From 8aa130cef7109dcef10b0931c9c1fef231354274 Mon Sep 17 00:00:00 2001
From: Tunde Oladipupo <toladipupo@oteemo.com>
Date: Tue, 30 Nov 2021 17:28:13 +0000
Subject: [PATCH] SKIP UPGRADE: Kyverno Package
---
 chart/templates/kyverno/gitrepository.yaml | 18 ++++++++
 chart/templates/kyverno/helmrelease.yaml | 45 ++++++++++++++++++++
 chart/templates/kyverno/imagepullsecret.yaml | 16 +++++++
 chart/templates/kyverno/namespace.yaml | 14 ++++++
 chart/templates/kyverno/values.yaml | 21 +++++++++
 chart/values.yaml | 26 +++++++++++
 tests/test-values.yaml | 16 +++++++
 7 files changed, 156 insertions(+)
 create mode 100644 chart/templates/kyverno/gitrepository.yaml
 create mode 100644 chart/templates/kyverno/helmrelease.yaml
 create mode 100644 chart/templates/kyverno/imagepullsecret.yaml
 create mode 100644 chart/templates/kyverno/namespace.yaml
 create mode 100644 chart/templates/kyverno/values.yaml
diff --git a/chart/templates/kyverno/gitrepository.yaml b/chart/templates/kyverno/gitrepository.yaml
new file mode 100644
index 0000000000..e315501854
--- /dev/null
+++ b/chart/templates/kyverno/gitrepository.yaml
@@ -0,0 +1,18 @@
+{{- if and (not .Values.offline) .Values.kyverno.enabled }}
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+ name: kyverno
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: kyverno
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
+spec:
+ interval: {{ .Values.flux.interval }}
+ url: {{ .Values.kyverno.git.repo }}
+ ref:
+ {{- include "validRef" .Values.kyverno.git | nindent 4 }}
+ {{ include "gitIgnore" . }}
+ {{- include "gitCreds" . | nindent 2 }}
+{{- end }}
diff --git a/chart/templates/kyverno/helmrelease.yaml b/chart/templates/kyverno/helmrelease.yaml
new file mode 100644
index 0000000000..1a9f658477
--- /dev/null
+++ b/chart/templates/kyverno/helmrelease.yaml
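Review bot: The `not .Values.offline` gate applies only to this GitRepository, while helmrelease.yaml in the same patch renders the HelmRelease on `.Values.kyverno.enabled` alone, so an offline install gets a `sourceRef` to a GitRepository named `kyverno` that this chart never creates. If the convention for the other packages is that operators pre-create that source in the release namespace, say so where `kyverno.git` is introduced in values.yaml, e.g. `# -- Git source for the package; not rendered when offline: true, a GitRepository named "kyverno" must then already exist in the release namespace`; otherwise gate the HelmRelease with the same condition. The `{{ include "gitIgnore" . }}` line also differs from its two neighbours (no `-` trim and no `nindent`), which is only correct if that helper already returns text indented for this position — worth confirming against the helper, which is not visible here.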
@@ -0,0 +1,45 @@
+{{- $fluxSettingskyverno := merge .Values.kyverno.flux .Values.flux -}}
+{{- if .Values.kyverno.enabled }}
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: kyverno
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: kyverno
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
+spec:
+ targetNamespace: kyverno
+
+ chart:
+ spec:
+ chart: {{ .Values.kyverno.git.path }}
+ interval: 5m
+ sourceRef:
+ kind: GitRepository
+ name: kyverno
+ namespace: {{ .Release.Namespace }}
+
+ {{- toYaml $fluxSettingskyverno | nindent 2 }}
+
+ {{- if .Values.kyverno.postRenderers }}
+ postRenderers:
+ {{ toYaml .Values.kyverno.postRenderers | nindent 4 }}
+ {{- end }}
+ valuesFrom:
+ - name: {{ .Release.Name }}-kyverno-values
+ kind: Secret
+ valuesKey: "common"
+ - name: {{ .Release.Name }}-kyverno-values
+ kind: Secret
+ valuesKey: "defaults"
+ - name: {{ .Release.Name }}-kyverno-values
+ kind: Secret
+ valuesKey: "overlays"
+ {{- if .Values.gatekeeper.enabled }}
+ dependsOn:
+ - name: gatekeeper
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+{{- end }}
diff --git a/chart/templates/kyverno/imagepullsecret.yaml b/chart/templates/kyverno/imagepullsecret.yaml
new file mode 100644
index 0000000000..c2c687f9d6
--- /dev/null
+++ b/chart/templates/kyverno/imagepullsecret.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.kyverno.enabled }}
+{{- if ( include "imagePullSecret" . ) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: private-registry
+ namespace: kyverno
+ labels:
+ app.kubernetes.io/name: kyverno
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ template "imagePullSecret" . }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/kyverno/namespace.yaml b/chart/templates/kyverno/namespace.yaml
new file mode 100644
index 0000000000..d0e14c6f03
--- /dev/null
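Review bot: `interval: 5m` under `spec.chart.spec` is hard-coded while the GitRepository this HelmRelease points at takes `{{ .Values.flux.interval }}`, so tuning `flux.interval` changes how often the repo is fetched but not how often the chart artifact is rebuilt; unless the other package templates deliberately hard-code it, `interval: {{ .Values.flux.interval }}` keeps the two cadences in step. Separately, `{{ toYaml .Values.kyverno.postRenderers | nindent 4 }}` is the one action in this file without a leading `-` trim, so it leaves an empty line after `postRenderers:` in the rendered manifest; harmless, but `{{- toYaml .Values.kyverno.postRenderers | nindent 4 }}` matches its siblings. Note also that Sprig `merge` writes into its first argument, so the top-line `merge .Values.kyverno.flux .Values.flux` mutates `.Values.kyverno.flux` for any template rendered after this one — presumably the pattern the other packages share, but a short comment on that line would spare the next reader the surprise.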
+++ b/chart/templates/kyverno/namespace.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.kyverno.enabled }}
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ admission.kyverno.sh/ignore: no-self-managing
+ control-plane: controller-manager
+ kyverno.sh/system: "yes"
+ app.kubernetes.io/name: kyverno
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
+ istio-injection: disabled
+ name: kyverno
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/kyverno/values.yaml b/chart/templates/kyverno/values.yaml
new file mode 100644
index 0000000000..39c44a38fe
--- /dev/null
+++ b/chart/templates/kyverno/values.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.kyverno.enabled }}
+{{- include "values-secret" (dict "root" $ "package" .Values.kyverno "name" "kyverno" "defaults" (include "bigbang.defaults.kyverno" .)) }}
+{{- end }}
+
+{{- define "bigbang.defaults.kyverno" -}}
+image:
+ pullSecrets:
+ - name: private-registry
+
+openshift: {{ .Values.openshift }}
+
+networkPolicies:
+ enabled: {{ .Values.networkPolicies.enabled }}
+ controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+
+monitoring:
+ enabled: false #{{ .Values.monitoring.enabled }} To enable this, we need PodMonitor crd
+
+istio:
+ enabled: {{ .Values.istio.enabled }}
+{{- end -}}
diff --git a/chart/values.yaml b/chart/values.yaml
index dadfcc6f2a..534e53ec4d 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
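Review bot: `istio-injection: disabled` hard-codes the kyverno namespace out of the mesh, yet values.yaml in this same patch passes `istio.enabled: {{ .Values.istio.enabled }}` through to the package chart, so with Istio on the chart may render mesh objects for pods that will never receive a sidecar. Keeping an admission webhook off the request path of the mesh is a common and defensible choice, but it should be stated on the label, `# webhook pods run outside the mesh on purpose; keep in sync with the istio.enabled passthrough in values.yaml`, otherwise drive the label from `.Values.istio.enabled`. The `admission.kyverno.sh/ignore: no-self-managing` and `kyverno.sh/system: "yes"` labels appear to be the webhook-exclusion selectors the package keys on, which means policies are not enforced in this namespace — also worth a one-line comment so nobody later expects them to apply here.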
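Review bot: The `{{ .Values.monitoring.enabled }}` inside the YAML comment on the `monitoring.enabled` line is still executed by the Go template engine — a `#` hides the output from the YAML parser, not from Helm — so it is evaluated on every render and would break rendering if `monitoring` were ever removed from the values, while reading as dead text. Use a template comment so the intent survives without evaluation, `enabled: false {{/* TODO: wire to .Values.monitoring.enabled once the PodMonitor CRD is available */}}`, or drop the expression and keep a plain `# TODO: use .Values.monitoring.enabled once the PodMonitor CRD is present`. The `define` block is also the only place the `private-registry` pull secret name is referenced besides imagepullsecret.yaml; a comment such as `# must match metadata.name in imagepullsecret.yaml` would keep the two from drifting.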
@@ -321,6 +321,32 @@ gatekeeper:
 postRenderers: []
 # ----------------------------------------------------------------------------------------------------------------------
+# ----------------------------------------------------------------------------------------------------------------------
+# Kyverno
+#
+kyverno:
+ # -- Toggle deployment of Kyverno.
+ enabled: false
+ git:
+ repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno
+ path: "./chart"
+ tag: "2.1.2-bb.0"
+
+ # -- Flux reconciliation overrides specifically for the Kyverno Package
+ flux:
+ install:
+ crds: CreateReplace
+ upgrade:
+ crds: CreateReplace
+
+ # -- Values to passthrough to the kyverno chart: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno.git
+ values: {}
+
+ # -- Post Renderers. See docs/postrenders.md
+ postRenderers: []
+# ----------------------------------------------------------------------------------------------------------------------
+
+
 # ----------------------------------------------------------------------------------------------------------------------
 # Logging
 #
diff --git a/tests/test-values.yaml b/tests/test-values.yaml
index 0d78abca83..3bab446b1a 100644
--- a/tests/test-values.yaml
+++ b/tests/test-values.yaml
@@ -200,6 +200,22 @@ gatekeeper:
 - name: "{{ .Chart.Name }}-kube-cache"
 emptyDir: {}
+kyverno:
+ enabled: false
+ values:
+ replicas: 1
+ bbtests:
+ enabled: true
+ scripts:
+ image: registry1.dso.mil/ironbank/opensource/kubernetes-1.21/kubectl:v1.21.1
+ additionalVolumeMounts:
+ - name: "{{ .Chart.Name }}-test-config"
+ mountPath: /yaml
+ additionalVolumes:
+ - name: "{{ .Chart.Name }}-test-config"
+ configMap:
+ name: "{{ .Chart.Name }}-test-config"
+
 logging:
 enabled: true
 sso:
-- 
GitLab
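Review bot: `tag: "2.1.2-bb.0"` pins an admission-policy engine to a mutable git tag in a `sandbox` project path, so what Flux deploys can change without any diff in this file if the tag is moved or the sandbox project is rewritten. Since gitrepository.yaml feeds this whole `kyverno.git` mapping to the `validRef` helper, a `commit:` pin may already be supported there — confirm against the helper — and at minimum the sandbox status belongs next to `repo:`, e.g. `# NOTE: sandbox package; repo and tag are expected to move when promoted`. The `flux.install.crds`/`upgrade.crds: CreateReplace` overrides are the right call for a CRD-bearing chart and match their comment.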
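Review bot: `kyverno.enabled: false` in tests/test-values.yaml means the `bbtests` block added beneath it is never rendered in CI, so the new package ships without its templates or test hook being exercised. If leaving it off is deliberate for a sandbox package, say so inline, `enabled: false  # sandbox package: not exercised in CI yet`; otherwise flip it to `true` here so the values-secret, namespace and HelmRelease templates in this patch at least get a render in the test pipeline.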