Merge branch 'kyverno-reporter' into 'master'

Add Kyverno Reporter

See merge request platform-one/big-bang/bigbang!2123

chart/templates/kyverno/gitrepository.yaml

-{{- if and (not .Values.offline) (or .Values.kyverno.enabled .Values.kyvernopolicies.enabled) }}
+{{- if and (not .Values.offline) (or .Values.kyverno.enabled .Values.kyvernopolicies.enabled .Values.kyvernoreporter.enabled) }}
 apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: GitRepository
 metadata:

chart/templates/kyverno/helmrelease.yaml

 {{- $fluxSettingskyverno := merge .Values.kyverno.flux .Values.flux -}}
-{{- if or .Values.kyverno.enabled .Values.kyvernopolicies.enabled }}
+{{- if or .Values.kyverno.enabled .Values.kyvernopolicies.enabled .Values.kyvernoreporter.enabled }}
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:

chart/templates/kyverno/imagepullsecret.yaml

-{{- if or .Values.kyverno.enabled .Values.kyvernopolicies.enabled }}
+{{- if or .Values.kyverno.enabled .Values.kyvernopolicies.enabled .Values.kyvernoreporter.enabled }}
 {{- if ( include "imagePullSecret" . ) }}
 apiVersion: v1
 kind: Secret

chart/templates/kyverno/namespace.yaml

-{{- if or .Values.kyverno.enabled .Values.kyvernopolicies.enabled }}
+{{- if or .Values.kyverno.enabled .Values.kyvernopolicies.enabled .Values.kyvernoreporter.enabled }}
 apiVersion: v1
 kind: Namespace
 metadata:

chart/templates/kyverno/policies/values.yaml

 {{- $pkg := "kyvernopolicies" }}
 
-{{- if .Values.kyvernopolicies.enabled }}
+{{- if (get .Values $pkg).enabled }}
 {{- include "values-secret" (dict "root" $ "package" (dict "values" (fromYaml (include "bigbang.overlays.kyvernopolicies" .))) "name" "kyvernopolicies" "defaults" (include "bigbang.defaults.kyvernopolicies" .)) }}
 {{- end }}
 

chart/templates/kyverno/reporter/gitrepository.yaml

+{{- $pkg := "kyvernoreporter" }}
+{{- if (get .Values $pkg).enabled }}
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+  name: {{ $pkg }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ $pkg }}
+    {{- include "commonLabels" . | nindent 4}}
+spec:
+  interval: {{ .Values.flux.interval }}
+  url: {{ (get .Values $pkg).git.repo }}
+  ref:
+    {{- include "validRef" (get .Values $pkg).git | nindent 4 }}
+  {{ include "gitIgnore" . }}
+  {{- include "gitCreds" . | nindent 2 }}
+{{- end }}
\ No newline at end of file

chart/templates/kyverno/reporter/helmrelease.yaml

+{{- $pkg := "kyvernoreporter" }}
+{{- $fluxSettings := merge (get .Values $pkg).flux .Values.flux -}}
+{{- if (get .Values $pkg).enabled }}
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: {{ $pkg }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ $pkg }}
+    {{- include "commonLabels" . | nindent 4}}
+spec:
+  targetNamespace: kyverno-reporter
+  chart:
+    spec:
+      chart: {{ (get .Values $pkg).git.path }}
+      interval: 5m
+      sourceRef:
+        kind: GitRepository
+        name: {{ $pkg }}
+        namespace: {{ .Release.Namespace }}
+
+  {{- toYaml $fluxSettings | nindent 2 }}
+
+  {{- if (get .Values $pkg).postRenderers }}
+  postRenderers:
+  {{ toYaml (get .Values $pkg).postRenderers | nindent 4 }}
+  {{- end }}
+  valuesFrom:
+    - name: {{ .Release.Name }}-{{ $pkg }}-values
+      kind: Secret
+      valuesKey: "common"
+    - name: {{ .Release.Name }}-{{ $pkg }}-values
+      kind: Secret
+      valuesKey: "defaults"
+    - name: {{ .Release.Name }}-{{ $pkg }}-values
+      kind: Secret
+      valuesKey: "overlays"
+  dependsOn:
+    - name: kyverno
+      namespace: {{ .Release.Namespace }}
+    {{- if .Values.kyvernopolicies.enabled }}
+    - name: kyvernopolicies
+      namespace: {{ .Release.Namespace }}
+    {{- end }}
+    {{- if .Values.monitoring.enabled }}
+    - name: monitoring
+      namespace: {{ .Release.Namespace }}
+    {{- end }}
+    {{- if .Values.istio.enabled }}
+    - name: istio
+      namespace: {{ .Release.Namespace }}
+    {{- end }}
+{{- end }}
\ No newline at end of file

chart/templates/kyverno/reporter/imagepullsecret.yaml

+{{- $pkg := "kyvernoreporter" }}
+{{- if (get .Values $pkg).enabled }}
+{{- if ( include "imagePullSecret" . ) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: private-registry
+  namespace: kyverno-reporter
+  labels:
+    app.kubernetes.io/name: {{ $pkg }}
+    {{- include "commonLabels" . | nindent 4}}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ template "imagePullSecret" . }}
+{{- end }}
+{{- end }}
\ No newline at end of file

chart/templates/kyverno/reporter/namespace.yaml

+{{- $pkg := "kyvernoreporter" }}
+{{- if (get .Values $pkg).enabled }}
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/name: {{ $pkg }}
+    app.kubernetes.io/component: "core"
+    {{- include "commonLabels" . | nindent 4}}
+    istio-injection: enabled
+  name: kyverno-reporter
+{{- end }}
\ No newline at end of file

chart/templates/kyverno/reporter/values.yaml

+{{- $pkg := "kyvernoreporter" }}
+
+{{- if (get .Values $pkg).enabled }}
+{{- include "values-secret" (dict "root" $ "package" (get .Values $pkg) "name" $pkg "defaults" (include (printf "bigbang.defaults.%s" $pkg) .)) }}
+{{- end }}
+
+{{- define "bigbang.defaults.kyvernoreporter" -}}
+
+global:
+  fullnameOverride: kyverno-reporter
+
+image:
+  pullPolicy: {{ .Values.imagePullPolicy }}
+imagePullSecrets:
+- name: private-registry
+
+{{- if .Values.istio.enabled }}
+istio:
+  enabled: true
+podAnnotations:
+  {{ include "istioAnnotation" . }}
+{{- end }}
+
+kyvernoPlugin:
+  image:
+    pullPolicy: {{ .Values.imagePullPolicy }}
+  imagePullSecrets:
+  - name: private-registry
+  {{- if .Values.istio.enabled }}
+  podAnnotations:
+    {{ include "istioAnnotation" . }}
+  {{- end }}
+
+ui:
+  image:
+    pullPolicy: {{ .Values.imagePullPolicy }}
+  imagePullSecrets:
+  - name: private-registry
+  {{- if .Values.istio.enabled }}
+  podAnnotations:
+    {{ include "istioAnnotation" . }}
+  {{- end }}
+
+monitoring:
+  enabled: {{ .Values.monitoring.enabled }}
+  grafana:
+    namespace: monitoring
+
+openshift: {{ .Values.openshift }}
+
+networkPolicies:
+  enabled: {{ .Values.networkPolicies.enabled }}
+  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+
+{{- end -}}
\ No newline at end of file

chart/templates/kyverno/values.yaml

-{{- if or .Values.kyverno.enabled .Values.kyvernopolicies.enabled }}
+{{- if or .Values.kyverno.enabled .Values.kyvernopolicies.enabled .Values.kyvernoreporter.enabled }}
 {{- include "values-secret" (dict "root" $ "package" .Values.kyverno "name" "kyverno" "defaults" (include "bigbang.defaults.kyverno" .)) }}
 {{- end }}
 

chart/values.yaml

@@ -407,6 +407,23 @@ kyvernopolicies:
   # -- Post Renderers.  See docs/postrenders.md
   postRenderers: []
 
+kyvernoreporter:
+  # -- Toggle deployment of Kyverno Reporter
+  enabled: false
+  git:
+    repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno-reporter
+    path: ./chart
+    tag: "2.13.0-bb.0"
+
+  # -- Flux reconciliation overrides specifically for the Kyverno Reporter Package
+  flux: {}
+
+  # -- Values to passthrough to the kyverno reporter chart: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno-reporter.git
+  values: {}
+
+  # -- Post Renderers.  See docs/postrenders.md
+  postRenderers: []
+
 # ----------------------------------------------------------------------------------------------------------------------
 
 # ----------------------------------------------------------------------------------------------------------------------

docs/packages.md

@@ -26,6 +26,7 @@ Columns:
 | [Cluster Auditor](https://repo1.dso.mil/platform-one/big-bang/apps/core/cluster-auditor) | ![Cluster Auditor Build](https://repo1.dso.mil/platform-one/big-bang/apps/core/cluster-auditor/badges/main/pipeline.svg)  | No | No | No | [Yes](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/565) | [Yes (STRICT)](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/1370) | No |
 | [Kyverno](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno) | ![Kyverno Build](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno/badges/main/pipeline.svg) |  No | No | No | Yes | No | No |
 | [Kyverno Policies](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno-policies) ![BETA](https://img.shields.io/badge/BETA-purple?style=flat-square) | ![Kyverno Build](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno-policies/badges/main/pipeline.svg) |  No | No | No | Yes | No | No |
+| [Kyverno Reporter](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno-reporter) | ![Kyverno Build](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno-reporter/badges/main/pipeline.svg) |  No | No | No | Yes | Yes (STRICT) | No |
 | [Promtail](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/promtail) ![BETA](https://img.shields.io/badge/BETA-purple?style=flat-square) | ![Promtail Build](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/promtail/badges/main/pipeline.svg) |  No | No | No | Yes | [Yes (STRICT)](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/1516) | No |
 | [Loki](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/loki) ![BETA](https://img.shields.io/badge/BETA-purple?style=flat-square) | ![Loki Build](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/loki/badges/main/pipeline.svg) |  No | No | No | Yes | [Yes (STRICT)](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/1516) | No |
 | [Tempo](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/tempo) ![BETA](https://img.shields.io/badge/BETA-purple?style=flat-square) | ![Tempo Build](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/tempo/badges/main/pipeline.svg) | No | Yes | Yes | [Yes](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/1253) | [Yes (STRICT)](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/1762) | No |

docs/understanding-bigbang/package-architecture/kyverno.md

@@ -40,6 +40,37 @@ kyverno:
     replicaCount: 3
 ```
 
+## Kyverno Reporter
+
+Kyverno Reporter is an optional component providing two main reporting functions: 
+* Providing a metrics endpoint which can be used to observe in monitoring tools like Grafana.
+* Reporting Kyverno policy violations to various configurable `targets`, including Grafana Loki, Elasticsearch, Slack, Discord or MS Teams.
+
+
+```yaml
+kyvernoreporter:
+  enabled: true
+```
+
+### Kyverno Reporter UI
+While not yet officially supported by BigBang the Kyverno Reporter can be useful for inspecting policy results when other tools like Grafana are not available or in debugging scenarios.
+```yaml
+kyvernoreporter:
+  enabled: true
+
+  values:
+    global:
+      plugins:
+        kyverno:
+          enabled: true
+
+    ui:
+      enabled: true
+
+    kyvernoPlugin:
+      enabled: true
+```
+
 ## Single Sign on (SSO)
 
 None. This service doesn't have a web interface.

tests/test-values.yaml

@@ -293,6 +293,15 @@ kyverno:
     bbtests:
       enabled: true
 
+kyvernoreporter:
+  enabled: false
+  values:
+    bbtests:
+      cypress:
+        envs:
+          cypress_grafana_url: https://grafana.bigbang.dev
+          cypress_prometheus_url: https://prometheus.bigbang.dev
+
 kyvernopolicies:
   enabled: false
   values: