Initial release

Author: flavio

.github/workflows/helm-chart-release.yml

@@ -0,0 +1,58 @@
+# This action releases the chimera-controller helm chart
+# The action must run on each commit done against master, however
+# a new release will be performed **only** when a change occurs inside
+# of the `charts` directory.
+#
+# When the helm chart is changed, this action will:
+#   * Create a new GitHub release named: chimera-controller-chart
+#   * This release has a chimera-controller-chart.tar.gz asset associated with
+#     it. This is the actual helm chart
+#   * Update the `index.yaml` file inside of the `gh-pages` branch. This is the
+#     index of the helm chart repository, which we serve through GitHub pages
+#
+# = FAQ
+#
+# == Why don't we run this action only when a tag like `v*` is created?
+#
+# Running the action only when a "release tag" is created will not produce
+# a helm chart. That happens because the code which determines if something
+# changed inside of the `charts` directory will not find any changes.
+#
+# == The action is just a "wrapper" around the official `github.com/helm/chart-releaser` tool, can't we just create our own action?
+#
+# Yes, we even got that to work. However, what we really want to do is the
+# ability to tag the releases of the chimera-controller and its helm chart
+# in an independent way. Which what the official GitHub action already does.
+
+name: Release helm chart
+
+on:
+  push:
+    branches:
+    - main
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "[email protected]"
+
+      - name: Install Helm
+        uses: azure/setup-helm@v1
+        with:
+          version: v3.4.0
+
+      - name: Run chart-releaser
+        uses: helm/[email protected]
+        with:
+          charts_dir: charts
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

charts/chimera-controller/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/chimera-controller/Chart.yaml

@@ -0,0 +1,16 @@
+apiVersion: v2
+name: chimera-controller
+description: A Helm chart for deploying the Chimera stack
+
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.1.0"

charts/chimera-controller/crds/admissionpolicies.yaml

@@ -0,0 +1,75 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.1
+  creationTimestamp: null
+  name: admissionpolicies.chimera.suse.com
+spec:
+  group: chimera.suse.com
+  names:
+    kind: AdmissionPolicy
+    listKind: AdmissionPolicyList
+    plural: admissionpolicies
+    singular: admissionpolicy
+  scope: Cluster
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: AdmissionPolicy is the Schema for the admissionpolicies API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: AdmissionPolicySpec defines the desired state of AdmissionPolicy
+            properties:
+              apiGroups:
+                description: APIGroups is a list of API groups that this webhook should be registered against. Empty array or "*" means everything.
+                items:
+                  type: string
+                type: array
+              apiVersions:
+                description: APIVersions is a list of API versions that this webhook should be registered against. Empty array or "*" means everything.
+                items:
+                  type: string
+                type: array
+              failurePolicy:
+                description: FailurePolicy defines how unrecognized errors and timeout errors from the policy are handled. Allowed values are "Ignore" or "Fail". * "Ignore" means that an error calling the webhook is ignored and the API   request is allowed to continue. * "Fail" means that an error calling the webhook causes the admission to   fail and the API request to be rejected. The default behaviour is "Fail"
+                type: string
+              module:
+                description: Module is the location of the WASM module to be loaded. Can be a local file (file://), a remote file served by an HTTP server (http://, https://), or an artifact served by an OCI-compatible registry (registry://).
+                type: string
+              operations:
+                description: Operations is a list of operations that this webhook should be registered against. Empty array or "*" means everything.
+                items:
+                  type: string
+                type: array
+              resources:
+                description: Resources is a list of resource types that this webhook should be registered against. Empty array or "*" means everything.
+                items:
+                  type: string
+                type: array
+              settings:
+                description: 'Settings is a free-form object that contains the policy configuration values. x-kubernetes-embedded-resource: false'
+                type: object
+                x-kubernetes-preserve-unknown-fields: true
+            type: object
+          status:
+            description: AdmissionPolicyStatus defines the observed state of AdmissionPolicy
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

charts/chimera-controller/templates/NOTES.txt

@@ -0,0 +1,6 @@
+chimera-controller installed.
+
+You can start defining chimera policies by using the `admissionpolicies.chimera.suse.com`
+resource.
+
+For more information checkout https://chimera-kube.github.io/

charts/chimera-controller/templates/_helpers.tpl

@@ -0,0 +1,58 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "chimera-controller.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "chimera-controller.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "chimera-controller.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "chimera-controller.labels" -}}
+helm.sh/chart: {{ include "chimera-controller.chart" . }}
+{{ include "chimera-controller.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "chimera-controller.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "chimera-controller.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "chimera-controller.serviceAccountName" -}}
+{{- include "chimera-controller.fullname" . }}
+{{- end }}

charts/chimera-controller/templates/configmap.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: policy-server
+data:
+  replicas: {{ .Values.policyServer.replicaCount | default 1 }}
+  image: {{ .Values.policyServer.image.repository  }}:{{ .Values.policyServer.image.tag }}
+

charts/chimera-controller/templates/deployment.yaml

@@ -0,0 +1,65 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "chimera-controller.fullname" . }}
+  labels:
+    {{- include "chimera-controller.labels" . | nindent 4 }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      {{- include "chimera-controller.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "chimera-controller.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "chimera-controller.serviceAccountName" . }}
+      containers:
+      - name: kube-rbac-proxy
+        args:
+        - --secure-listen-address=0.0.0.0:8443
+        - --upstream=http://127.0.0.1:8080/
+        - --logtostderr=true
+        - --v=10
+        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
+        ports:
+        - containerPort: 8443
+          name: https
+      - name: manager
+        args:
+        - --metrics-addr=127.0.0.1:8080
+        - --enable-leader-election
+        - --deployments-namespace={{ .Release.Namespace }}
+        command:
+        - /manager
+        image: '{{ .Values.image.repository | default "ghcr.io/chimera-kube/chimera-controller" }}:{{ .Values.image.tag | default .Chart.AppVersion }}'
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        resources:
+          limits:
+            cpu: 100m
+            memory: 30Mi
+          requests:
+            cpu: 100m
+            memory: 20Mi
+      terminationGracePeriodSeconds: 10
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}