' \ + | $(SED) -e '/^ labels:/a \ \ \ \ {{- with .Values.crds.labels }}' \ + | $(SED) -e '/^ labels:/a \ \ \ \ {{- include "kyverno-authz-server.labels" . | nindent 4 }}' \ + > ./charts/kyverno-authz-server/templates/crds.yaml + .PHONY: codegen codegen: ## Rebuild all generated code and docs codegen: codegen-mkdocs codegen: codegen-crds +codegen: codegen-helm-crds .PHONY: verify-codegen verify-codegen: ## Verify all generated code and docs are up to date @@ -290,7 +308,7 @@ install-kyverno-authz-server: kind-load-image install-kyverno-authz-server: codegen-crds install-kyverno-authz-server: $(HELM) @echo Install CRDs... >&2 - @kubectl apply -f config/crds + @kubectl apply -f $(CRDS_PATH) @echo Build kyverno-authz-server dependecy... >&2 @$(HELM) dependency build --skip-refresh ./charts/kyverno-authz-server @echo Install kyverno-authz-server chart... >&2 diff --git a/charts/kyverno-authz-server/templates/crds.yaml b/charts/kyverno-authz-server/templates/crds.yaml new file mode 100644 index 00000000..53bd6480 --- /dev/null +++ b/charts/kyverno-authz-server/templates/crds.yaml 
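Review bot: The pipeline in the `codegen-helm-crds` recipe cannot fail loudly: the recipe line runs under the default `sh` without `pipefail` (unless the Makefile sets `SHELL`/`.SHELLFLAGS` elsewhere, which is not visible here), so if `$(CRDS_PATH)` is missing or empty the exit status is that of the last `sed` and `charts/kyverno-authz-server/templates/crds.yaml` is silently rewritten as an `{{- if }}`/`{{- end }}` stub that installs no CRD while make reports success. A minimal guard is a leading recipe line such as `@test -n "$$(ls $(CRDS_PATH)/*.yaml 2>/dev/null)" || { echo "no CRDs found in $(CRDS_PATH)" >&2; exit 1; }`, and `cat $(CRDS_PATH)/*` should be narrowed to `$(CRDS_PATH)/*.yaml` so stray files in that directory are not spliced into the shipped chart. I would also have the `1i` expression emit a `# Code generated by make codegen-helm-crds; DO NOT EDIT.` marker so the template is not hand-edited and then overwritten by the next codegen run.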
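Review bot: `kubectl apply -f $(CRDS_PATH)` in `install-kyverno-authz-server` now pre-creates the same CRD that the chart renders from `templates/crds.yaml` whenever `crds.install` is true, which is the default this commit sets in values.yaml. The `helm install` command that follows is outside this hunk, but unless it passes `--set crds.install=false` Helm will most likely refuse to adopt a CRD it does not own ("exists and cannot be imported into the current release"), and if it does pass that flag the chart's own CRD path is never exercised by this target. Pick one owner for the CRD: drop the `@kubectl apply -f $(CRDS_PATH)` line and let the chart install it, or keep it and add `--set crds.install=false` explicitly to the helm command so the intent is visible.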
@@ -0,0 +1,118 @@ +{{- if .Values.crds.install }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno-authz-server.labels" . | nindent 4 }} + {{- with .Values.crds.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + {{- with .Values.crds.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.16.5 + name: authorizationpolicies.envoy.kyverno.io +spec: + group: envoy.kyverno.io + names: + kind: AuthorizationPolicy + listKind: AuthorizationPolicyList + plural: authorizationpolicies + singular: authorizationpolicy + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + authorizations: + description: Authorizations contain CEL expressions which is used + to apply the authorization. + items: + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. + ref: https://github.com/google/cel-spec + CEL expressions have access to CEL variables as well as some other useful variables: + + - 'object' - The object from the incoming request. 
(https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto#service-auth-v3-checkrequest) + + CEL expressions are expected to return an envoy CheckResponse (https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto#service-auth-v3-checkresponse). + type: string + required: + - expression + type: object + type: array + x-kubernetes-list-type: atomic + failurePolicy: + description: |- + FailurePolicy defines how to handle failures for the policy. Failures can + occur from CEL expression parse errors, type check errors, runtime errors and invalid + or mis-configured policy definitions. + + FailurePolicy does not define how validations that evaluate to false are handled. + + Allowed values are Ignore or Fail. Defaults to Fail. + type: string + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy + except MatchConditions because MatchConditions are evaluated before the rest of the policy. + + The expression of a variable can refer to other variables defined earlier in the list but not those after. + Thus, Variables must be sorted by the order of first appearance and acyclic. + items: + description: Variable is the definition of a variable that is used + for composition. A variable is defined as a named expression. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. 
+ The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true +{{- end }} diff --git a/charts/kyverno-authz-server/values.yaml b/charts/kyverno-authz-server/values.yaml index 0de9a8a4..f192d466 100644 --- a/charts/kyverno-authz-server/values.yaml +++ b/charts/kyverno-authz-server/values.yaml @@ -11,6 +11,19 @@ nameOverride: ~ # -- (string) Override the expanded name of the chart fullnameOverride: ~ +crds: + + # -- Whether to have Helm install the CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created + install: true + + # -- Additional CRDs annotations + annotations: {} + # argocd.argoproj.io/sync-options: Replace=true + # strategy.spinnaker.io/replace: 'true' + + # -- Additional CRDs labels + labels: {} + rbac: # -- Create RBAC resources
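Review bot: The `crds.install` comment should warn about the lifecycle that comes with rendering CRDs from `templates/` rather than the chart's `crds/` directory: Helm deletes templated CRDs on `helm uninstall`, and deleting `authorizationpolicies.envoy.kyverno.io` removes every AuthorizationPolicy object in the cluster with it, which presumably means every authorization rule the server enforces disappears without any further confirmation. Either document this, e.g. `# -- Whether to have Helm install the CRDs. Templated CRDs are deleted on helm uninstall together with all AuthorizationPolicy objects; set helm.sh/resource-policy: keep in crds.annotations to retain them`, or default `annotations` to `helm.sh/resource-policy: keep`. The existing sentence is also a comma splice; splitting it as `If the CRDs are not installed by Helm, they must be added before policies can be created.` reads better.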