diff --git a/chart/templates/kyverno/gitrepository.yaml b/chart/templates/kyverno/gitrepository.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..e3155018544f6f5ee8b4263080fc155d020636db
--- /dev/null
+++ b/chart/templates/kyverno/gitrepository.yaml
@@ -0,0 +1,18 @@
+{{- if and (not .Values.offline) .Values.kyverno.enabled }}
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+ name: kyverno
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: kyverno
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
+spec:
+ interval: {{ .Values.flux.interval }}
+ url: {{ .Values.kyverno.git.repo }}
+ ref:
+ {{- include "validRef" .Values.kyverno.git | nindent 4 }}
+ {{ include "gitIgnore" . }}
+ {{- include "gitCreds" . | nindent 2 }}
+{{- end }}
diff --git a/chart/templates/kyverno/helmrelease.yaml b/chart/templates/kyverno/helmrelease.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..1a9f6584776225a7afa434b1154a2d30aa589168
--- /dev/null
+++ b/chart/templates/kyverno/helmrelease.yaml
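Review bot: The GitRepository reconciles whatever `.Values.kyverno.git` resolves to with no `spec.verify` block, so a retargeted tag or a compromised upstream branch is picked up as-is on the next `interval`; source-controller can check commit signatures with `verify: {mode: head, secretRef: {name: <gpg-public-keys>}}`. This likely mirrors the other package GitRepositories in the chart, so the right place may be a shared helper rather than this file, but it is worth recording as a known gap. Separately, `{{ include "gitIgnore" . }}` is the only untrimmed action here while `gitCreds` on the next line uses `{{- … | nindent 2 }}`; if the helper emits a bare `ignore:` key, `{{- include "gitIgnore" . | nindent 2 }}` would make the two consistent.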
@@ -0,0 +1,45 @@
+{{- $fluxSettingskyverno := merge .Values.kyverno.flux .Values.flux -}}
+{{- if .Values.kyverno.enabled }}
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: kyverno
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: kyverno
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
+spec:
+ targetNamespace: kyverno
+
+ chart:
+ spec:
+ chart: {{ .Values.kyverno.git.path }}
+ interval: 5m
+ sourceRef:
+ kind: GitRepository
+ name: kyverno
+ namespace: {{ .Release.Namespace }}
+
+ {{- toYaml $fluxSettingskyverno | nindent 2 }}
+
+ {{- if .Values.kyverno.postRenderers }}
+ postRenderers:
+ {{ toYaml .Values.kyverno.postRenderers | nindent 4 }}
+ {{- end }}
+ valuesFrom:
+ - name: {{ .Release.Name }}-kyverno-values
+ kind: Secret
+ valuesKey: "common"
+ - name: {{ .Release.Name }}-kyverno-values
+ kind: Secret
+ valuesKey: "defaults"
+ - name: {{ .Release.Name }}-kyverno-values
+ kind: Secret
+ valuesKey: "overlays"
+ {{- if .Values.gatekeeper.enabled }}
+ dependsOn:
+ - name: gatekeeper
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+{{- end }}
diff --git a/chart/templates/kyverno/imagepullsecret.yaml b/chart/templates/kyverno/imagepullsecret.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..c2c687f9d6983e1327fe5ce68b152f40ac6c58fd
--- /dev/null
+++ b/chart/templates/kyverno/imagepullsecret.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.kyverno.enabled }}
+{{- if ( include "imagePullSecret" . ) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: private-registry
+ namespace: kyverno
+ labels:
+ app.kubernetes.io/name: kyverno
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ template "imagePullSecret" . }}
+{{- end }}
+{{- end }}
\ No newline at end of file
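Review bot: `{{ toYaml .Values.kyverno.postRenderers | nindent 4 }}` is the one untrimmed action in the HelmRelease; `{{- toYaml $fluxSettingskyverno | nindent 2 }}` two lines above uses the trimmed form, and with `nindent` the leading `{{-` is what keeps a stray indented blank line out of the rendered manifest, so `{{- toYaml .Values.kyverno.postRenderers | nindent 4 }}` would match. The chart `interval: 5m` is also hard-coded while the GitRepository in this commit takes `.Values.flux.interval`; using the same value keeps the chart re-fetch cadence under the global setting. Note too that Sprig `merge` mutates its first argument, so after the first line `.Values.kyverno.flux` carries every `.Values.flux` key for the rest of the render — harmless today as far as this diff shows, but worth a one-line comment on the assignment.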
diff --git a/chart/templates/kyverno/namespace.yaml b/chart/templates/kyverno/namespace.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..d0e14c6f031ae42066dd4550f94a1b2386527b55
--- /dev/null
+++ b/chart/templates/kyverno/namespace.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.kyverno.enabled }}
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ admission.kyverno.sh/ignore: no-self-managing
+ control-plane: controller-manager
+ kyverno.sh/system: "yes"
+ app.kubernetes.io/name: kyverno
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
+ istio-injection: disabled
+ name: kyverno
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/kyverno/values.yaml b/chart/templates/kyverno/values.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..39c44a38fe94aa7cfbb1018947d89d159d4e8986
--- /dev/null
+++ b/chart/templates/kyverno/values.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.kyverno.enabled }}
+{{- include "values-secret" (dict "root" $ "package" .Values.kyverno "name" "kyverno" "defaults" (include "bigbang.defaults.kyverno" .)) }}
+{{- end }}
+
+{{- define "bigbang.defaults.kyverno" -}}
+image:
+ pullSecrets:
+ - name: private-registry
+
+openshift: {{ .Values.openshift }}
+
+networkPolicies:
+ enabled: {{ .Values.networkPolicies.enabled }}
+ controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+
+monitoring:
+ enabled: false #{{ .Values.monitoring.enabled }} To enable this, we need PodMonitor crd
+
+istio:
+ enabled: {{ .Values.istio.enabled }}
+{{- end -}}
diff --git a/chart/values.yaml b/chart/values.yaml
index dadfcc6f2ab2ce0dfbf305af4d8b113ae6d82922..534e53ec4d5681287a1dabb5f56547e25ab7da52 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
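Review bot: The four non-standard labels on the Namespace (`admission.kyverno.sh/ignore: no-self-managing`, `control-plane: controller-manager`, `kyverno.sh/system: "yes"`, `istio-injection: disabled`) each carry a security consequence but nothing in the file says what they are for. The first three presumably match the namespace selectors that exempt Kyverno from its own admission webhooks, so a misbehaving policy cannot lock Kyverno out of its own namespace, and the last keeps the sidecar off the webhook pods the API server calls directly — worth confirming against the package chart. Suggest a comment above `labels:` along the lines of `# Labels below exempt this namespace from Kyverno's own webhooks (self-management) and from Istio injection; do not remove`, so a later cleanup does not strip them.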
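Review bot: `enabled: false #{{ .Values.monitoring.enabled }} To enable this, we need PodMonitor crd` looks commented out but is not: Helm runs the template actions before the output is parsed as YAML, so `.Values.monitoring.enabled` is still evaluated on every render (producing something like `false #true To enable …`), and the render would fail if the `monitoring` map were ever absent, even though the value is unused. Either drop the action or use a Go template comment so intent and behaviour agree: `enabled: false  # TODO: pass through .Values.monitoring.enabled once the package can create a PodMonitor CRD`. The `{{- define "bigbang.defaults.kyverno" -}}` helper as a whole would also benefit from a one-line header comment stating that these are umbrella-level defaults merged under the package's own values by the `values-secret` include above.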
@@ -321,6 +321,32 @@ gatekeeper: postRenderers: [] # ---------------------------------------------------------------------------------------------------------------------- +# ---------------------------------------------------------------------------------------------------------------------- +# Kyverno +# +kyverno: + # -- Toggle deployment of Kyverno. + enabled: false + git: + repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno + path: "./chart" + tag: "2.1.2-bb.0" + + # -- Flux reconciliation overrides specifically for the Kyverno Package + flux: + install: + crds: CreateReplace + upgrade: + crds: CreateReplace + + # -- Values to passthrough to the kyverno chart: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno.git + values: {} + + # -- Post Renderers. See docs/postrenders.md + postRenderers: [] +# ---------------------------------------------------------------------------------------------------------------------- + + # ---------------------------------------------------------------------------------------------------------------------- # Logging # diff --git a/tests/test-values.yaml b/tests/test-values.yaml index 0d78abca8370483624f6cd59c56d5f5bd01c75ad..3bab446b1a5b36b151e9f83186e01869250af88f 100644 --- a/tests/test-values.yaml +++ b/tests/test-values.yaml @@ -200,6 +200,22 @@ gatekeeper: - name: "{{ .Chart.Name }}-kube-cache" emptyDir: {} +kyverno: + enabled: false + values: + replicas: 1 + bbtests: + enabled: true + scripts: + image: registry1.dso.mil/ironbank/opensource/kubernetes-1.21/kubectl:v1.21.1 + additionalVolumeMounts: + - name: "{{ .Chart.Name }}-test-config" + mountPath: /yaml + additionalVolumes: + - name: "{{ .Chart.Name }}-test-config" + configMap: + name: "{{ .Chart.Name }}-test-config" + logging: enabled: true sso:
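Review bot: `tag: "2.1.2-bb.0"` pins the package by a mutable git tag on a repo under `…/apps/sandbox/kyverno`, which is likely to have weaker branch and tag protection than the main package groups, and the GitRepository added in this commit will re-reconcile whatever that tag points at on each interval. A `commit:` pin alongside the tag, if the chart's `validRef` helper honours it (not visible here), or a note that the package must leave sandbox before `enabled` defaults to true, would close that. Suggested wording on the tag line: `tag: "2.1.2-bb.0"  # sandbox package; prefer an immutable commit pin before enabling in production`.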
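Review bot: `enabled: false` under `kyverno:` in tests/test-values.yaml means the `bbtests` block beneath it is never exercised in CI, so the kubectl image, the `/yaml` mount and the `{{ .Chart.Name }}-test-config` ConfigMap it references stay unverified until someone flips the flag. If keeping it off is deliberate while the package is in sandbox, say so on the line: `enabled: false  # kept off until the package leaves sandbox; flip to true to run bbtests`. Otherwise this is the one test-values entry in the hunk that the commit itself would not have validated.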