From 78ed2cc0240fcc855c8f25f3eded00e2d8c6773c Mon Sep 17 00:00:00 2001 From: Vishal Choudhary Date: Fri, 2 Feb 2024 22:37:28 +0530 Subject: [PATCH] feat: add install manifest (#48) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * feat: add install manifest Signed-off-by: Vishal Choudhary * fix: lint Signed-off-by: Vishal Choudhary * fix: codegen Signed-off-by: Vishal Choudhary * Update Makefile Co-authored-by: Charles-Edouard Brétéché Signed-off-by: Vishal Choudhary * fix: update manifest Signed-off-by: Vishal Choudhary --------- Signed-off-by: Vishal Choudhary Co-authored-by: Charles-Edouard Brétéché --- Makefile | 13 + charts/reports-server/README.md | 3 +- .../reports-server/templates/api-service.yaml | 5 +- charts/reports-server/values.yaml | 7 +- config/install.yaml | 515 ++++++++++++++++++ 5 files changed, 539 insertions(+), 4 deletions(-) create mode 100644 config/install.yaml
diff --git a/Makefile b/Makefile
index 17ed86b..0fcdcdb 100644
--- a/Makefile
+++ b/Makefile
@@ -27,6 +27,11 @@ KO_VERSION := v0.14.1
 HELM := $(TOOLS_DIR)/helm
 HELM_VERSION := v3.10.1
 TOOLS := $(REGISTER_GEN) $(OPENAPI_GEN) $(KIND) $(KO) $(HELM)
+ifeq ($(GOOS), darwin)
+SED := gsed
+else
+SED := sed
+endif
 $(REGISTER_GEN):
 @echo Install register-gen... >&2
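Review bot: `ifeq ($(GOOS), darwin)` only selects `gsed` when `GOOS` is already set, and nothing in this hunk defines or exports it; if it is not defined earlier in the Makefile the comparison is always false and macOS builds silently fall through to BSD `sed`. Deriving the value inside the Makefile, e.g. `ifeq ($(shell uname -s),Darwin)` or `GOOS ?= $(shell go env GOOS)` placed above the conditional, makes the choice independent of the caller's environment. A short comment on the block would also help, e.g. `# macOS ships BSD sed; recipes that need GNU sed use $(SED), which resolves to gsed there`, since the hunk does not say which recipe actually requires GNU semantics.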
@@ -129,10 +134,18 @@ codegen-helm-docs: ## Generate helm docs
 @echo Generate helm docs... >&2
 @docker run -v ${PWD}/charts:/work -w /work jnorwood/helm-docs:v1.11.0 -s file
+.PHONY: codegen-manifest-install-latest
+codegen-install-manifest: $(HELM) ## Create install manifest
+ @echo Generate latest install manifest... >&2
+ @$(HELM) template reports-server --namespace reports-server ./charts/reports-server/ \
+ | $(SED) -e '/^#.*/d' \
+ > ./config/install.yaml
+
 .PHONY: codegen
 codegen: ## Rebuild all generated code and docs
 codegen: codegen-helm-docs
 codegen: codegen-openapi
+codegen: codegen-install-manifest
 .PHONY: verify-codegen
 verify-codegen: codegen ## Verify all generated code and docs are up to date
diff --git a/charts/reports-server/README.md b/charts/reports-server/README.md
index bfa79e4..d2aa4bc 100644
--- a/charts/reports-server/README.md
+++ b/charts/reports-server/README.md
@@ -25,7 +25,8 @@ helm install reports-server --namespace reports-server --create-namespace report
 | postgresql.enabled | bool | `true` | Deploy postgresql dependency chart |
 | postgresql.auth.postgresPassword | string | `"reports"` | |
 | postgresql.auth.database | string | `"reportsdb"` | |
-| ephemeralReportsStorage.enabled | bool | `true` | Store ephemeral reports in reports-server |
+| apiServices.enabled | bool | `true` | Store reports in reports-server |
+| apiServices.installEphemeralReportsService | bool | `true` | Store ephemeral reports in reports-server |
 | nameOverride | string | `""` | Name override |
 | fullnameOverride | string | `""` | Full name override |
 | replicaCount | int | `1` | Number of pod replicas |
diff --git a/charts/reports-server/templates/api-service.yaml b/charts/reports-server/templates/api-service.yaml
index 17ab945..d3c5a2f 100644
--- a/charts/reports-server/templates/api-service.yaml
+++ b/charts/reports-server/templates/api-service.yaml
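Review bot: The `.PHONY` declaration names `codegen-manifest-install-latest`, but the target added on the next line is `codegen-install-manifest`, so the real target is never marked phony and a stray file of that name would turn it into a no-op; it should read `.PHONY: codegen-install-manifest`. The recipe also redirects the pipeline straight into `./config/install.yaml`, so the file is truncated before `helm template` runs and a helm failure is masked by sed's exit status unless pipefail is set elsewhere in the Makefile; rendering to a temporary file and moving it into place only on success (`> ./config/install.yaml.tmp && mv -f ./config/install.yaml.tmp ./config/install.yaml`) avoids committing a partial manifest. `-e '/^#.*/d'` only strips comments at column 0, which is why indented comments from the postgresql subchart survive in the rendered file in this patch. Because this target renders the chart with its default values and commits the result as the ready-to-apply manifest, those defaults become the shipped configuration: the rendered file here carries the default database password as a plaintext `--dbpassword` container argument and sets `insecureSkipTLSVerify: true` on both APIServices, which is worth stating in the installation docs so users know what to override before applying it.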
@@ -1,3 +1,5 @@
+{{- if .Values.apiServices.enabled }}
+---
 apiVersion: apiregistration.k8s.io/v1
 kind: APIService
 metadata:
@@ -16,7 +18,7 @@ spec:
 version: v1alpha2
 versionPriority: 100
-{{- if .Values.ephemeralReportsStorage.enabled }}
+{{- if .Values.apiServices.installEphemeralReportsService }}
 ---
 apiVersion: apiregistration.k8s.io/v1
 kind: APIService
@@ -35,4 +37,5 @@ spec:
 namespace: {{ $.Release.Namespace }}
 version: v1
 versionPriority: 100
+{{- end }}
 {{- end }}
\ No newline at end of file
diff --git a/charts/reports-server/values.yaml b/charts/reports-server/values.yaml
index ea235d5..0881de6 100644
--- a/charts/reports-server/values.yaml
+++ b/charts/reports-server/values.yaml
@@ -9,11 +9,14 @@ postgresql:
 database: reportsdb
-ephemeralReportsStorage:
+apiServices:
- # -- Store ephemeral reports in reports-server
+ # -- Store reports in reports-server
 enabled: true
+ # -- Store ephemeral reports in reports-server
+ installEphemeralReportsService: true
+
 # -- Name override
 nameOverride: ""
diff --git a/config/install.yaml b/config/install.yaml
new file mode 100644
index 0000000..f4ab890
--- /dev/null
+++ b/config/install.yaml
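Review bot: The comment on `apiServices.enabled`, `# -- Store reports in reports-server`, describes storage, but what the flag actually gates (per the api-service.yaml change in this patch) is whether the APIService registrations are created at all, and the helm-docs README row inherits the same wording. Suggest `# -- Register the reports-server APIService (wgpolicyk8s.io) with the aggregation layer` for `enabled`, and `# -- Also register the reports.kyverno.io APIService for ephemeral reports; ignored when apiServices.enabled is false` for `installEphemeralReportsService`. Making the nesting explicit matters because the outer `{{- if .Values.apiServices.enabled }}` wraps both objects, so with `enabled: false` the ephemeral-reports toggle is silently ignored by the template.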
@@ -0,0 +1,515 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: reports-server-postgresql + namespace: "reports-server" + labels: + app.kubernetes.io/instance: reports-server + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: postgresql + app.kubernetes.io/version: 16.1.0 + helm.sh/chart: postgresql-13.4.1 +automountServiceAccountToken: false +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: reports-server + namespace: reports-server + labels: + helm.sh/chart: reports-server-0.0.1 + app.kubernetes.io/name: reports-server + app.kubernetes.io/instance: reports-server + app.kubernetes.io/version: "v0.0.1" + app.kubernetes.io/managed-by: Helm +--- +apiVersion: v1 +kind: Secret +metadata: + name: reports-server-postgresql + namespace: "reports-server" + labels: + app.kubernetes.io/instance: reports-server + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: postgresql + app.kubernetes.io/version: 16.1.0 + helm.sh/chart: postgresql-13.4.1 +type: Opaque +data: + postgres-password: "cmVwb3J0cw==" + # We don't auto-generate LDAP password when it's not provided as we do for other passwords +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: +metadata: + name: reports-server + labels: + rbac.authorization.k8s.io/aggregate-to-admin: 'true' + rbac.authorization.k8s.io/aggregate-to-edit: 'true' + rbac.authorization.k8s.io/aggregate-to-view: 'true' + helm.sh/chart: reports-server-0.0.1 + app.kubernetes.io/name: reports-server + app.kubernetes.io/instance: reports-server + app.kubernetes.io/version: "v0.0.1" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - reports.kyverno.io + resources: + - ephemeralreports + - clusterephemeralreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection +- apiGroups: + - wgpolicyk8s.io + resources: + - policyreports + - policyreports/status + - clusterpolicyreports + - clusterpolicyreports/status + verbs: + - 
create + - delete + - get + - list + - patch + - update + - watch + - deletecollection +- apiGroups: + - '' + - events.k8s.io + resources: + - events + verbs: + - create + - patch +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: reports-server + labels: + helm.sh/chart: reports-server-0.0.1 + app.kubernetes.io/name: reports-server + app.kubernetes.io/instance: reports-server + app.kubernetes.io/version: "v0.0.1" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: reports-server +subjects: +- kind: ServiceAccount + name: reports-server + namespace: reports-server +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: reports-server + namespace: kube-system + labels: + helm.sh/chart: reports-server-0.0.1 + app.kubernetes.io/name: reports-server + app.kubernetes.io/instance: reports-server + app.kubernetes.io/version: "v0.0.1" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: +- kind: ServiceAccount + name: reports-server + namespace: reports-server +--- +apiVersion: v1 +kind: Service +metadata: + name: reports-server-postgresql-hl + namespace: "reports-server" + labels: + app.kubernetes.io/instance: reports-server + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: postgresql + app.kubernetes.io/version: 16.1.0 + helm.sh/chart: postgresql-13.4.1 + app.kubernetes.io/component: primary + annotations: + # Use this annotation in addition to the actual publishNotReadyAddresses + # field below because the annotation will stop being respected soon but the + # field is broken in some versions of Kubernetes: + # https://github.com/kubernetes/kubernetes/issues/58662 + service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" 
+spec: + type: ClusterIP + clusterIP: None + # We want all pods in the StatefulSet to have their addresses published for + # the sake of the other Postgresql pods even before they're ready, since they + # have to be able to talk to each other in order to become ready. + publishNotReadyAddresses: true + ports: + - name: tcp-postgresql + port: 5432 + targetPort: tcp-postgresql + selector: + app.kubernetes.io/instance: reports-server + app.kubernetes.io/name: postgresql + app.kubernetes.io/component: primary +--- +apiVersion: v1 +kind: Service +metadata: + name: reports-server-postgresql + namespace: "reports-server" + labels: + app.kubernetes.io/instance: reports-server + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: postgresql + app.kubernetes.io/version: 16.1.0 + helm.sh/chart: postgresql-13.4.1 + app.kubernetes.io/component: primary +spec: + type: ClusterIP + sessionAffinity: None + ports: + - name: tcp-postgresql + port: 5432 + targetPort: tcp-postgresql + nodePort: null + selector: + app.kubernetes.io/instance: reports-server + app.kubernetes.io/name: postgresql + app.kubernetes.io/component: primary +--- +apiVersion: v1 +kind: Service +metadata: + name: reports-server + namespace: reports-server + labels: + helm.sh/chart: reports-server-0.0.1 + app.kubernetes.io/name: reports-server + app.kubernetes.io/instance: reports-server + app.kubernetes.io/version: "v0.0.1" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - name: https + port: 443 + protocol: TCP + targetPort: https + selector: + app.kubernetes.io/name: reports-server + app.kubernetes.io/instance: reports-server +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: reports-server + namespace: reports-server + labels: + helm.sh/chart: reports-server-0.0.1 + app.kubernetes.io/name: reports-server + app.kubernetes.io/instance: reports-server + app.kubernetes.io/version: "v0.0.1" + app.kubernetes.io/managed-by: Helm +spec: + strategy: + rollingUpdate: + 
maxUnavailable: 0 + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: reports-server + app.kubernetes.io/instance: reports-server + template: + metadata: + labels: + app.kubernetes.io/name: reports-server + app.kubernetes.io/instance: reports-server + spec: + priorityClassName: system-cluster-critical + serviceAccountName: reports-server + securityContext: + fsGroup: 2000 + containers: + - name: reports-server + args: + - --dbhost=reports-server-postgresql.reports-server + - --dbname=reportsdb + - --dbuser=postgres + - --dbpassword=reports + - --cert-dir=/tmp + - --secure-port=4443 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + image: "ghcr.io/kyverno/reports-server:v0.0.1" + imagePullPolicy: IfNotPresent + ports: + - name: https + containerPort: 4443 + protocol: TCP + volumeMounts: + - mountPath: /tmp + name: tmp-dir + livenessProbe: + failureThreshold: 3 + httpGet: + path: /livez + port: https + scheme: HTTPS + periodSeconds: 10 + readinessProbe: + failureThreshold: 3 + httpGet: + path: /readyz + port: https + scheme: HTTPS + initialDelaySeconds: 20 + periodSeconds: 10 + resources: + limits: null + requests: null + volumes: + - emptyDir: {} + name: tmp-dir +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: reports-server-postgresql + namespace: "reports-server" + labels: + app.kubernetes.io/instance: reports-server + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: postgresql + app.kubernetes.io/version: 16.1.0 + helm.sh/chart: postgresql-13.4.1 + app.kubernetes.io/component: primary +spec: + replicas: 1 + serviceName: reports-server-postgresql-hl + updateStrategy: + rollingUpdate: {} + type: RollingUpdate + selector: + matchLabels: + app.kubernetes.io/instance: reports-server + app.kubernetes.io/name: postgresql + app.kubernetes.io/component: primary + 
template: + metadata: + name: reports-server-postgresql + labels: + app.kubernetes.io/instance: reports-server + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: postgresql + app.kubernetes.io/version: 16.1.0 + helm.sh/chart: postgresql-13.4.1 + app.kubernetes.io/component: primary + spec: + serviceAccountName: reports-server-postgresql + + automountServiceAccountToken: false + affinity: + podAffinity: + + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + app.kubernetes.io/instance: reports-server + app.kubernetes.io/name: postgresql + app.kubernetes.io/component: primary + topologyKey: kubernetes.io/hostname + weight: 1 + nodeAffinity: + + securityContext: + fsGroup: 1001 + fsGroupChangePolicy: Always + supplementalGroups: [] + sysctls: [] + hostNetwork: false + hostIPC: false + containers: + - name: postgresql + image: docker.io/bitnami/postgresql:16.1.0-debian-11-r22 + imagePullPolicy: "IfNotPresent" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 1001 + seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault + env: + - name: BITNAMI_DEBUG + value: "false" + - name: POSTGRESQL_PORT_NUMBER + value: "5432" + - name: POSTGRESQL_VOLUME_DIR + value: "/bitnami/postgresql" + - name: PGDATA + value: "/bitnami/postgresql/data" + # Authentication + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: reports-server-postgresql + key: postgres-password + - name: POSTGRES_DATABASE + value: "reportsdb" + # Replication + # Initdb + # Standby + # LDAP + - name: POSTGRESQL_ENABLE_LDAP + value: "no" + # TLS + - name: POSTGRESQL_ENABLE_TLS + value: "no" + # Audit + - name: POSTGRESQL_LOG_HOSTNAME + value: "false" + - name: POSTGRESQL_LOG_CONNECTIONS + value: "false" + - name: POSTGRESQL_LOG_DISCONNECTIONS + value: "false" + - name: POSTGRESQL_PGAUDIT_LOG_CATALOG 
+ value: "off" + # Others + - name: POSTGRESQL_CLIENT_MIN_MESSAGES + value: "error" + - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES + value: "pgaudit" + ports: + - name: tcp-postgresql + containerPort: 5432 + livenessProbe: + failureThreshold: 6 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + exec: + command: + - /bin/sh + - -c + - exec pg_isready -U "postgres" -d "dbname=reportsdb" -h 127.0.0.1 -p 5432 + readinessProbe: + failureThreshold: 6 + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + exec: + command: + - /bin/sh + - -c + - -e + - | + exec pg_isready -U "postgres" -d "dbname=reportsdb" -h 127.0.0.1 -p 5432 + [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ] + resources: + limits: {} + requests: + cpu: 250m + memory: 256Mi + volumeMounts: + - name: dshm + mountPath: /dev/shm + - name: data + mountPath: /bitnami/postgresql + volumes: + - name: dshm + emptyDir: + medium: Memory + volumeClaimTemplates: + - apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + name: data + spec: + accessModes: + - "ReadWriteOnce" + resources: + requests: + storage: "8Gi" +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + name: v1alpha2.wgpolicyk8s.io + namespace: reports-server + labels: + helm.sh/chart: reports-server-0.0.1 + app.kubernetes.io/name: reports-server + app.kubernetes.io/instance: reports-server + app.kubernetes.io/version: "v0.0.1" + app.kubernetes.io/managed-by: Helm + kube-aggregator.kubernetes.io/automanaged: "false" +spec: + group: wgpolicyk8s.io + groupPriorityMinimum: 100 + insecureSkipTLSVerify: true + service: + name: reports-server + namespace: reports-server + version: v1alpha2 + versionPriority: 100 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + name: v1.reports.kyverno.io + namespace: reports-server + labels: + helm.sh/chart: reports-server-0.0.1 + app.kubernetes.io/name: 
reports-server + app.kubernetes.io/instance: reports-server + app.kubernetes.io/version: "v0.0.1" + app.kubernetes.io/managed-by: Helm + kube-aggregator.kubernetes.io/automanaged: "false" +spec: + group: reports.kyverno.io + groupPriorityMinimum: 100 + insecureSkipTLSVerify: true + service: + name: reports-server + namespace: reports-server + version: v1 + versionPriority: 100