Fix variable injection, add common labels to all resources, fix requi… (

#256) * Fix variable injection, add common labels to all resources, fix required options not being passed when etcd is enabled, fix apiservice management always required in clusterrole Signed-off-by: Rafael da Fonseca <[email protected]> Fix: allow env variable injection to work for database secrets Fix: Add missing labels to pdb Fix: apiservice management permissions should always be required due to automatic migration code Fix: some required command line options were not being added when using etcd as a database Feat: Add commonLabels input variable, which allows adding arbitrary labels to all resources managed by the chart
kyverno · Feb 13, 2025 · 8d4956b · 8d4956b
1 parent 59faa76
commit 8d4956b
Show file tree

Hide file tree

Showing 11 changed files with 77 additions and 27 deletions.
diff --git a/.golangci.yml b/.golangci.yml
@@ -5,12 +5,12 @@ linters:
     - bidichk
     - bodyclose
     - containedctx
+    - copyloopvar
     - decorder
     - dogsled
     - durationcheck
     - errcheck
     - errname
-    - exportloopref
     - gci
     # - gochecknoinits
     - gofmt
@@ -30,20 +30,23 @@ linters:
     - nosprintfhostport
     # - paralleltest
     - staticcheck
-    - tenv
     - thelper
     - tparallel
     - typecheck
     - unconvert
     - unused
+    - usetesting
     - wastedassign
     - whitespace
 
 run:
   timeout: 15m
-  skip-files:
+
+issues:
+  exclude-files:
     - ".+\\.generated.go"
 
 output:
-  format: colored-line-number
-  sort-results: true
+  formats:
+    - format: colored-line-number
+  sort-results: true
diff --git a/charts/reports-server/README.md b/charts/reports-server/README.md
@@ -39,6 +39,7 @@ helm install reports-server --namespace reports-server --create-namespace report
 | serviceAccount.annotations | object | `{}` | Service account annotations |
 | serviceAccount.name | string | `""` | Service account name (required if `serviceAccount.create` is `false`) |
 | podAnnotations | object | `{}` | Pod annotations |
+| commonLabels | object | `{}` | Labels to add to resources managed by the chart |
 | podSecurityContext | object | `{"fsGroup":2000}` | Pod security context |
 | podEnv | object | `{}` | Provide additional environment variables to the pods. Map with the same format as kubernetes deployment spec's env. |
 | securityContext | object | See [values.yaml](values.yaml) | Container security context |
@@ -85,7 +86,7 @@ helm install reports-server --namespace reports-server --create-namespace report
 | config.db.sslrootcert | string | `""` | Database SSL root cert |
 | config.db.sslkey | string | `""` | Database SSL key |
 | config.db.sslcert | string | `""` | Database SSL cert |
-| apiServicesManagement.enabled | bool | `true` | Create a helm hooks delete api services on uninstall |
+| apiServicesManagement.enabled | bool | `true` | Create a helm hooks to delete api services on uninstall |
 | apiServicesManagement.installApiServices | object | `{"enabled":true,"installEphemeralReportsService":true}` | Install api services in manifest |
 | apiServicesManagement.installApiServices.enabled | bool | `true` | Store reports in reports-server |
 | apiServicesManagement.installApiServices.installEphemeralReportsService | bool | `true` | Store ephemeral reports in reports-server |

diff --git a/charts/reports-server/templates/_helpers.tpl b/charts/reports-server/templates/_helpers.tpl
@@ -35,6 +35,9 @@ Common labels
 */}}
 {{- define "reports-server.labels" -}}
 helm.sh/chart: {{ include "reports-server.chart" . }}
+{{- if .Values.commonLabels }}
+{{ include "reports-server.commonLabels" . }}
+{{- end }}
 {{ include "reports-server.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
@@ -50,6 +53,15 @@ app.kubernetes.io/name: {{ include "reports-server.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
+{{/*
+Common labels
+*/}}
+{{- define "reports-server.commonLabels" -}}
+{{- with .Values.commonLabels }}
+{{- toYaml . }}
+{{- end }}
+{{- end }}
+
 {{/*
 Create the name of the service account to use
 */}}

diff --git a/charts/reports-server/templates/cluster-roles.yaml b/charts/reports-server/templates/cluster-roles.yaml
@@ -28,7 +28,6 @@ rules:
     - namespaces
   verbs:
     - get
-{{- if .Values.apiServicesManagement.enabled }}
 - apiGroups:
     - apiregistration.k8s.io
   resources:
@@ -47,7 +46,6 @@ rules:
   resourceNames:
     - v1.reports.kyverno.io
     - v1alpha2.wgpolicyk8s.io
-{{- end }}
 - apiGroups:
     - wgpolicyk8s.io
   resources:

diff --git a/charts/reports-server/templates/deployment.yaml b/charts/reports-server/templates/deployment.yaml
@@ -23,7 +23,7 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:
-        {{- include "reports-server.selectorLabels" . | nindent 8 }}
+        {{- include "reports-server.labels" . | nindent 8 }}
     spec:
       {{- with .Values.priorityClassName }}
       priorityClassName: {{ . }}
@@ -45,20 +45,15 @@ spec:
             {{- end }}
             - --etcdEndpoints=https://etcd-0.etcd.{{ $.Release.Namespace }}:2379,https://etcd-1.etcd.{{ $.Release.Namespace }}:2379,https://etcd-2.etcd.{{ $.Release.Namespace }}:2379
             {{- else }}
-            - --dbhost=$(DB_HOST)
-            - --dbport=$(DB_PORT)
-            - --dbuser=$(DB_USER)
-            - --dbpassword=$(DB_PASSWORD)
-            - --dbname=$(DB_DATABASE)
             - --dbsslmode={{ .Values.config.db.sslmode }}
             - --dbsslrootcert={{ .Values.config.db.sslrootcert }}
             - --dbsslkey={{ .Values.config.db.sslkey }}
             - --dbsslcert={{ .Values.config.db.sslcert }}
+            {{- end }}
             - --servicename={{ include "reports-server.fullname" . }}
             - --servicens={{ $.Release.Namespace }}
             - --storereports={{ .Values.apiServicesManagement.installApiServices.enabled }}
             - --storeephemeralreports={{ .Values.apiServicesManagement.installApiServices.installEphemeralReportsService }}
-            {{- end }}
             - --cert-dir=/tmp
             - --secure-port=4443
             {{- if .Values.metrics.enabled }}

diff --git a/charts/reports-server/templates/hooks/pre-delete-api-service-cleanup.yaml b/charts/reports-server/templates/hooks/pre-delete-api-service-cleanup.yaml
@@ -19,10 +19,11 @@ spec:
       annotations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.apiServicesManagement.podLabels }}
       labels:
+      {{- with .Values.apiServicesManagement.podLabels }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- include "reports-server.labels" . | nindent 8 }}
     spec:
       serviceAccount: {{ include "reports-server.serviceAccountName" . }}
       {{- with .Values.apiServicesManagement.podSecurityContext }}

diff --git a/charts/reports-server/templates/pod-disruption-budget.yaml b/charts/reports-server/templates/pod-disruption-budget.yaml
@@ -4,6 +4,8 @@ kind: PodDisruptionBudget
 metadata:
   name: {{ include "reports-server.fullname" . }}
   namespace: {{ $.Release.Namespace }}
+  labels:
+    {{- include "reports-server.labels" . | nindent 4 }}
 spec:
   selector:
     matchLabels:

diff --git a/charts/reports-server/values.yaml b/charts/reports-server/values.yaml
@@ -55,6 +55,9 @@ serviceAccount:
 # -- Pod annotations
 podAnnotations: {}
 
+# -- Labels to add to resources managed by the chart
+commonLabels: {}
+
 # -- Pod security context
 podSecurityContext:
   fsGroup: 2000
@@ -227,7 +230,7 @@ config:
     sslcert: ""
 
 apiServicesManagement:
-  # -- Create a helm hooks delete api services on uninstall
+  # -- Create a helm hooks to delete api services on uninstall
   enabled: true
 
   # -- Install api services in manifest

diff --git a/config/install-etcd.yaml b/config/install-etcd.yaml
@@ -9,6 +9,12 @@ kind: PodDisruptionBudget
 metadata:
   name: reports-server
   namespace: reports-server
+  labels:
+    helm.sh/chart: reports-server-0.1.3
+    app.kubernetes.io/name: reports-server
+    app.kubernetes.io/instance: reports-server
+    app.kubernetes.io/version: "v0.1.3"
+    app.kubernetes.io/managed-by: Helm
 spec:
   selector:
     matchLabels:
@@ -260,8 +266,11 @@ spec:
   template:
     metadata:
       labels:
+        helm.sh/chart: reports-server-0.1.3
         app.kubernetes.io/name: reports-server
         app.kubernetes.io/instance: reports-server
+        app.kubernetes.io/version: "v0.1.3"
+        app.kubernetes.io/managed-by: Helm
     spec:
       priorityClassName: system-cluster-critical
       serviceAccountName: reports-server
@@ -273,6 +282,10 @@ spec:
             - --etcd
             - --etcdSkipTLS
             - --etcdEndpoints=https://etcd-0.etcd.reports-server:2379,https://etcd-1.etcd.reports-server:2379,https://etcd-2.etcd.reports-server:2379
+            - --servicename=reports-server
+            - --servicens=reports-server
+            - --storereports=true
+            - --storeephemeralreports=true
             - --cert-dir=/tmp
             - --secure-port=4443
             - --authorization-always-allow-paths=/metrics

diff --git a/config/install.yaml b/config/install.yaml
@@ -9,6 +9,12 @@ kind: PodDisruptionBudget
 metadata:
   name: reports-server
   namespace: reports-server
+  labels:
+    helm.sh/chart: reports-server-0.1.3
+    app.kubernetes.io/name: reports-server
+    app.kubernetes.io/instance: reports-server
+    app.kubernetes.io/version: "v0.1.3"
+    app.kubernetes.io/managed-by: Helm
 spec:
   selector:
     matchLabels:
@@ -322,8 +328,11 @@ spec:
   template:
     metadata:
       labels:
+        helm.sh/chart: reports-server-0.1.3
         app.kubernetes.io/name: reports-server
         app.kubernetes.io/instance: reports-server
+        app.kubernetes.io/version: "v0.1.3"
+        app.kubernetes.io/managed-by: Helm
     spec:
       priorityClassName: system-cluster-critical
       serviceAccountName: reports-server
@@ -332,11 +341,6 @@ spec:
       containers:
         - name: reports-server
           args:
-            - --dbhost=$(DB_HOST)
-            - --dbport=$(DB_PORT)
-            - --dbuser=$(DB_USER)
-            - --dbpassword=$(DB_PASSWORD)
-            - --dbname=$(DB_DATABASE)
             - --dbsslmode=disable
             - --dbsslrootcert=
             - --dbsslkey=

diff --git a/pkg/app/opts/options.go b/pkg/app/opts/options.go
@@ -3,6 +3,8 @@ package opts
 import (
 	"fmt"
 	"net"
+	"os"
+	"strconv"
 	"strings"
 
 	"github.com/kyverno/reports-server/pkg/api"
@@ -81,11 +83,6 @@ func (o *Options) Flags() (fs flag.NamedFlagSets) {
 	msfs.BoolVar(&o.EtcdConfig.Insecure, "etcdSkipTLS", true, "Skip TLS verification when connecting to etcd")
 	msfs.BoolVar(&o.ShowVersion, "version", false, "Show version")
 	msfs.StringVar(&o.Kubeconfig, "kubeconfig", o.Kubeconfig, "The path to the kubeconfig used to connect to the Kubernetes API server and the Kubelets (defaults to in-cluster config)")
-	msfs.StringVar(&o.DBHost, "dbhost", "reportsdb.kyverno", "Host url of postgres instance")
-	msfs.IntVar(&o.DBPort, "dbport", 5432, "Port of the postgres instance")
-	msfs.StringVar(&o.DBUser, "dbuser", "postgres", "Username to login into postgres")
-	msfs.StringVar(&o.DBPassword, "dbpassword", "password", "Password to login into postgres")
-	msfs.StringVar(&o.DBName, "dbname", "reportsdb", "Name of the database to store policy reports in")
 	msfs.StringVar(&o.DBSSLMode, "dbsslmode", "disable", "SSL mode of the postgres database.")
 	msfs.StringVar(&o.DBSSLRootCert, "dbsslrootcert", "", "Path to database root cert.")
 	msfs.StringVar(&o.DBSSLKey, "dbsslkey", "", "Path to database ssl key.")
@@ -126,6 +123,10 @@ func (o Options) ServerConfig() (*server.Config, error) {
 	if err != nil {
 		return nil, err
 	}
+	err = o.dbConfig()
+	if err != nil {
+		return nil, err
+	}
 
 	dbconfig := &db.PostgresConfig{
 		Host:        o.DBHost,
@@ -214,3 +215,20 @@ func (o Options) restConfig() (*rest.Config, error) {
 	}
 	return config, nil
 }
+
+// dbConfig reads the database configuration directly from environment variables
+// because these configurations contain sensitive data, this is not read directly from command line input,
+// to enable usecases of env variable injection, such as using vault-env
+func (o *Options) dbConfig() error {
+	o.DBHost = os.Getenv("DB_HOST")
+	o.DBName = os.Getenv("DB_DATABASE")
+	o.DBUser = os.Getenv("DB_USER")
+	o.DBPassword = os.Getenv("DB_PASSWORD")
+	dbPort, err := strconv.Atoi(os.Getenv("DB_PORT"))
+	if err != nil {
+		return err
+	} else {
+		o.DBPort = dbPort
+	}
+	return nil
+}