Improve Helm Charts (#13)

* Refactoring helm chart policy-report * fix variable * refactoring policy-report-ui * fixed spaces * fixed service account * moved backend to global variable * added policyPriorities Co-authored-by: yuriydzobak <yurii.dzobak@lotusflare.com>
2024-12-14 11:57:32 +00:00 · 2021-03-17 01:05:13 +02:00 · 2021-03-17 01:05:13 +02:00 · 8c30dfdb17
commit 8c30dfdb17
parent b71128448d
17 changed files with 319 additions and 35 deletions
--- a/charts/policy-reporter/Chart.yaml
+++ b/charts/policy-reporter/Chart.yaml
@ -1,13 +1,15 @@
 apiVersion: v2
 name: policy-reporter
-description: K8s PolicyReporter watches for wgpolicyk8s.io/v1alpha1.PolicyReport resources. It creates Prometheus Metrics and can send rule validation events to different targets like Loki, Elasticsearch, Slack or Discord
+description: |
+  K8s PolicyReporter watches for wgpolicyk8s.io/v1alpha1.PolicyReport resources.
+  It creates Prometheus Metrics and can send rule validation events to different targets like Loki, Elasticsearch, Slack or Discord

 type: application
-version: 0.16.2
+version: 0.17.0
 appVersion: 0.12.0

 dependencies:
  - name: monitoring
    condition: monitoring.enabled
  - name: policy-reporter-ui
-    condition: ui.enabled
+    condition: ui.enabled
--- a/charts/policy-reporter/charts/policy-reporter-ui/Chart.yaml
+++ b/charts/policy-reporter/charts/policy-reporter-ui/Chart.yaml
@ -3,5 +3,5 @@ name: policy-reporter-ui
 description: Policy Reporter UI

 type: application
-version: 0.3.0
+version: 0.3.1
 appVersion: 0.3.0
--- a/charts/policy-reporter/charts/policy-reporter-ui/templates/_helpers.tpl
+++ b/charts/policy-reporter/charts/policy-reporter-ui/templates/_helpers.tpl
@ -47,5 +47,9 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 Create the name of the service account to use
 */}}
 {{- define "ui.serviceAccountName" -}}
-{{ include "ui.fullname" . }}-sa
+{{- if .Values.serviceAccount.create }}
+{{- default (include "ui.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
 {{- end }}
--- a/charts/policy-reporter/charts/policy-reporter-ui/templates/deployment.yaml
+++ b/charts/policy-reporter/charts/policy-reporter-ui/templates/deployment.yaml
@ -5,7 +5,11 @@ metadata:
  labels:
    {{- include "ui.labels" . | nindent 4 }}
 spec:
-  replicas: 1
+  replicas: {{ .Values.replicaCount }}
+  {{- if .Values.deploymentStrategy }}
+  strategy:
+    {{- toYaml .Values.deploymentStrategy | nindent 4 }}
+  {{- end }}
  selector:
    matchLabels:
      {{- include "ui.selectorLabels" . | nindent 6 }}
@ -13,6 +17,15 @@ spec:
    metadata:
      labels:
        {{- include "ui.selectorLabels" . | nindent 8 }}
+{{- range $key, $value := $.Values.podLabels }}
+        {{ $key }}: {{ $value | quote }}
+{{- end }}
+      {{- if .Values.podAnnotations }}
+      annotations:
+{{- range $key, $value := $.Values.podAnnotations }}
+        {{ $key }}: {{ $value | quote }}
+{{- end }}
+      {{- end }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
@ -24,8 +37,12 @@ spec:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if .Values.securityContext }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          {{- end }}
          args:
-            - -backend={{ .Values.backend }}
+            - -backend=http://{{ .Values.global.backend }}:{{ .Values.global.port }}
          ports:
            - name: http
              containerPort: 8080
@ -40,3 +57,15 @@ spec:
              port: http
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
--- a/charts/policy-reporter/charts/policy-reporter-ui/templates/ingress.yaml
+++ b/charts/policy-reporter/charts/policy-reporter-ui/templates/ingress.yaml
@ -0,0 +1,44 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "ui.fullname" . -}}
+{{- $servicePort := .Values.service.port -}}
+{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ include "ui.fullname" . }}
+  labels:
+    {{- include "ui.selectorLabels" . | nindent 4 }}
+{{- range $key, $value := $.Values.ingress.labels }}
+    {{ $key }}: {{ $value | quote }}
+{{- end }}
+  annotations:
+{{- range $key, $value := $.Values.ingress.annotations }}
+    {{ $key }}: {{ $value | quote }}
+{{- end }}
+spec:
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ . }}
+            backend:
+              serviceName: {{ $fullName }}
+              servicePort: {{ $servicePort }}
+          {{- end }}
+    {{- end }}
+  {{- end }}
--- a/charts/policy-reporter/charts/policy-reporter-ui/templates/service.yaml
+++ b/charts/policy-reporter/charts/policy-reporter-ui/templates/service.yaml
@ -1,15 +1,24 @@
+{{- if .Values.service.enabled -}}
 apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "ui.fullname" . }}
  labels:
    {{- include "ui.labels" . | nindent 4 }}
+{{- range $key, $value := $.Values.service.labels }}
+    {{ $key }}: {{ $value | quote }}
+{{- end }}
+  annotations:
+{{- range $key, $value := $.Values.service.annotations }}
+    {{ $key }}: {{ $value | quote }}
+{{- end }}
 spec:
-  type: ClusterIP
+  type: {{ .Values.service.type }}
  ports:
-    - port: 8080
+    - port: {{ .Values.service.port }}
      targetPort: http
      protocol: TCP
      name: http
  selector:
    {{- include "ui.selectorLabels" . | nindent 4 }}
+{{- end }}
--- a/charts/policy-reporter/charts/policy-reporter-ui/templates/serviceaccount.yaml
+++ b/charts/policy-reporter/charts/policy-reporter-ui/templates/serviceaccount.yaml
@ -1,6 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ include "ui.serviceAccountName" . }}
  labels:
    {{- include "ui.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
--- a/charts/policy-reporter/charts/policy-reporter-ui/values.yaml
+++ b/charts/policy-reporter/charts/policy-reporter-ui/values.yaml
@ -7,12 +7,72 @@ image:

 imagePullSecrets: []

-backend: http://policy-reporter:8080
+replicaCount: 1

-resources:
-  requests:
-    memory: 50Mi
-    cpu: 10m
-  limits:
-    memory: 100Mi
-    cpu: 50m
+deploymentStrategy: {}
+  # rollingUpdate:
+  #  maxSurge: 25%
+  #  maxUnavailable: 25%
+  # type: RollingUpdate
+
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+# Key/value pairs that are attached to pods.
+podAnnotations: {}
+
+# Key/value pairs that are attached to pods.
+podLabels: {}
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   memory: 100Mi
+  #   cpu: 50m
+  # requests:
+  #   memory: 50Mi
+  #   cpu: 10m
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: false
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+service:
+  enabled: true
+  ## configuration of service
+  # key/value
+  annotations: {}
+  # key/value
+  labels: {}
+  type: ClusterIP
+  # integer nubmer. This is port for service
+  port: 8080
+
+## Set to true to enable ingress record generation
+# ref to: https://kubernetes.io/docs/concepts/services-networking/ingress/
+ingress:
+  enabled: false
+  # key/value
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+  hosts:
+    - host: chart-example.local
+      paths: []
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - chart-example.local
--- a/charts/policy-reporter/templates/_helpers.tpl
+++ b/charts/policy-reporter/templates/_helpers.tpl
@ -47,5 +47,9 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 Create the name of the service account to use
 */}}
 {{- define "policyreporter.serviceAccountName" -}}
-{{ include "policyreporter.fullname" . }}-sa
+{{- if .Values.serviceAccount.create }}
+{{- default (include "policyreporter.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
 {{- end }}
--- a/charts/policy-reporter/templates/clusterrole.yaml
+++ b/charts/policy-reporter/templates/clusterrole.yaml
@ -1,3 +1,4 @@
+{{- if .Values.serviceAccount.create -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@ -16,3 +17,4 @@ rules:
  - get
  - list
  - watch
+{{- end -}}
--- a/charts/policy-reporter/templates/clusterrolebinding.yaml
+++ b/charts/policy-reporter/templates/clusterrolebinding.yaml
@ -1,3 +1,4 @@
+{{- if .Values.rbac.enabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@ -10,3 +11,4 @@ subjects:
 - kind: "ServiceAccount"
  name: {{ include "policyreporter.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
+{{- end -}}
--- a/charts/policy-reporter/templates/deployment.yaml
+++ b/charts/policy-reporter/templates/deployment.yaml
@ -4,12 +4,16 @@ metadata:
  name: {{ include "policyreporter.fullname" . }}
  labels:
    {{- include "policyreporter.labels" . | nindent 4 }}
-  {{- if .Values.deployment.annotations }}
+  {{- if .Values.annotations }}
  annotations:
-    {{- toYaml .Values.deployment.annotations | nindent 4 }} 
+    {{- toYaml .Values.annotations | nindent 4 }}
  {{- end }}
 spec:
-  replicas: 1
+  replicas: {{ .Values.replicaCount }}
+  {{- if .Values.deploymentStrategy }}
+  strategy:
+    {{- toYaml .Values.deploymentStrategy | nindent 4 }}
+  {{- end }}
  selector:
    matchLabels:
      {{- include "policyreporter.selectorLabels" . | nindent 6 }}
@ -17,8 +21,14 @@ spec:
    metadata:
      labels:
        {{- include "policyreporter.selectorLabels" . | nindent 8 }}
+{{- range $key, $value := $.Values.podLabels }}
+        {{ $key }}: {{ $value | quote }}
+{{- end }}
      annotations:
-        checksum/secret: {{ include (print $.Template.BasePath "/targetssecret.yaml") . | sha256sum }}
+        checksum/secret: {{ include (print $.Template.BasePath "/targetssecret.yaml") . | sha256sum | quote }}
+{{- range $key, $value := $.Values.podAnnotations }}
+        {{ $key }}: {{ $value | quote }}
+{{- end }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
@ -30,6 +40,10 @@ spec:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if .Values.securityContext }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          {{- end }}
          args:
            - --config=/app/config.yaml
            {{- if or .Values.api.enabled .Values.ui.enabled }}
@ -66,3 +80,15 @@ spec:
        secret:
          secretName: {{ include "policyreporter.fullname" . }}-targets
          optional: true
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
--- a/charts/policy-reporter/templates/role.yaml
+++ b/charts/policy-reporter/templates/role.yaml
@ -1,3 +1,4 @@
+{{- if .Values.policyPriorities.enabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@ -11,3 +12,4 @@ rules:
  - get
  - list
  - watch
+{{- end }}
--- a/charts/policy-reporter/templates/rolebinding.yaml
+++ b/charts/policy-reporter/templates/rolebinding.yaml
@ -1,3 +1,4 @@
+{{- if .Values.policyPriorities.enabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@ -10,3 +11,4 @@ subjects:
 - kind: "ServiceAccount"
  name: {{ include "policyreporter.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
+{{- end }}
--- a/charts/policy-reporter/templates/service.yaml
+++ b/charts/policy-reporter/templates/service.yaml
@ -1,21 +1,32 @@
+{{- $apiEnabled := .Values.api.enabled -}}
+{{- $uiEnabled := .Values.ui.enabled -}}
+{{- if .Values.service.enabled -}}
 apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "policyreporter.fullname" . }}
  labels:
    {{- include "policyreporter.labels" . | nindent 4 }}
+{{- range $key, $value := $.Values.service.labels }}
+    {{ $key }}: {{ $value | quote }}
+{{- end }}
+  annotations:
+{{- range $key, $value := $.Values.service.annotations }}
+    {{ $key }}: {{ $value | quote }}
+{{- end }}
 spec:
-  type: ClusterIP
+  type: {{ .Values.service.type }}
  ports:
-    - port: 2112
+    - port: {{ .Values.service.port }}
      targetPort: http
      protocol: TCP
      name: http
-    {{- if or .Values.api.enabled .Values.ui.enabled }}
-    - port: 8080
+    {{- if or $apiEnabled $uiEnabled }}
+    - port: {{ .Values.global.port }}
      targetPort: rest
      protocol: TCP
      name: rest
    {{- end }}
  selector:
    {{- include "policyreporter.selectorLabels" . | nindent 4 }}
+{{- end }}
--- a/charts/policy-reporter/templates/serviceaccount.yaml
+++ b/charts/policy-reporter/templates/serviceaccount.yaml
@ -1,6 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ include "policyreporter.serviceAccountName" . }}
  labels:
    {{- include "policyreporter.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
--- a/charts/policy-reporter/values.yaml
+++ b/charts/policy-reporter/values.yaml
@ -5,16 +5,66 @@ image:

 imagePullSecrets: []

-deployment:
-  annotations: {}
+replicaCount: 1

-resources:
-  requests:
-    memory: 20Mi
-    cpu: 5m
-  limits:
-    memory: 30Mi
-    cpu: 10m
+deploymentStrategy: {}
+  # rollingUpdate:
+  #  maxSurge: 25%
+  #  maxUnavailable: 25%
+  # type: RollingUpdate
+
+# Key/value pairs that are attached to Deployment.
+annotations: {}
+
+# Create cluster role policies
+rbac:
+  enabled: true
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+service:
+  enabled: true
+  ## configuration of service
+  # key/value
+  annotations: {}
+  # key/value
+  labels: {}
+  type: ClusterIP
+  # integer nubmer. This is port for service
+  port: 2112
+
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+# Key/value pairs that are attached to pods.
+podAnnotations: {}
+
+# Key/value pairs that are attached to pods.
+podLabels: {}
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   memory: 30Mi
+  #   cpu: 10m
+  # requests:
+  #   memory: 20Mi
+  #   cpu: 5m

 monitoring:
  enabled: false
@ -24,9 +74,19 @@ monitoring:
    # labels to match the serviceMonitorSelector of the Prometheus Resource
    labels: {}

+global:
+  # The name of service policy-report. If you changed ReleaseName you have to replace it
+  backend: policy-reporter
+  # Service Port number
+  port: 8080
+
 api:
  enabled: false

+# Policy Priorities
+policyPriorities:
+  enabled: false
+
 loki:
  # loki host address
  host: ""
@ -63,3 +123,18 @@ discord:
  minimumPriority: ""
  # Skip already existing PolicyReportResults on startup
  skipExistingOnStartup: true
+
+# Node labels for pod assignment
+# ref: https://kubernetes.io/docs/user-guide/node-selection/
+nodeSelector: {}
+
+# Tolerations for pod assignment
+# ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+tolerations: []
+
+# Anti-affinity to disallow deploying client and master nodes on the same worker node
+affinity: {}
+
+# enable policy-report-ui
+ui:
+  enabled: false