update docs

Signed-off-by: Frank Jogeleit <[email protected]>
kyverno · Sep 11, 2023 · 6e375c3 · 6e375c3
1 parent a349a57
commit 6e375c3
Show file tree

Hide file tree

Showing 11 changed files with 268 additions and 14 deletions.
diff --git a/components/Logo.vue b/components/Logo.vue
@@ -1,5 +1,6 @@
 <template>
-  <nuxt-img src="/logo-light.png" class="light-img" alt="Logo light" />
-  <nuxt-img src="/logo-dark.png" class="dark-img" alt="Logo dark" />
+    <nuxt-img src="/logo-light.png" class="light-img" alt="Logo light" />
+    <nuxt-img src="/logo-dark.png" class="dark-img" alt="Logo dark" />
 </template>
 
+<script setup></script>
diff --git a/content/01. guide/helm-chart-core.md b/content/01. guide/helm-chart-core.md
@@ -58,6 +58,23 @@ rest:
   enabled: true
 ```
 
+### Enable API BasicAuth (since v2.20.0)
+
+It is possible to enable global HTTP Basic Authentication for the API and metric endpoints
+
+```yaml [values.yaml]
+global:
+  basicAuth:
+    # username: username
+    # password: password
+    secretRef: auth-secret
+```
+
+The credentials can be configured directly or as reference to an already existing secret with `username` and `password` key/value pairs.
+
+Policy Reporter UI will automatically do authorized API calls. If `monitoring` is enabled the ServiceMonitor resources will also get the required `basicAuth` configuration.
+
+
 ### Enable Targets / Notification
 
 Policy Reporter supports several targets to which notifications can be sent. You can configure as many targets as you like, and also configure different targets for different priorities or sources (like Kyverno, Kube Bench or Falco). Channels in combination with filters allow you to configure multiple clients of the same type of targets. This is useful, for example, to forward different priorities or results of certain namespaces to a separate Slack channel.
@@ -552,7 +569,7 @@ Use tools like VPN, private Networks or internal Network Load Balancer to expose
 
 By default, the Policy Reporter UI processes only the Policy Reporter REST API running in the same cluster. If you are working in a multi-cluster environment and running Policy Reporter in each cluster, it can be annoying to switch between the different UIs of each cluster. To solve this problem, it is possible to configure additional Policy Reporter REST APIs from external clusters and switch between them as needed.
 
-The APIs must be accessible for Policy Reporter UI, currently no additional authentication is supported. Make sure that you make your APIs available only internally.
+The APIs must be accessible for Policy Reporter UI, currently only HTTP Basic authentication is supported. Make sure that you make your APIs available only internally.
 
 You can use the the `ui.clusterName` configuration to set the name of the default Cluster API, default is `Default`.
 
@@ -566,6 +583,9 @@ ui:
     kyvernoApi: https://kyverno-plugin.external.cluster # (optional) reachable external Policy Reporter Kyverno Plugin REST API
     skipTLS: false                                      # skip SSL verification
     certificate: "/app/certs/root.ca"                   # (optional) path to a mounted root cert for custom signed domains
+    username: username                                  # HTTP BasicAuth Username
+    password: password                                  # HTTP BasicAuth Password
+    secretRef: auth-secret                              # all configuration can also provided as existing secret with the related key/value pairs, except the cluster name.
 ```
 
 ### Kyverno Plugin integration

diff --git a/content/02. core/api-reference.md b/content/02. core/api-reference.md
@@ -943,7 +943,7 @@ curl -X GET "http://localhost:8080/metrics"
 
 * Response `200`
 
-```text
+```
 # HELP cluster_policy_report_result List of all ClusterPolicyReport Results
 # TYPE cluster_policy_report_result gauge
 cluster_policy_report_result{category="",kind="Namespace",name="argo-cd",policy="require-ns-labels",report="clusterpolicyreport",rule="check-for-labels-on-namespace",severity="",status="fail"} 1

diff --git a/content/02. core/config-reference.md b/content/02. core/config-reference.md
@@ -14,6 +14,11 @@ kubeconfig: '~/.kube/config'
 
 api:
   port: 8080
+  logging: false
+  basicAuth:
+    username: ""
+    password: ""
+    secretRef: ""
 
 rest:
   enabled: false
@@ -264,6 +269,46 @@ gcs:
       exclude: []
     channels: []
 
+  googleChat:
+    webhook: ""
+    minimumPriority: ""
+    skipExistingOnStartup: true
+    mountedSecret: ""
+    secretRef: ""
+    sources: []
+    filter:
+      namespaces:
+        include: []
+        exclude: []
+      policies:
+        include: []
+        exclude: []
+      priorities:
+        include: []
+        exclude: []
+      channels: []
+
+  telegram:
+    token: ""
+    chatID: ""
+    host: "" # optional proxy host
+    minimumPriority: ""
+    skipExistingOnStartup: true
+    mountedSecret: ""
+    secretRef: ""
+    sources: []
+    filter:
+      namespaces:
+        include: []
+        exclude: []
+      policies:
+        include: []
+        exclude: []
+      priorities:
+        include: []
+        exclude: []
+      channels: []
+
 emailReports:
   clusterName: ""
   smtp:

diff --git a/content/02. core/targets.md b/content/02. core/targets.md
@@ -698,6 +698,92 @@ gcs:
 }
 ```
 
+## Telegram
+
+Send new PolicyReportResults with all available information to Telegram Bot API.
+
+### Example
+
+The minimal configuration for Telegram requires a `chatID` and bot `token`.
+
+```yaml
+telegram:
+  chatID: "XXX"
+  token: "XXXX"
+  minimumPriority: "warning"
+  skipExistingOnStartup: true
+```
+
+### Channel Example
+
+Channels uses the same `token`, `minimumPriority` and `skipExistingOnStartup` configuration as the root target if not defined.
+
+#### Send notification based on namespace prefix to a dedicated GoogleChat Group
+
+```yaml
+telegram:
+  token: "XXXX"
+  minimumPriority: "warning"
+  skipExistingOnStartup: true
+  channels:
+  - chatID: "XXX1"
+    filter:
+      namespaces:
+        include: ["team-a-*"]
+  - chatID: "XXX2"
+    filter:
+      namespaces:
+        include: ["team-b-*"]
+```
+
+### Screenshot
+<a href="/images/targets/telegram.png" target="_blank">
+    <nuxt-img src="/images/targets/telegram.png" style="border: 1px solid #555" alt="Telegram Notification for a PolicyReportResult"></nuxt-img>
+</a>
+
+## Google Chat
+
+Send new PolicyReportResults with all available information to the GoogleChat API.
+
+### Example
+
+The minimal configuration for GoogleChat requires a valid and accessible webhook URL.
+
+```yaml
+googleChat:
+  webhook: "https://chat.googleapis.com/v1/spaces/XXX/messages?key=XXX&token=XXX"
+  minimumPriority: "critical"
+  skipExistingOnStartup: true
+  sources:
+  - kyverno
+```
+
+### Channel Example
+
+Channels uses the same `minimumPriority` and `skipExistingOnStartup` configuration as the root target if not defined.
+
+#### Send notification based on namespace prefix to a dedicated GoogleChat Group
+
+```yaml
+googleChat:
+  minimumPriority: "warning"
+  skipExistingOnStartup: true
+  channels:
+  - webhook: "https://chat.googleapis.com/v1/spaces/XXX1/messages?key=XXX&token=XXX"
+    filter:
+      namespaces:
+        include: ["team-a-*"]
+  - webhook: "https://chat.googleapis.com/v1/spaces/XXX2/messages?key=XXX&token=XXX"
+    filter:
+      namespaces:
+        include: ["team-b-*"]
+```
+
+### Screenshot
+<a href="/images/targets/google-chat.png" target="_blank">
+    <nuxt-img src="/images/targets/google-chat.png" style="border: 1px solid #555" alt="GoogleChat Notification for a PolicyReportResult"></nuxt-img>
+</a>
+
 ## Configuration Reference
 
 ::code-group
@@ -903,6 +989,46 @@ gcs:
           include: []
           exclude: []
         channels: []
+
+    googleChat:
+      webhook: ""
+      minimumPriority: ""
+      skipExistingOnStartup: true
+      mountedSecret: ""
+      secretRef: ""
+      sources: []
+      filter:
+        namespaces:
+          include: []
+          exclude: []
+        policies:
+          include: []
+          exclude: []
+        priorities:
+          include: []
+          exclude: []
+        channels: []
+
+    telegram:
+      token: ""
+      chatID: ""
+      host: ""
+      minimumPriority: ""
+      skipExistingOnStartup: true
+      mountedSecret: ""
+      secretRef: ""
+      sources: []
+      filter:
+        namespaces:
+          include: []
+          exclude: []
+        policies:
+          include: []
+          exclude: []
+        priorities:
+          include: []
+          exclude: []
+        channels: []
   ```
 
   ```yaml [config.yaml]
@@ -1103,6 +1229,45 @@ gcs:
         include: []
         exclude: []
       channels: []
+
+  googleChat:
+    webhook: ""
+    minimumPriority: ""
+    skipExistingOnStartup: true
+    mountedSecret: ""
+    secretRef: ""
+    sources: []
+    filter:
+      namespaces:
+        include: []
+        exclude: []
+      policies:
+        include: []
+        exclude: []
+      priorities:
+        include: []
+        exclude: []
+      channels: []
+
+  telegram:
+    token: ""
+    chatID: ""
+    host: ""
+    minimumPriority: ""
+    skipExistingOnStartup: true
+    mountedSecret: ""
+    secretRef: ""
+    sources: []
+    filter:
+      namespaces:
+        include: []
+        exclude: []
+      policies:
+        include: []
+        exclude: []
+      priorities:
+        include: []
+        exclude: []
+      channels: []
   ```
 ::
-</code-group>
diff --git a/content/03. ui/config-reference.md b/content/03. ui/config-reference.md
@@ -10,6 +10,17 @@ category: 'Policy Reporter UI'
 Configuration file reference with all possible options.
 
 ```yaml
+apiConfig:
+  # enable API debug logging
+  logging: false
+  # set forward and origin headers
+  overwriteHost: false
+  # authorize API calls against HTTP Basic authenticated API calls
+  basicAuth:
+    username: ""
+    password: ""
+    secretRef: "" # get username/password from existing secret
+
 logSize: 200
 displayMode: "" # Possible options: "dark" / "light"
 
@@ -22,6 +33,9 @@ clusters:
  - name: External Cluster                              # name used for the selection of the Cluster
    api: https://policy-reporter.external.cluster       # reachable external Policy Reporter REST API
    kyvernoApi: https://kyverno-plugin.external.cluster # (optional) reachable external Policy Reporter Kyverno Plugin REST API
+    username: username                                  # HTTP BasicAuth Username
+    password: password                                  # HTTP BasicAuth Password
+    secretRef: auth-secret                              # all configuration can also provided as existing secret with the related key/value pairs, except the cluster name.
 
 views:
   # information shown on the overall dashboard / index page

diff --git a/content/04. kyverno-plugin/api-reference.md b/content/04. kyverno-plugin/api-reference.md
@@ -183,7 +183,7 @@ curl -X GET "http://localhost:8080/metrics"
 
 * Response `200`
 
-```text
+```
 # HELP policy_report_kyverno_policy List of all Policies
 # TYPE policy_report_kyverno_policy gauge
 kyverno_policy{background="true",category="",kind="ClusterPolicy",namespace="",policy="require-ns-labels",rule="check-for-labels-on-namespace",severity="",type="validation",validationFailureAction="audit"} 1

diff --git a/content/04. kyverno-plugin/config-reference.md b/content/04. kyverno-plugin/config-reference.md
@@ -14,6 +14,11 @@ kubeconfig: '~/.kube/config'
 
 api:
   port: 8080
+  # HTTP Basic Authentication for APIs and metrics endpoints
+  basicAuth:
+    username: ""
+    password: ""
+    secretRef: ""
 
 rest:
   enabled: false