From 306a2e47d9b27ce2d4e7da9aab7fe49bea2da37e Mon Sep 17 00:00:00 2001 From: raffis Date: Thu, 9 Jan 2025 10:03:23 +0100 Subject: [PATCH] fix(reports-controller): add a flag to disable reports sanity checks (#11867) * fix(reports-controller): remove crd sanity check Signed-off-by: Raffael Sahli * feat: add a flag to disable reports sanity checks Signed-off-by: Vishal Choudhary * feat: add changelog Signed-off-by: Vishal Choudhary --------- Signed-off-by: Raffael Sahli Signed-off-by: Vishal Choudhary Co-authored-by: Vishal Choudhary Co-authored-by: shuting --- charts/kyverno/Chart.yaml | 2 ++ charts/kyverno/README.md | 1 + charts/kyverno/templates/reports-controller/deployment.yaml | 5 ++++- charts/kyverno/values.yaml | 3 +++ cmd/reports-controller/main.go | 6 +++++- config/install-latest-testing.yaml | 1 - 6 files changed, 15 insertions(+), 3 deletions(-) diff --git a/charts/kyverno/Chart.yaml b/charts/kyverno/Chart.yaml index 9f6ea405fb..359ac5e674 100644 --- a/charts/kyverno/Chart.yaml +++ b/charts/kyverno/Chart.yaml @@ -37,6 +37,8 @@ annotations: description: fix validation error in validate.yaml - kind: fixed description: fixed global image registry config by introducing *.image.defaultRegistry. + - kind: added + description: added a new option .reportsController.sanityChecks to disable checks for policy reports crds dependencies: - name: grafana version: v0.0.0 diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md index 9a77abac13..659c68c9d4 100644 --- a/charts/kyverno/README.md +++ b/charts/kyverno/README.md @@ -702,6 +702,7 @@ The chart values are organised per component. | reportsController.profiling.port | int | `6060` | Profiling endpoint port | | reportsController.profiling.serviceType | string | `"ClusterIP"` | Service type. | | reportsController.profiling.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. | +| reportsController.sanityChecks | bool | `true` | Enable sanity check for reports CRDs | ### Grafana 
diff --git a/charts/kyverno/templates/reports-controller/deployment.yaml b/charts/kyverno/templates/reports-controller/deployment.yaml index 3498072493..e62d0e9f35 100644 --- a/charts/kyverno/templates/reports-controller/deployment.yaml +++ b/charts/kyverno/templates/reports-controller/deployment.yaml @@ -140,10 +140,13 @@ spec: - --{{ $key }}={{ $value }} {{- end }} {{- end }} - {{ if .Values.reportsController.profiling.enabled }} + {{- if .Values.reportsController.profiling.enabled }} - --profile=true - --profilePort={{ .Values.reportsController.profiling.port }} {{- end }} + {{- if not .Values.reportsController.sanityChecks }} + - --reportsCRDsSanityChecks=false + {{- end }} env: - name: KYVERNO_SERVICEACCOUNT_NAME value: {{ template "kyverno.reports-controller.serviceAccountName" . }} diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml index f26c97371a..8ebbb63e79 100644 --- a/charts/kyverno/values.yaml +++ b/charts/kyverno/values.yaml @@ -2061,3 +2061,6 @@ reportsController: # -- Service node port. # Only used if `type` is `NodePort`. nodePort: + + # -- Enable sanity check for reports CRDs + sanityChecks: true diff --git a/cmd/reports-controller/main.go b/cmd/reports-controller/main.go index 3e5cbdd5c3..9242cb36fa 100644 --- a/cmd/reports-controller/main.go +++ b/cmd/reports-controller/main.go @@ -196,6 +196,7 @@ func main() { aggregateReports bool policyReports bool validatingAdmissionPolicyReports bool + reportsCRDsSanityChecks bool backgroundScanWorkers int backgroundScanInterval time.Duration aggregationWorkers int 
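Review bot: An unset or null `reportsController.sanityChecks` renders `--reportsCRDsSanityChecks=false` in the deployment.yaml hunk, because `not` treats a missing value as false, so the check is switched off by omission rather than by an explicit choice. The chart default in values.yaml covers the normal case, but a values override that nulls the key would fail open. Testing for an explicit false keeps the default strict, for example `{{- if eq (toString .Values.reportsController.sanityChecks) "false" }}`.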
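Review bot: The values.yaml comment `Enable sanity check for reports CRDs` does not say what `false` does. Going by the main.go hunk of this commit, the check still runs and its failure is logged; only the exit is skipped. I would spell that out, e.g. `# -- Exit at startup when the reports CRDs sanity check fails. When false, the failure is only logged and the controller keeps running.` The `reportsCRDsSanityChecks` help string in cmd/reports-controller/main.go and the README row carry the same wording and should be brought in line.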
@@ -219,6 +220,7 @@ func main() { flagset.BoolVar(&skipResourceFilters, "skipResourceFilters", true, "If true, resource filters wont be considered.") flagset.Int64Var(&maxAPICallResponseLength, "maxAPICallResponseLength", 2*1000*1000, "Maximum allowed response size from API Calls. A value of 0 bypasses checks (not recommended).") flagset.IntVar(&maxBackgroundReports, "maxBackgroundReports", 10000, "Maximum number of ephemeralreports created for the background policies before we stop creating new ones") + flagset.BoolVar(&reportsCRDsSanityChecks, "reportsCRDsSanityChecks", true, "Enable or disable sanity checks for policy reports and ephemeral reports CRDs.") // config appConfig := internal.NewConfiguration( internal.WithProfiling(), @@ -257,7 +259,9 @@ func main() { kyamlopenapi.Schema() if err := sanityChecks(setup.ApiServerClient); err != nil { setup.Logger.Error(err, "sanity checks failed") - os.Exit(1) + if reportsCRDsSanityChecks { + os.Exit(1) + } } setup.Logger.Info("background scan interval", "duration", backgroundScanInterval.String()) // check if validating admission policies are registered in the API server diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index 19492a9893..8498aa6ee5 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml @@ -52241,7 +52241,6 @@ spec: - --allowInsecureRegistry=false - --registryCredentialHelpers=default,google,amazon,azure,github - --enableReporting=validate,mutate,mutateExisting,imageVerify,generate - env: - name: KYVERNO_SERVICEACCOUNT_NAME value: kyverno-reports-controller
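Review bot: With `reportsCRDsSanityChecks` false, a failed check leaves only the same `sanity checks failed` error line that used to precede the exit, and nothing tells an operator that the controller carried on without the check having passed. A second line inside the `err != nil` branch, after the `if reportsCRDsSanityChecks` block, would make the degraded start visible and alertable: `setup.Logger.Info("continuing despite failed sanity checks", "reportsCRDsSanityChecks", false)`. The flag also gates everything `sanityChecks` returns. That function is outside the hunk, so if it ever checks more than the reports CRDs, the flag would mask those failures too. `main` continues beyond the hunk.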