From 02c8d53b8ed5ddf7464a65fcb6006e8f5dec74b0 Mon Sep 17 00:00:00 2001
From: Vishal Choudhary <vishal.choudhary@nirmata.com>
Date: Wed, 18 Sep 2024 17:30:20 +0530
Subject: [PATCH 1/2] feat: install apiservices using helm hooks (#192)

* feat: install apiservices using helm hooks

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: chart linter

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: bump chainsaw

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: add patch permissions

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: simplify permissions

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: charts and images

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

---------

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
---
 .github/workflows/migration-tests.yaml        |   7 +-
 Makefile                                      |   4 +-
 charts/reports-server/README.md               |  20 ++-
 .../reports-server/templates/api-service.yaml |   7 +-
 .../templates/cluster-roles.yaml              |  20 +++
 .../hooks/post-install-api-services.yaml      | 128 ++++++++++++++++++
 .../hooks/pre-delete-api-service-cleanup.yaml |  76 +++++++++++
 charts/reports-server/templates/roles.yaml    |  32 +++++
 charts/reports-server/values.yaml             |  74 ++++++++--
 config/install-inmemory.yaml                  |  58 ++++++++
 config/install.yaml                           |  58 ++++++++
 docs/INSTALL.md                               |   2 +-
 docs/MIGRATION.md                             |  27 ----
 13 files changed, 465 insertions(+), 48 deletions(-)
 create mode 100644 charts/reports-server/templates/hooks/post-install-api-services.yaml
 create mode 100644 charts/reports-server/templates/hooks/pre-delete-api-service-cleanup.yaml
 delete mode 100644 docs/MIGRATION.md

diff --git a/.github/workflows/migration-tests.yaml b/.github/workflows/migration-tests.yaml
index 5579fe2..dfb1edc 100644
--- a/.github/workflows/migration-tests.yaml
+++ b/.github/workflows/migration-tests.yaml
@@ -92,12 +92,7 @@ jobs:
           set -e
           kubectl create ns reports-server
           export HELM=${{ steps.helm.outputs.helm-path }}
-          make kind-migrate
-      - name: Install api services
-        run: |
-          set -e
-          export HELM=${{ steps.helm.outputs.helm-path }}
-          make kind-apply-api-services
+          make kind-install
       - name: Wait for report server ready
         run: |
           set -e
diff --git a/Makefile b/Makefile
index ec127b6..7790ee4 100644
--- a/Makefile
+++ b/Makefile
@@ -158,6 +158,7 @@ codegen-helm-docs: ## Generate helm docs
 codegen-install-manifest: $(HELM) ## Create install manifest
 	@echo Generate latest install manifest... >&2
 	@$(HELM) template reports-server --namespace reports-server ./charts/reports-server/ \
+		--set apiServicesManagement.installApiServices.enabled=true \
 		--set image.tag=latest \
 		--set templating.enabled=true \
  		| $(SED) -e '/^#.*/d' \
@@ -166,6 +167,7 @@ codegen-install-manifest: $(HELM) ## Create install manifest
 codegen-install-manifest-inmemory: $(HELM) ## Create install manifest without postgres
 	@echo Generate latest install manifest... >&2
 	@$(HELM) template reports-server --namespace reports-server ./charts/reports-server/ \
+		--set apiServicesManagement.installApiServices.enabled=true \
 		--set image.tag=latest \
 		--set config.debug=true \
 		--set postgresql.enabled=false \
@@ -244,7 +246,7 @@ kind-migrate: $(HELM) kind-load ## Build image, load it in kind cluster and depl
 		--set image.registry=$(KO_REGISTRY) \
 		--set image.repository=$(PACKAGE) \
 		--set image.tag=$(GIT_SHA) \
-		--set apiServices.enabled=false
+		--set apiServicesManagement.installApiServices.enabled=false
 
 .PHONY: kind-apply-api-services
 kind-apply-api-services: $(HELM) kind-load ## Build image, load it in kind cluster and deploy helm chart
diff --git a/charts/reports-server/README.md b/charts/reports-server/README.md
index 483ad64..19f115b 100644
--- a/charts/reports-server/README.md
+++ b/charts/reports-server/README.md
@@ -25,8 +25,6 @@ helm install reports-server --namespace reports-server --create-namespace report
 | postgresql.enabled | bool | `true` | Deploy postgresql dependency chart |
 | postgresql.auth.postgresPassword | string | `"reports"` |  |
 | postgresql.auth.database | string | `"reportsdb"` |  |
-| apiServices.enabled | bool | `true` | Store reports in reports-server |
-| apiServices.installEphemeralReportsService | bool | `true` | Store ephemeral reports in reports-server |
 | nameOverride | string | `""` | Name override |
 | fullnameOverride | string | `""` | Full name override |
 | replicaCount | int | `1` | Number of pod replicas |
@@ -79,6 +77,24 @@ helm install reports-server --namespace reports-server --create-namespace report
 | config.db.sslrootcert | string | `""` | Database SSL root cert |
 | config.db.sslkey | string | `""` | Database SSL key |
 | config.db.sslcert | string | `""` | Database SSL cert |
+| apiServicesManagement.enabled | bool | `true` | Create a helm hooks to install and delete api services |
+| apiServicesManagement.installApiServices | object | `{"enabled":false,"installEphemeralReportsService":true}` | Install api services in manifest |
+| apiServicesManagement.installApiServices.enabled | bool | `false` | Store reports in reports-server |
+| apiServicesManagement.installApiServices.installEphemeralReportsService | bool | `true` | Store ephemeral reports in reports-server |
+| apiServicesManagement.image.registry | string | `"docker.io"` | Image registry |
+| apiServicesManagement.image.repository | string | `"bitnami/kubectl"` | Image repository |
+| apiServicesManagement.image.tag | string | `"1.30.2"` | Image tag Defaults to `latest` if omitted |
+| apiServicesManagement.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted |
+| apiServicesManagement.imagePullSecrets | list | `[]` | Image pull secrets |
+| apiServicesManagement.podSecurityContext | object | `{}` | Security context for the pod |
+| apiServicesManagement.nodeSelector | object | `{}` | Node labels for pod assignment |
+| apiServicesManagement.tolerations | list | `[]` | List of node taints to tolerate |
+| apiServicesManagement.podAntiAffinity | object | `{}` | Pod anti affinity constraints. |
+| apiServicesManagement.podAffinity | object | `{}` | Pod affinity constraints. |
+| apiServicesManagement.podLabels | object | `{}` | Pod labels. |
+| apiServicesManagement.podAnnotations | object | `{}` | Pod annotations. |
+| apiServicesManagement.nodeAffinity | object | `{}` | Node affinity constraints. |
+| apiServicesManagement.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers |
 
 ## Source Code
 
diff --git a/charts/reports-server/templates/api-service.yaml b/charts/reports-server/templates/api-service.yaml
index 02fc3ac..f8a4b30 100644
--- a/charts/reports-server/templates/api-service.yaml
+++ b/charts/reports-server/templates/api-service.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.apiServices.enabled }}
+{{- if .Values.apiServicesManagement.installApiServices.enabled }}
 ---
 apiVersion: apiregistration.k8s.io/v1
 kind: APIService
@@ -20,7 +20,7 @@ spec:
   version: v1alpha2
   versionPriority: 100
 
-{{- if .Values.apiServices.installEphemeralReportsService }}
+{{- if .Values.apiServicesManagement.installApiServices.installEphemeralReportsService }}
 ---
 apiVersion: apiregistration.k8s.io/v1
 kind: APIService
@@ -42,4 +42,5 @@ spec:
   version: v1
   versionPriority: 100
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
+	
diff --git a/charts/reports-server/templates/cluster-roles.yaml b/charts/reports-server/templates/cluster-roles.yaml
index bb51d48..f87e119 100644
--- a/charts/reports-server/templates/cluster-roles.yaml
+++ b/charts/reports-server/templates/cluster-roles.yaml
@@ -22,6 +22,26 @@ rules:
     - update
     - watch
     - deletecollection
+{{- if .Values.apiServicesManagement.enabled }}
+- apiGroups:
+    - apiregistration.k8s.io
+  resources:
+    - apiservices
+  verbs:
+    - create
+- apiGroups:
+    - apiregistration.k8s.io
+  resources:
+    - apiservices
+  verbs:
+    - get
+    - delete
+    - update
+    - patch
+  resourceNames:
+    - v1.reports.kyverno.io
+    - v1alpha2.wgpolicyk8s.io
+{{- end }}
 - apiGroups:
     - wgpolicyk8s.io
   resources:
diff --git a/charts/reports-server/templates/hooks/post-install-api-services.yaml b/charts/reports-server/templates/hooks/post-install-api-services.yaml
new file mode 100644
index 0000000..f028ae6
--- /dev/null
+++ b/charts/reports-server/templates/hooks/post-install-api-services.yaml
@@ -0,0 +1,128 @@
+{{- if .Values.apiServicesManagement.enabled -}}
+{{- if not .Values.templating.enabled -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "reports-server.fullname" . }}-post-install-install-api-services
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    {{- include "reports-server.labels" . | nindent 4 }}
+  annotations:
+    helm.sh/hook: post-install
+    helm.sh/hook-weight: "100"
+spec:
+  backoffLimit: 2
+  template:
+    metadata:
+      {{- with .Values.apiServicesManagement.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.apiServicesManagement.podLabels }}
+      labels:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      serviceAccount: {{ include "reports-server.serviceAccountName" . }}
+      {{- with .Values.apiServicesManagement.podSecurityContext }}
+      securityContext:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      restartPolicy: Never
+      {{- with .Values.apiServicesManagement.imagePullSecrets | default .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: kubectl
+          image: "{{ .Values.apiServicesManagement.image.registry }}/{{ .Values.apiServicesManagement.image.repository }}:{{ .Values.apiServicesManagement.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.apiServicesManagement.image.pullPolicy }}
+          command:
+            - /bin/bash
+            - '-c'
+            - |-
+              set -euo pipefail
+              kubectl wait -n {{ $.Release.Namespace }} pod --for=condition=ready -l app.kubernetes.io/name={{ include "reports-server.fullname" . }} --timeout=120s
+              kubectl apply -f - <<EOF
+              {
+                "apiVersion": "apiregistration.k8s.io/v1",
+                "kind": "APIService",
+                "metadata": {
+                  "name": "v1alpha2.wgpolicyk8s.io",
+                  "namespace": {{ $.Release.Namespace | quote }},
+                  "labels": {
+                    "kube-aggregator.kubernetes.io/automanaged": "false"
+                  },
+                  "annotations": {
+                    "helm.sh/hook": "post-install"
+                  }
+                },
+                "spec": {
+                  "group": "wgpolicyk8s.io",
+                  "groupPriorityMinimum": 100,
+                  "insecureSkipTLSVerify": true,
+                  "service": {
+                    "name": {{ include "reports-server.fullname" . | quote }},
+                    "namespace": {{ $.Release.Namespace | quote }}
+                  },
+                  "version": "v1alpha2",
+                  "versionPriority": 100
+                }
+              }
+              EOF
+              kubectl apply -f - <<EOF
+              {
+                "apiVersion": "apiregistration.k8s.io/v1",
+                "kind": "APIService",
+                "metadata": {
+                  "name": "v1.reports.kyverno.io",
+                  "namespace": {{ $.Release.Namespace | quote }},
+                  "labels": {
+                    "kube-aggregator.kubernetes.io/automanaged": "false"
+                  },
+                  "annotations": {
+                    "helm.sh/hook": "post-install"
+                  }
+                },
+                "spec": {
+                  "group": "reports.kyverno.io",
+                  "groupPriorityMinimum": 100,
+                  "insecureSkipTLSVerify": true,
+                  "service": {
+                    "name": {{ include "reports-server.fullname" . | quote }},
+                    "namespace": {{ $.Release.Namespace | quote }}
+                  },
+                  "version": "v1",
+                  "versionPriority": 100
+                }
+              }
+              EOF
+          {{- with .Values.apiServicesManagement.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- with .Values.apiServicesManagement.tolerations | default .Values.tolerations}}
+      tolerations:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- with .Values.apiServicesManagement.nodeSelector | default .Values.nodeSelector }}
+      nodeSelector:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- if or .Values.apiServicesManagement.podAntiAffinity .Values.apiServicesManagement.podAffinity .Values.apiServicesManagement.nodeAffinity }}
+      affinity:
+        {{- with .Values.apiServicesManagement.podAntiAffinity }}
+        podAntiAffinity:
+          {{- tpl (toYaml .) $ | nindent 10 }}
+        {{- end }}
+        {{- with .Values.apiServicesManagement.podAffinity }}
+        podAffinity:
+          {{- tpl (toYaml .) $ | nindent 10 }}
+        {{- end }}
+        {{- with .Values.apiServicesManagement.nodeAffinity }}
+        nodeAffinity:
+          {{- tpl (toYaml .) $ | nindent 10 }}
+        {{- end }}
+      {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/reports-server/templates/hooks/pre-delete-api-service-cleanup.yaml b/charts/reports-server/templates/hooks/pre-delete-api-service-cleanup.yaml
new file mode 100644
index 0000000..bbd5d85
--- /dev/null
+++ b/charts/reports-server/templates/hooks/pre-delete-api-service-cleanup.yaml
@@ -0,0 +1,76 @@
+{{- if .Values.apiServicesManagement.enabled -}}
+{{- if not .Values.templating.enabled -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "reports-server.fullname" . }}-pre-delete-api-services-cleanup
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    {{- include "reports-server.labels" . | nindent 4 }}
+  annotations:
+    helm.sh/hook: pre-delete
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
+    helm.sh/hook-weight: "100"
+spec:
+  backoffLimit: 2
+  template:
+    metadata:
+      {{- with .Values.apiServicesManagement.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.apiServicesManagement.podLabels }}
+      labels:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      serviceAccount: {{ include "reports-server.serviceAccountName" . }}
+      {{- with .Values.apiServicesManagement.podSecurityContext }}
+      securityContext:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      restartPolicy: Never
+      {{- with .Values.apiServicesManagement.imagePullSecrets | default .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: kubectl
+          image: "{{ .Values.apiServicesManagement.image.registry }}/{{ .Values.apiServicesManagement.image.repository }}:{{ .Values.apiServicesManagement.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.apiServicesManagement.image.pullPolicy }}
+          command:
+            - /bin/bash
+            - '-c'
+            - |-
+              set -euo pipefail
+              kubectl wait -n {{ $.Release.Namespace }} pod --for=condition=ready -l app.kubernetes.io/name={{ include "reports-server.fullname" . }} --timeout=120s
+              kubectl delete apiservice v1alpha2.wgpolicyk8s.io v1.reports.kyverno.io --ignore-not-found=true
+          {{- with .Values.apiServicesManagement.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- with .Values.apiServicesManagement.tolerations | default .Values.tolerations}}
+      tolerations:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- with .Values.apiServicesManagement.nodeSelector | default .Values.nodeSelector }}
+      nodeSelector:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- if or .Values.apiServicesManagement.podAntiAffinity .Values.apiServicesManagement.podAffinity .Values.apiServicesManagement.nodeAffinity }}
+      affinity:
+        {{- with .Values.apiServicesManagement.podAntiAffinity }}
+        podAntiAffinity:
+          {{- tpl (toYaml .) $ | nindent 10 }}
+        {{- end }}
+        {{- with .Values.apiServicesManagement.podAffinity }}
+        podAffinity:
+          {{- tpl (toYaml .) $ | nindent 10 }}
+        {{- end }}
+        {{- with .Values.apiServicesManagement.nodeAffinity }}
+        nodeAffinity:
+          {{- tpl (toYaml .) $ | nindent 10 }}
+        {{- end }}
+      {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/reports-server/templates/roles.yaml b/charts/reports-server/templates/roles.yaml
index 66322aa..abbf907 100644
--- a/charts/reports-server/templates/roles.yaml
+++ b/charts/reports-server/templates/roles.yaml
@@ -13,3 +13,35 @@ subjects:
 - kind: ServiceAccount
   name: {{ include "reports-server.serviceAccountName" $ }}
   namespace: {{ $.Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "reports-server.fullname" . }}
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    {{- include "reports-server.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+    - ''
+  resources:
+    - pods
+  verbs:
+    - get
+    - list
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "reports-server.fullname" . }}
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    {{- include "reports-server.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "reports-server.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "reports-server.serviceAccountName" $ }}
+  namespace: {{ $.Release.Namespace }}
diff --git a/charts/reports-server/values.yaml b/charts/reports-server/values.yaml
index 3e83362..819f7be 100644
--- a/charts/reports-server/values.yaml
+++ b/charts/reports-server/values.yaml
@@ -14,14 +14,6 @@ postgresql:
 
     database: reportsdb
 
-apiServices:
-
-  # -- Store reports in reports-server
-  enabled: true
-
-  # -- Store ephemeral reports in reports-server
-  installEphemeralReportsService: true
-
 # -- Name override
 nameOverride: ""
 
@@ -215,3 +207,69 @@ config:
 
     # -- Database SSL cert
     sslcert: ""
+
+apiServicesManagement:
+  # -- Create a helm hooks to install and delete api services
+  enabled: true
+
+  # -- Install api services in manifest
+  installApiServices:
+
+    # -- Store reports in reports-server
+    enabled: false
+
+    # -- Store ephemeral reports in reports-server
+    installEphemeralReportsService: true
+
+  image:
+    # -- (string) Image registry
+    registry: docker.io
+    # -- Image repository
+    repository: bitnami/kubectl
+    # -- Image tag
+    # Defaults to `latest` if omitted
+    tag: '1.30.2'
+    # -- (string) Image pull policy
+    # Defaults to image.pullPolicy if omitted
+    pullPolicy: ~
+
+  # -- Image pull secrets
+  imagePullSecrets: []
+
+  # -- Security context for the pod
+  podSecurityContext: {}
+
+  # -- Node labels for pod assignment
+  nodeSelector: {}
+
+  # -- List of node taints to tolerate
+  tolerations: []
+
+  # -- Pod anti affinity constraints.
+  podAntiAffinity: {}
+
+  # -- Pod affinity constraints.
+  podAffinity: {}
+
+  # -- Pod labels.
+  podLabels: {}
+
+  # -- Pod annotations.
+  podAnnotations: {}
+
+  # -- Node affinity constraints.
+  nodeAffinity: {}
+
+  # -- Security context for the hook containers
+  securityContext:
+    runAsUser: 65534
+    runAsGroup: 65534
+    runAsNonRoot: true
+    privileged: false
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    capabilities:
+      drop:
+        - ALL
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/config/install-inmemory.yaml b/config/install-inmemory.yaml
index 8370408..c1f10bd 100644
--- a/config/install-inmemory.yaml
+++ b/config/install-inmemory.yaml
@@ -44,6 +44,24 @@ rules:
     - update
     - watch
     - deletecollection
+- apiGroups:
+    - apiregistration.k8s.io
+  resources:
+    - apiservices
+  verbs:
+    - create
+- apiGroups:
+    - apiregistration.k8s.io
+  resources:
+    - apiservices
+  verbs:
+    - get
+    - delete
+    - update
+    - patch
+  resourceNames:
+    - v1.reports.kyverno.io
+    - v1alpha2.wgpolicyk8s.io
 - apiGroups:
     - wgpolicyk8s.io
   resources:
@@ -94,6 +112,26 @@ subjects:
   name: reports-server
   namespace: reports-server
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: reports-server
+  namespace: reports-server
+  labels:
+    helm.sh/chart: reports-server-0.1.0
+    app.kubernetes.io/name: reports-server
+    app.kubernetes.io/instance: reports-server
+    app.kubernetes.io/version: "v0.1.0"
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+    - ''
+  resources:
+    - pods
+  verbs:
+    - get
+    - list
+---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -114,6 +152,26 @@ subjects:
   name: reports-server
   namespace: reports-server
 ---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: reports-server
+  namespace: reports-server
+  labels:
+    helm.sh/chart: reports-server-0.1.0
+    app.kubernetes.io/name: reports-server
+    app.kubernetes.io/instance: reports-server
+    app.kubernetes.io/version: "v0.1.0"
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: reports-server
+subjects:
+- kind: ServiceAccount
+  name: reports-server
+  namespace: reports-server
+---
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/config/install.yaml b/config/install.yaml
index 42317e7..38192d4 100644
--- a/config/install.yaml
+++ b/config/install.yaml
@@ -73,6 +73,24 @@ rules:
     - update
     - watch
     - deletecollection
+- apiGroups:
+    - apiregistration.k8s.io
+  resources:
+    - apiservices
+  verbs:
+    - create
+- apiGroups:
+    - apiregistration.k8s.io
+  resources:
+    - apiservices
+  verbs:
+    - get
+    - delete
+    - update
+    - patch
+  resourceNames:
+    - v1.reports.kyverno.io
+    - v1alpha2.wgpolicyk8s.io
 - apiGroups:
     - wgpolicyk8s.io
   resources:
@@ -123,6 +141,26 @@ subjects:
   name: reports-server
   namespace: reports-server
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: reports-server
+  namespace: reports-server
+  labels:
+    helm.sh/chart: reports-server-0.1.0
+    app.kubernetes.io/name: reports-server
+    app.kubernetes.io/instance: reports-server
+    app.kubernetes.io/version: "v0.1.0"
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+    - ''
+  resources:
+    - pods
+  verbs:
+    - get
+    - list
+---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -143,6 +181,26 @@ subjects:
   name: reports-server
   namespace: reports-server
 ---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: reports-server
+  namespace: reports-server
+  labels:
+    helm.sh/chart: reports-server-0.1.0
+    app.kubernetes.io/name: reports-server
+    app.kubernetes.io/instance: reports-server
+    app.kubernetes.io/version: "v0.1.0"
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: reports-server
+subjects:
+- kind: ServiceAccount
+  name: reports-server
+  namespace: reports-server
+---
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/docs/INSTALL.md b/docs/INSTALL.md
index 0349f99..c0d9813 100644
--- a/docs/INSTALL.md
+++ b/docs/INSTALL.md
@@ -7,7 +7,7 @@ If kyverno is already installed in the cluster, follow the [migration guide](#mi
 Reports-server comes with a postgreSQL database. It is recommended to bring-your-own postgres database to have finer control of database configurations ([see database configuration guide](#database-configuration)).
 
 ### YAML Manifest
-It is recommended to install Reports-server using `kubectl apply`, especially when policy reports CRDs are already installed in the cluster ([see migration guide](#migration)). To install reports server using YAML manifest, create a `reports-server` namespace and run the following command:
+It is recommended to install Reports-server using `helm`. To install reports server using YAML manifest, create a `reports-server` namespace and run the following command:
 
 ```bash
 kubectl apply -f https://raw.githubusercontent.com/kyverno/reports-server/main/config/install.yaml
diff --git a/docs/MIGRATION.md b/docs/MIGRATION.md
deleted file mode 100644
index 3f2382b..0000000
--- a/docs/MIGRATION.md
+++ /dev/null
@@ -1,27 +0,0 @@
-# Migration
-
-This migration guide is for migrating an existing cluster using etcd to store policy reports to reports-server. 
-
-You need to follow this if:
-1. The cluster has kyverno already installed, or,
-2. The cluster has policy reports crds already installed
-
-Clusters with policy reports CRDs have existing API services for policy reports which need to be overwritten for reports-server to work. We do that by applying new api services with the label `kube-aggregator.kubernetes.io/automanaged: "false"`.
-
-Follow the given methods to migrate to reports server on your existing cluster:
-
-## YAML Manifest
-
-YAML manifest can be installed directly using `kubectl apply` and this will overwrite the existing API services. Run the following command:
-```bash
-kubectl apply -f https://raw.githubusercontent.com/kyverno/reports-server/main/config/install.yaml
-```
-
-## Helm Chart
-
-Helm cannot overwrite resources when they are not managed by helm. Thus we recommend installing the chart without the api services using the following command:
-```bash
-helm install reports-server --namespace reports-server reports-server/reports-server --devel  --set apiServices.enabled=false
-```
-
-Once the helm chart is installed, API services can be manually updated using `kubectl apply`. Update our [apiservices samples](./config/samples/apiservices.yaml) with the right reports-server name and namespace and apply that manifest.

From 34c1d7c279d01de6d9575c0ff6ed4efd9f32d0dd Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 18 Sep 2024 17:30:41 +0530
Subject: [PATCH 2/2] chore(deps): Bump github/codeql-action from 2.13.4 to
 3.26.7 (#197)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.13.4 to 3.26.7.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/cdcdbb579706841c47f7063dda365e292e5cad7a...8214744c546c1e5c8f03dde8fab3a7353211988d)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
---
 .github/workflows/codeql.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
index ffe2108..0d5a561 100644
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
@@ -38,7 +38,7 @@ jobs:
           exit-code: '0'
           vuln-type: os,library
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
+        uses: github/codeql-action/upload-sarif@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7
         with:
           sarif_file: trivy-results.sarif
           category: code
\ No newline at end of file