feat: add helm chart #139

merged 1 commit into from
Oct 25, 2024
2 changes: 1 addition & 1 deletion .gitignore
Original file line number Diff line number Diff line change
@@ -1,3 +1,3 @@
.tools/
website/site/
kyverno-envoy-plugin
/kyverno-envoy-plugin
18 changes: 16 additions & 2 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -171,7 +171,7 @@ mkdocs-serve: ## Generate and serve mkdocs website
@$(PIP) install -U mkdocs-material mkdocs-redirects mkdocs-minify-plugin mkdocs-include-markdown-plugin lunr mkdocs-rss-plugin mike
@mkdocs serve -f ./website/mkdocs.yaml

########
########
# KIND #
########

Expand All @@ -196,7 +196,7 @@ kind-load-taged-image: build-ko
docker tag $(KO_REGISTRY)/$(PACKAGE):$(GIT_SHA) $(KO_REGISTRY)/$(PACKAGE):latest
@$(KIND) load docker-image $(KO_REGISTRY)/$(PACKAGE):latest

#########
#########
# ISTIO #
#########

Expand All @@ -207,6 +207,20 @@ install-istio: $(HELM)
@$(HELM) upgrade --install istio-base --namespace istio-system --create-namespace --wait --repo https://istio-release.storage.googleapis.com/charts base
@$(HELM) upgrade --install istiod --namespace istio-system --create-namespace --wait --repo https://istio-release.storage.googleapis.com/charts istiod

########
# HELM #
########

.PHONY: chart-install
chart-install: ## Install chart
chart-install: kind-load-image
chart-install: $(HELM)
@echo Install helm chart... >&2
@$(HELM) upgrade --install kyverno-envoy-plugin --namespace kyverno --create-namespace --wait ./charts/kyverno-envoy-plugin \
--set sidecarInjector.containers.injector.image.registry=ko.local \
--set sidecarInjector.containers.injector.image.repository=github.com/kyverno/kyverno-envoy-plugin \
--set sidecarInjector.containers.injector.image.tag=$(GIT_SHA)

########
# HELP #
########
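Review bot: The new `chart-install` target hard-codes the image registry `ko.local` and repository `github.com/kyverno/kyverno-envoy-plugin` in its `--set` flags, while the kind targets in the same file address the very same image as `$(KO_REGISTRY)/$(PACKAGE)` (see `kind-load-taged-image` just above); if either variable is ever changed, `kind-load-image` will load one image and the chart will reference another, and the injector pod will sit in `ImagePullBackOff`. I'd reuse the variables: `--set sidecarInjector.containers.injector.image.registry=$(KO_REGISTRY)` and `--set sidecarInjector.containers.injector.image.repository=$(PACKAGE)`. Presumably both expand to the literal strings used here today, but the variable definitions are outside the visible part of the Makefile, so that needs a quick check.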
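--- /dev/null
+++ b/charts/kyverno-envoy-plugin/.helmignore
@@ -0,0 +1,3 @@
+.helmignore
+ci/
+README.md.gotmpl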
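--- /dev/null
+++ b/charts/kyverno-envoy-plugin/Chart.yaml
@@ -0,0 +1,22 @@
+apiVersion: v2
+type: application
+name: kyverno-envoy-plugin
+version: v0.0.0
+appVersion: latest
+icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
+description: Kyverno policies based authorization plugin for Envoy ❤️
+keywords:
+- kubernetes
+- kyverno
+- authz
+- policy
+- envoy
+- istio
+- security
+home: https://kyverno.github.io/kyverno-envoy-plugin
+sources:
+- https://github.com/kyverno/kyverno-envoy-plugin
+maintainers:
+- name: Kyverno
+  url: https://kyverno.io/
+kubeVersion: ">=1.25.0-0"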
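--- /dev/null
+++ b/charts/kyverno-envoy-plugin/templates/NOTES.txt
@@ -0,0 +1 @@
+Chart version: {{ .Chart.Version }}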
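--- /dev/null
+++ b/charts/kyverno-envoy-plugin/templates/_helpers/_chart.tpl
@@ -0,0 +1,9 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{- define "kyverno.chart.name" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "kyverno.chart.version" -}}
+{{- .Chart.Version | replace "+" "_" -}}
+{{- end -}}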
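--- /dev/null
+++ b/charts/kyverno-envoy-plugin/templates/_helpers/_labels.tpl
@@ -0,0 +1,43 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{- define "kyverno.labels.merge" -}}
+{{- $labels := dict -}}
+{{- range . -}}
+{{- $labels = merge $labels (fromYaml .) -}}
+{{- end -}}
+{{- with $labels -}}
+{{- toYaml $labels -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "kyverno.labels.helm" -}}
+{{- if not .Values.templating.enabled -}}
+helm.sh/chart: {{ template "kyverno.chart.name" . }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+{{- end -}}
+
+{{- define "kyverno.labels.version" -}}
+app.kubernetes.io/version: {{ template "kyverno.chart.version" . }}
+{{- end -}}
+
+{{- define "kyverno.labels.common" -}}
+{{- template "kyverno.labels.merge" (list
+(include "kyverno.labels.helm" .)
+(include "kyverno.labels.version" .)
+(toYaml .Values.customLabels)
+) -}}
+{{- end -}}
+
+{{- define "kyverno.labels.component" -}}
+app.kubernetes.io/component: {{ . }}
+{{- end -}}
+
+{{- define "kyverno.labels.name" -}}
+app.kubernetes.io/name: {{ . }}
+{{- end -}}
+
+{{- define "kyverno.labels.match.common" -}}
+app.kubernetes.io/part-of: {{ template "kyverno.names.fullname" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}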
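Review bot: `kyverno.labels.merge` builds on Sprig's `merge`, which gives precedence to the destination map, so in the `range` loop the earlier list entries win on key conflicts; in `kyverno.labels.common` that means a key in `.Values.customLabels` can never override `helm.sh/chart`, `app.kubernetes.io/managed-by` or `app.kubernetes.io/version`, and in the sidecar-injector labels the common labels win over the match labels. That is probably the intended guarantee (user labels must not be able to rewrite the selector-relevant ones), but nothing in the file says so, and the next person to "fix" a custom label that is not applied will likely reverse the list order. I'd document it above the define: `{{/* Merge a list of YAML label maps into one; on duplicate keys the EARLIER entry wins (Sprig merge keeps dest values). */}}`.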
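--- /dev/null
+++ b/charts/kyverno-envoy-plugin/templates/_helpers/_names.tpl
@@ -0,0 +1,22 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{- define "kyverno.names.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "kyverno.names.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "kyverno.namespace" -}}
+{{ default .Release.Namespace .Values.namespaceOverride }}
+{{- end -}}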
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
{{/* vim: set filetype=mustache: */}}

{{- define "kyverno.sidecar-injector.name" -}}
{{ template "kyverno.names.name" . }}-sidecar-injector
{{- end -}}

{{- define "kyverno.sidecar-injector.labels" -}}
{{- template "kyverno.labels.merge" (list
(include "kyverno.labels.common" .)
(include "kyverno.sidecar-injector.labels.match" .)
) -}}
{{- end -}}

{{- define "kyverno.sidecar-injector.labels.match" -}}
{{- template "kyverno.labels.merge" (list
(include "kyverno.labels.match.common" .)
(include "kyverno.labels.component" "sidecar-injector")
) -}}
{{- end -}}

{{- define "kyverno.sidecar-injector.role.name" -}}
{{- include "kyverno.names.fullname" . -}}:sidecar-injector
{{- end -}}

{{- define "kyverno.sidecar-injector.service-account.name" -}}
{{- if .Values.sidecarInjector.rbac.create -}}
{{- default (include "kyverno.sidecar-injector.name" .) .Values.sidecarInjector.rbac.serviceAccount.name -}}
{{- else -}}
{{- required "A service account name is required when `rbac.create` is set to `false`" .Values.sidecarInjector.rbac.serviceAccount.name -}}
{{- end -}}
{{- end -}}

{{- define "kyverno.sidecar-injector.serviceName" -}}
{{- printf "%s-svc" (include "kyverno.names.fullname" .) | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{- define "kyverno.sidecar-injector.caCertificatesConfigMapName" -}}
{{- printf "%s-ca-certificates" (include "kyverno.sidecar-injector.name" .) -}}
{{- end -}}

{{- define "kyverno.sidecar-injector.image" -}}
{{- printf "%s/%s:%s" .registry .repository (default "latest" .tag) -}}
{{- end -}}
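Review bot: `kyverno.sidecar-injector.image` falls back to the mutable `latest` tag whenever `.tag` is empty and has no way to pin a digest, so a values file that simply omits the tag runs whatever `latest` resolves to at pull time — the opposite of what an admission controller that rewrites every labeled pod should do. Because the helper only receives the `image` map it cannot read `.Chart.AppVersion` (which is itself `latest` in this Chart.yaml, so that would not help yet); I'd add an optional `digest` that takes precedence, as below, and give `tag` a real default in values. Two smaller points in this file: the `required` message in `kyverno.sidecar-injector.service-account.name` names the wrong key — it should read `required "A service account name is required when sidecarInjector.rbac.create is set to false"` — and `kyverno.sidecar-injector.serviceName` is fullname-based while the certificate SAN and the webhook `clientConfig.service.name` both use `kyverno.sidecar-injector.name`, so whichever Service template exists (it is not in this PR) must use the latter or the API server's TLS verification of the webhook fails.
```yaml
{{- define "kyverno.sidecar-injector.image" -}}
{{- if .digest -}}
{{- printf "%s/%s@%s" .registry .repository .digest -}}
{{- else -}}
{{- printf "%s/%s:%s" .registry .repository (default "latest" .tag) -}}
{{- end -}}
{{- end -}}
```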
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
{{- if .Values.sidecarInjector.enabled -}}
{{- if .Values.sidecarInjector.certificates.selfSigned -}}
{{- $ca := genCA (printf "*.%s.svc" (include "kyverno.namespace" .)) 1024 -}}
{{- $svcName := (printf "%s.%s.svc" (include "kyverno.sidecar-injector.name" .) (include "kyverno.namespace" .)) -}}
{{- $cert := genSignedCert $svcName nil (list $svcName) 1024 $ca -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "kyverno.sidecar-injector.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.sidecar-injector.labels" . | nindent 4 }}
type: kubernetes.io/tls
data:
tls.key: {{ $ca.Key | b64enc }}
tls.crt: {{ $ca.Cert | b64enc }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ template "kyverno.sidecar-injector.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.sidecar-injector.labels" . | nindent 4 }}
annotations:
self-signed-cert: "true"
type: kubernetes.io/tls
data:
tls.key: {{ $cert.Key | b64enc }}
tls.crt: {{ $cert.Cert | b64enc }}
{{- end -}}
{{- end -}}
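Review bot: `genCA` and `genSignedCert` are evaluated on every render, so each `helm upgrade` mints a fresh CA and serving key and overwrites both Secrets; the running injector keeps serving with the old key until it restarts, and any caBundle derived from the old CA stops matching, which with the webhook's `failurePolicy: Fail` blocks creation of labeled pods until everything converges. The usual fix is to reuse the Secrets already in the cluster via `lookup` and only generate when they are absent, as sketched below (`lookup` returns empty under `helm template`/`--dry-run`, so those paths still regenerate, which is acceptable). Note also that the `1024` argument is validity in days (about 2.8 years), and that the CA private key is persisted in the `…kyverno-tls-ca` Secret — anyone who can read Secrets in that namespace can mint certificates this webhook's trust anchor accepts; if the injector does not need the CA key for renewal (I cannot tell from here), consider not storing it.
```yaml
{{- if .Values.sidecarInjector.enabled -}}
{{- if .Values.sidecarInjector.certificates.selfSigned -}}
{{- $ns := include "kyverno.namespace" . -}}
{{- $svcName := printf "%s.%s.svc" (include "kyverno.sidecar-injector.name" .) $ns -}}
{{- /* reuse what is already in the cluster so an upgrade does not rotate the CA */ -}}
{{- $caSecret := lookup "v1" "Secret" $ns (printf "%s.kyverno-tls-ca" $svcName) -}}
{{- $pairSecret := lookup "v1" "Secret" $ns (printf "%s.kyverno-tls-pair" $svcName) -}}
{{- $reuse := and $caSecret $pairSecret -}}
{{- $ca := dict -}}
{{- $cert := dict -}}
{{- if not $reuse -}}
{{- $ca = genCA (printf "*.%s.svc" $ns) 1024 -}}
{{- $cert = genSignedCert $svcName nil (list $svcName) 1024 $ca -}}
{{- end -}}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $svcName }}.kyverno-tls-ca
  # … unchanged: namespace, labels, type …
data:
  {{- if $reuse }}
  tls.key: {{ index $caSecret.data "tls.key" }}
  tls.crt: {{ index $caSecret.data "tls.crt" }}
  {{- else }}
  tls.key: {{ $ca.Key | b64enc }}
  tls.crt: {{ $ca.Cert | b64enc }}
  {{- end }}
---
# … unchanged: the tls-pair Secret, with the same $reuse switch reading $pairSecret.data …
```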
Original file line number Diff line number Diff line change
@@ -0,0 +1,111 @@
{{- if .Values.sidecarInjector.enabled -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "kyverno.sidecar-injector.name" . }}
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.sidecar-injector.labels" . | nindent 4 }}
{{- with .Values.sidecarInjector.deployment.annotations }}
annotations:
{{- tpl (toYaml .) $ | nindent 4 }}
{{- end }}
spec:
replicas: {{ template "kyverno.deployment.replicas" .Values.sidecarInjector.deployment.replicas }}
revisionHistoryLimit: {{ .Values.sidecarInjector.deployment.revisionHistoryLimit }}
{{- with .Values.sidecarInjector.deployment.updateStrategy }}
strategy:
{{- toYaml . | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- include "kyverno.sidecar-injector.labels.match" . | nindent 6 }}
template:
metadata:
labels:
{{- include "kyverno.sidecar-injector.labels" . | nindent 8 }}
{{- with .Values.sidecarInjector.pod.labels }}
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.sidecarInjector.pod.annotations }}
annotations: {{ tpl (toYaml .) $ | nindent 8 }}
{{- end }}
spec:
{{- with .Values.sidecarInjector.pod.imagePullSecrets }}
imagePullSecrets:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.sidecarInjector.pod.securityContext }}
securityContext:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.sidecarInjector.pod.nodeSelector }}
nodeSelector:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.sidecarInjector.pod.tolerations }}
tolerations:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.sidecarInjector.pod.topologySpreadConstraints }}
topologySpreadConstraints:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.sidecarInjector.pod.priorityClassName }}
priorityClassName: {{ . | quote }}
{{- end }}
{{- with .Values.sidecarInjector.pod.hostNetwork }}
hostNetwork: {{ . }}
{{- end }}
{{- with .Values.sidecarInjector.pod.dnsPolicy }}
dnsPolicy: {{ . }}
{{- end }}
affinity:
{{- with .Values.sidecarInjector.pod.antiAffinity }}
podAntiAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- with .Values.sidecarInjector.pod.affinity }}
podAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- with .Values.sidecarInjector.pod.nodeAffinity }}
nodeAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
serviceAccountName: {{ template "kyverno.sidecar-injector.service-account.name" . }}
containers:
{{- with .Values.sidecarInjector.containers.injector }}
- name: injector
image: {{ include "kyverno.sidecar-injector.image" .image }}
imagePullPolicy: {{ .image.pullPolicy }}
{{- with .resources }}
resources:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- with .securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .startupProbe }}
startupProbe:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- with .livenessProbe }}
livenessProbe:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- with .readinessProbe }}
readinessProbe:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- with .ports }}
ports:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- with .args }}
args:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- end }}
{{- end -}}
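Review bot: Nothing in this Deployment delivers the chart-generated serving certificate to the `injector` container — there is no `volumes`/`volumeMounts` for the `…kyverno-tls-pair` Secret and no `env` block — so the webhook can only serve TLS if the binary reads that Secret through the API, which in turn needs a Role granting `get`/`list`/`watch` on Secrets (plus `update` on `mutatingwebhookconfigurations` if it also publishes the caBundle); neither a Role nor a Service template is part of this PR. Please confirm which mechanism the injector uses and add the missing piece, otherwise the fail-closed webhook rejects every labeled pod. `replicas` also calls `kyverno.deployment.replicas`, which none of the `_helpers` files added here define; if it does not exist elsewhere in the chart, rendering fails. Finally, the container `securityContext` is entirely values-driven and `values.yaml` is not in view, so I'd verify it defaults to `allowPrivilegeEscalation: false`, `runAsNonRoot: true` and `capabilities.drop: [ALL]` for a component that mutates other workloads.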
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
{{- if .Values.sidecarInjector.enabled -}}
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: {{ template "kyverno.sidecar-injector.name" . }}
labels:
{{- include "kyverno.sidecar-injector.labels" . | nindent 4 }}
webhooks:
- name: kyverno-envoy-sidecar.kyverno-envoy-sidecar-injector.svc
clientConfig:
service:
name: {{ template "kyverno.sidecar-injector.name" . }}
namespace: {{ template "kyverno.namespace" . }}
path: "/mutate"
failurePolicy: Fail
sideEffects: None
admissionReviewVersions:
- v1
rules:
- apiGroups:
- ''
apiVersions:
- v1
resources:
- pods
operations:
- CREATE
scope: '*'
objectSelector:
matchExpressions:
- key: kyverno-envoy-sidecar/injection
operator: In
values:
- enabled
{{- end -}}
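Review bot: `clientConfig.service` carries no `caBundle`, yet the serving certificate is the chart's own self-signed pair and `failurePolicy: Fail`; unless the injector patches the caBundle into this object at startup (Kyverno does that for its webhooks, but it requires `update` on `mutatingwebhookconfigurations` and no RBAC is in this PR), every `CREATE` of a pod labeled `kyverno-envoy-sidecar/injection=enabled` is rejected with an x509 error. If the certificate is meant to be chart-managed end to end, generate the CA in this template (or feed it in through values) so the bundle can be set here as `caBundle: {{ $ca.Cert | b64enc }}`. Separately, `metadata.name` uses `kyverno.sidecar-injector.name`, which is chart-name based, on a cluster-scoped object, so two releases in different namespaces overwrite each other's webhook; a fullname-based name such as `name: {{ template "kyverno.names.fullname" . }}-sidecar-injector` avoids that, and the hard-coded `webhooks[0].name` should follow the same scheme. For a fail-closed webhook I would also set `timeoutSeconds` explicitly rather than rely on the 10s default.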