diff --git a/.github/workflows/conformance-tests.yaml b/.github/workflows/conformance-tests.yaml index dbf227b..0be1c3a 100644 --- a/.github/workflows/conformance-tests.yaml +++ b/.github/workflows/conformance-tests.yaml @@ -42,6 +42,11 @@ jobs: uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: ~1.21.1 + - name: Install helm + id: helm + uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 + with: + token: ${{ secrets.GITHUB_TOKEN }} - name: Install Tools run: | set -e @@ -64,8 +69,8 @@ jobs: - name: Install report server testing run: | set -e - kubectl create ns reports-server - kubectl create -f ./config/debug.yaml + export HELM=${{ steps.helm.outputs.helm-path }} + make kind-install - name: Wait for report server ready run: | set -e diff --git a/Makefile b/Makefile index d697ed6..43b1fe5 100644 --- a/Makefile +++ b/Makefile @@ -141,19 +141,11 @@ codegen-install-manifest: $(HELM) ## Create install manifest | $(SED) -e '/^#.*/d' \ > ./config/install.yaml -.PHONY: codegen-manifest-debug -codegen-debug-manifest: $(HELM) ## Create debug manifest - @echo Generate debug manifest... >&2 - @$(HELM) template reports-server --namespace reports-server ./charts/reports-server/ --set image.tag=latest \ - | $(SED) -e '/^#.*/d' \ - > ./config/debug.yaml - .PHONY: codegen codegen: ## Rebuild all generated code and docs codegen: codegen-helm-docs codegen: codegen-openapi codegen: codegen-install-manifest -codegen: codegen-debug-manifest .PHONY: verify-codegen verify-codegen: codegen ## Verify all generated code and docs are up to date diff --git a/config/debug.yaml b/config/debug.yaml deleted file mode 100644 index 6f3717c..0000000 --- a/config/debug.yaml +++ /dev/null @@ -1,515 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: reports-server-postgresql - namespace: "reports-server" - labels: - app.kubernetes.io/instance: reports-server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: postgresql - app.kubernetes.io/version: 16.1.0 - helm.sh/chart: postgresql-13.4.1 -automountServiceAccountToken: false ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: reports-server - namespace: reports-server - labels: - helm.sh/chart: reports-server-0.0.1 - app.kubernetes.io/name: reports-server - app.kubernetes.io/instance: reports-server - app.kubernetes.io/version: "v0.0.1" - app.kubernetes.io/managed-by: Helm ---- -apiVersion: v1 -kind: Secret -metadata: - name: reports-server-postgresql - namespace: "reports-server" - labels: - app.kubernetes.io/instance: reports-server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: postgresql - app.kubernetes.io/version: 16.1.0 - helm.sh/chart: postgresql-13.4.1 -type: Opaque -data: - postgres-password: "cmVwb3J0cw==" - # We don't auto-generate LDAP password when it's not provided as we do for other passwords ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: -metadata: - name: reports-server - labels: - rbac.authorization.k8s.io/aggregate-to-admin: 'true' - rbac.authorization.k8s.io/aggregate-to-edit: 'true' - rbac.authorization.k8s.io/aggregate-to-view: 'true' - helm.sh/chart: reports-server-0.0.1 - app.kubernetes.io/name: reports-server - app.kubernetes.io/instance: reports-server - app.kubernetes.io/version: "v0.0.1" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - reports.kyverno.io - resources: - - ephemeralreports - - clusterephemeralreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection -- apiGroups: - - wgpolicyk8s.io - resources: - - policyreports - - policyreports/status - - clusterpolicyreports - - clusterpolicyreports/status - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection -- apiGroups: - - '' - - events.k8s.io - resources: - - events - verbs: - - create - - patch -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: reports-server - labels: - helm.sh/chart: reports-server-0.0.1 - app.kubernetes.io/name: reports-server - app.kubernetes.io/instance: reports-server - app.kubernetes.io/version: "v0.0.1" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: reports-server -subjects: -- kind: ServiceAccount - name: reports-server - namespace: reports-server ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: reports-server - namespace: kube-system - labels: - helm.sh/chart: reports-server-0.0.1 - app.kubernetes.io/name: reports-server - app.kubernetes.io/instance: reports-server - app.kubernetes.io/version: "v0.0.1" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: -- kind: ServiceAccount - name: reports-server - namespace: reports-server ---- -apiVersion: v1 -kind: Service -metadata: - name: reports-server-postgresql-hl - namespace: "reports-server" - labels: - app.kubernetes.io/instance: reports-server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: postgresql - app.kubernetes.io/version: 16.1.0 - helm.sh/chart: postgresql-13.4.1 - app.kubernetes.io/component: primary - annotations: - # Use this annotation in addition to the actual publishNotReadyAddresses - # field below because the annotation will stop being respected soon but the - # field is broken in some versions of Kubernetes: - # https://github.com/kubernetes/kubernetes/issues/58662 - service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" -spec: - type: ClusterIP - clusterIP: None - # We want all pods in the StatefulSet to have their addresses published for - # the sake of the other Postgresql pods even before they're ready, since they - # have to be able to talk to each other in order to become ready. - publishNotReadyAddresses: true - ports: - - name: tcp-postgresql - port: 5432 - targetPort: tcp-postgresql - selector: - app.kubernetes.io/instance: reports-server - app.kubernetes.io/name: postgresql - app.kubernetes.io/component: primary ---- -apiVersion: v1 -kind: Service -metadata: - name: reports-server-postgresql - namespace: "reports-server" - labels: - app.kubernetes.io/instance: reports-server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: postgresql - app.kubernetes.io/version: 16.1.0 - helm.sh/chart: postgresql-13.4.1 - app.kubernetes.io/component: primary -spec: - type: ClusterIP - sessionAffinity: None - ports: - - name: tcp-postgresql - port: 5432 - targetPort: tcp-postgresql - nodePort: null - selector: - app.kubernetes.io/instance: reports-server - app.kubernetes.io/name: postgresql - app.kubernetes.io/component: primary ---- -apiVersion: v1 -kind: Service -metadata: - name: reports-server - namespace: reports-server - labels: - helm.sh/chart: reports-server-0.0.1 - app.kubernetes.io/name: reports-server - app.kubernetes.io/instance: reports-server - app.kubernetes.io/version: "v0.0.1" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - name: https - port: 443 - protocol: TCP - targetPort: https - selector: - app.kubernetes.io/name: reports-server - app.kubernetes.io/instance: reports-server ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reports-server - namespace: reports-server - labels: - helm.sh/chart: reports-server-0.0.1 - app.kubernetes.io/name: reports-server - app.kubernetes.io/instance: reports-server - app.kubernetes.io/version: "v0.0.1" - app.kubernetes.io/managed-by: Helm -spec: - strategy: - rollingUpdate: - maxUnavailable: 0 - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: reports-server - app.kubernetes.io/instance: reports-server - template: - metadata: - labels: - app.kubernetes.io/name: reports-server - app.kubernetes.io/instance: reports-server - spec: - priorityClassName: system-cluster-critical - serviceAccountName: reports-server - securityContext: - fsGroup: 2000 - containers: - - name: reports-server - args: - - --dbhost=reports-server-postgresql.reports-server - - --dbname=reportsdb - - --dbuser=postgres - - --dbpassword=reports - - --cert-dir=/tmp - - --secure-port=4443 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/kyverno/reports-server:latest" - imagePullPolicy: IfNotPresent - ports: - - name: https - containerPort: 4443 - protocol: TCP - volumeMounts: - - mountPath: /tmp - name: tmp-dir - livenessProbe: - failureThreshold: 3 - httpGet: - path: /livez - port: https - scheme: HTTPS - periodSeconds: 10 - readinessProbe: - failureThreshold: 3 - httpGet: - path: /readyz - port: https - scheme: HTTPS - initialDelaySeconds: 20 - periodSeconds: 10 - resources: - limits: null - requests: null - volumes: - - emptyDir: {} - name: tmp-dir ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: reports-server-postgresql - namespace: "reports-server" - labels: - app.kubernetes.io/instance: reports-server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: postgresql - app.kubernetes.io/version: 16.1.0 - helm.sh/chart: postgresql-13.4.1 - app.kubernetes.io/component: primary -spec: - replicas: 1 - serviceName: reports-server-postgresql-hl - updateStrategy: - rollingUpdate: {} - type: RollingUpdate - selector: - matchLabels: - app.kubernetes.io/instance: reports-server - app.kubernetes.io/name: postgresql - app.kubernetes.io/component: primary - template: - metadata: - name: reports-server-postgresql - labels: - app.kubernetes.io/instance: reports-server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: postgresql - app.kubernetes.io/version: 16.1.0 - helm.sh/chart: postgresql-13.4.1 - app.kubernetes.io/component: primary - spec: - serviceAccountName: reports-server-postgresql - - automountServiceAccountToken: false - affinity: - podAffinity: - - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/instance: reports-server - app.kubernetes.io/name: postgresql - app.kubernetes.io/component: primary - topologyKey: kubernetes.io/hostname - weight: 1 - nodeAffinity: - - securityContext: - fsGroup: 1001 - fsGroupChangePolicy: Always - supplementalGroups: [] - sysctls: [] - hostNetwork: false - hostIPC: false - containers: - - name: postgresql - image: docker.io/bitnami/postgresql:16.1.0-debian-11-r22 - imagePullPolicy: "IfNotPresent" - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: false - runAsNonRoot: true - runAsUser: 1001 - seLinuxOptions: {} - seccompProfile: - type: RuntimeDefault - env: - - name: BITNAMI_DEBUG - value: "false" - - name: POSTGRESQL_PORT_NUMBER - value: "5432" - - name: POSTGRESQL_VOLUME_DIR - value: "/bitnami/postgresql" - - name: PGDATA - value: "/bitnami/postgresql/data" - # Authentication - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: reports-server-postgresql - key: postgres-password - - name: POSTGRES_DATABASE - value: "reportsdb" - # Replication - # Initdb - # Standby - # LDAP - - name: POSTGRESQL_ENABLE_LDAP - value: "no" - # TLS - - name: POSTGRESQL_ENABLE_TLS - value: "no" - # Audit - - name: POSTGRESQL_LOG_HOSTNAME - value: "false" - - name: POSTGRESQL_LOG_CONNECTIONS - value: "false" - - name: POSTGRESQL_LOG_DISCONNECTIONS - value: "false" - - name: POSTGRESQL_PGAUDIT_LOG_CATALOG - value: "off" - # Others - - name: POSTGRESQL_CLIENT_MIN_MESSAGES - value: "error" - - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES - value: "pgaudit" - ports: - - name: tcp-postgresql - containerPort: 5432 - livenessProbe: - failureThreshold: 6 - initialDelaySeconds: 30 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - exec: - command: - - /bin/sh - - -c - - exec pg_isready -U "postgres" -d "dbname=reportsdb" -h 127.0.0.1 -p 5432 - readinessProbe: - failureThreshold: 6 - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - exec: - command: - - /bin/sh - - -c - - -e - - | - exec pg_isready -U "postgres" -d "dbname=reportsdb" -h 127.0.0.1 -p 5432 - [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ] - resources: - limits: {} - requests: - cpu: 250m - memory: 256Mi - volumeMounts: - - name: dshm - mountPath: /dev/shm - - name: data - mountPath: /bitnami/postgresql - volumes: - - name: dshm - emptyDir: - medium: Memory - volumeClaimTemplates: - - apiVersion: v1 - kind: PersistentVolumeClaim - metadata: - name: data - spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "8Gi" ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - name: v1alpha2.wgpolicyk8s.io - namespace: reports-server - labels: - helm.sh/chart: reports-server-0.0.1 - app.kubernetes.io/name: reports-server - app.kubernetes.io/instance: reports-server - app.kubernetes.io/version: "v0.0.1" - app.kubernetes.io/managed-by: Helm - kube-aggregator.kubernetes.io/automanaged: "false" -spec: - group: wgpolicyk8s.io - groupPriorityMinimum: 100 - insecureSkipTLSVerify: true - service: - name: reports-server - namespace: reports-server - version: v1alpha2 - versionPriority: 100 ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - name: v1.reports.kyverno.io - namespace: reports-server - labels: - helm.sh/chart: reports-server-0.0.1 - app.kubernetes.io/name: reports-server - app.kubernetes.io/instance: reports-server - app.kubernetes.io/version: "v0.0.1" - app.kubernetes.io/managed-by: Helm - kube-aggregator.kubernetes.io/automanaged: "false" -spec: - group: reports.kyverno.io - groupPriorityMinimum: 100 - insecureSkipTLSVerify: true - service: - name: reports-server - namespace: reports-server - version: v1 - versionPriority: 100