Merge branch '828-kyverno-pkg' into 'master'

SKIP UPGRADE: Kyverno Package Closes #828 See merge request platform-one/big-bang/bigbang!1124

Merge branch '828-kyverno-pkg' into 'master'
9f6e324e · Micah Nagel · 59fda8c2 · 8aa130ce · 9f6e324e · 9f6e324e
Commit 9f6e324e authored 3 years ago by Micah Nagel
--- a/chart/templates/kyverno/gitrepository.yaml
+++ b/chart/templates/kyverno/gitrepository.yaml
+{{- if and (not .Values.offline) .Values.kyverno.enabled }}
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+  name: kyverno
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: kyverno
+    app.kubernetes.io/component: "core"
+    {{- include "commonLabels" . | nindent 4}}
+spec:
+  interval: {{ .Values.flux.interval }}
+  url: {{ .Values.kyverno.git.repo }}
+  ref:
+    {{- include "validRef" .Values.kyverno.git | nindent 4 }}
+  {{ include "gitIgnore" . }}
+  {{- include "gitCreds" . | nindent 2 }}
+{{- end }}
--- a/chart/templates/kyverno/helmrelease.yaml
+++ b/chart/templates/kyverno/helmrelease.yaml
+{{- $fluxSettingskyverno := merge .Values.kyverno.flux .Values.flux -}}
+{{- if .Values.kyverno.enabled }}
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: kyverno
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: kyverno
+    app.kubernetes.io/component: "core"
+    {{- include "commonLabels" . | nindent 4}}
+spec:
+  targetNamespace: kyverno
+
+  chart:
+    spec:
+      chart: {{ .Values.kyverno.git.path }}
+      interval: 5m
+      sourceRef:
+        kind: GitRepository
+        name: kyverno
+        namespace: {{ .Release.Namespace }}
+
+  {{- toYaml $fluxSettingskyverno | nindent 2 }}
+
+  {{- if .Values.kyverno.postRenderers }}
+  postRenderers:
+  {{ toYaml .Values.kyverno.postRenderers | nindent 4 }}
+  {{- end }}
+  valuesFrom:
+    - name: {{ .Release.Name }}-kyverno-values
+      kind: Secret
+      valuesKey: "common"
+    - name: {{ .Release.Name }}-kyverno-values
+      kind: Secret
+      valuesKey: "defaults"
+    - name: {{ .Release.Name }}-kyverno-values
+      kind: Secret
+      valuesKey: "overlays"
+  {{- if .Values.gatekeeper.enabled }}
+  dependsOn:
+    - name: gatekeeper
+      namespace: {{ .Release.Namespace }}
+  {{- end }}
+{{- end }}
--- a/chart/templates/kyverno/imagepullsecret.yaml
+++ b/chart/templates/kyverno/imagepullsecret.yaml
+{{- if .Values.kyverno.enabled }}
+{{- if ( include "imagePullSecret" . ) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: private-registry
+  namespace: kyverno
+  labels:
+    app.kubernetes.io/name: kyverno
+    app.kubernetes.io/component: "core"
+    {{- include "commonLabels" . | nindent 4}}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ template "imagePullSecret" . }}
+{{- end }}
+{{- end }}
\ No newline at end of file
--- a/chart/templates/kyverno/namespace.yaml
+++ b/chart/templates/kyverno/namespace.yaml
+{{- if .Values.kyverno.enabled }}
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    admission.kyverno.sh/ignore: no-self-managing
+    control-plane: controller-manager
+    kyverno.sh/system: "yes"
+    app.kubernetes.io/name: kyverno
+    app.kubernetes.io/component: "core"
+    {{- include "commonLabels" . | nindent 4}}
+    istio-injection: disabled
+  name: kyverno
+{{- end }}
\ No newline at end of file
--- a/chart/templates/kyverno/values.yaml
+++ b/chart/templates/kyverno/values.yaml
+{{- if .Values.kyverno.enabled }}
+{{- include "values-secret" (dict "root" $ "package" .Values.kyverno "name" "kyverno" "defaults" (include "bigbang.defaults.kyverno" .)) }}
+{{- end }}
+
+{{- define "bigbang.defaults.kyverno" -}}
+image:
+  pullSecrets:
+  - name: private-registry
+
+openshift: {{ .Values.openshift }}
+
+networkPolicies:
+  enabled: {{ .Values.networkPolicies.enabled }}
+  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+
+monitoring:
+  enabled: false #{{ .Values.monitoring.enabled }} To enable this, we need PodMonitor crd
+
+istio:
+  enabled: {{ .Values.istio.enabled }}
+{{- end -}}
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -321,6 +321,32 @@ gatekeeper:
  postRenderers: []
 # ----------------------------------------------------------------------------------------------------------------------

+# ----------------------------------------------------------------------------------------------------------------------
+# Kyverno
+#
+kyverno:
+  # -- Toggle deployment of Kyverno.
+  enabled: false
+  git:
+    repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno
+    path: "./chart"
+    tag: "2.1.2-bb.0"
+
+  # -- Flux reconciliation overrides specifically for the Kyverno Package
+  flux:
+    install:
+      crds: CreateReplace
+    upgrade:
+      crds: CreateReplace
+
+  # -- Values to passthrough to the kyverno chart: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno.git
+  values: {}
+
+  # -- Post Renderers.  See docs/postrenders.md
+  postRenderers: []
+# ----------------------------------------------------------------------------------------------------------------------
+
+
 # ----------------------------------------------------------------------------------------------------------------------
 # Logging
 #

--- a/tests/test-values.yaml
+++ b/tests/test-values.yaml
@@ -200,6 +200,22 @@ gatekeeper:
          - name: "{{ .Chart.Name }}-kube-cache"
            emptyDir: {}

+kyverno:
+  enabled: false
+  values:
+    replicas: 1
+    bbtests:
+      enabled: true
+      scripts:
+        image: registry1.dso.mil/ironbank/opensource/kubernetes-1.21/kubectl:v1.21.1
+        additionalVolumeMounts:
+          - name: "{{ .Chart.Name }}-test-config"
+            mountPath: /yaml
+        additionalVolumes:
+          - name: "{{ .Chart.Name }}-test-config"
+            configMap:
+              name: "{{ .Chart.Name }}-test-config"
+
 logging:
  enabled: true
  sso: