fix: add crds to helm (kyverno#182)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Makefile

@@ -10,6 +10,7 @@ PACKAGE_SHIM                       := $(GOPATH_SHIM)/src/$(PACKAGE)
 CLI_BIN                            := kyverno-envoy-plugin
 CGO_ENABLED                        ?= 0
 GOOS                               ?= $(shell go env GOOS)
+CRDS_PATH                          := .crds
 ifdef VERSION
 LD_FLAGS                           := "-s -w -X $(PACKAGE)/pkg/version.BuildVersion=$(VERSION)"
 else
@@ -96,7 +97,7 @@ codegen-crds: $(CONTROLLER_GEN)
 codegen-crds: $(REGISTER_GEN)
 	@echo Generate CRDs... >&2
 	@$(CONTROLLER_GEN) paths=./apis/v1alpha1/... object
-	@$(CONTROLLER_GEN) paths=./apis/v1alpha1/... crd:crdVersions=v1,ignoreUnexportedFields=true,generateEmbeddedObjectMeta=false output:dir=./config/crds
+	@$(CONTROLLER_GEN) paths=./apis/v1alpha1/... crd:crdVersions=v1,ignoreUnexportedFields=true,generateEmbeddedObjectMeta=false output:dir=$(CRDS_PATH)
 	@$(REGISTER_GEN) --input-dirs=./apis/v1alpha1 --go-header-file=./hack/boilerplate.go.txt --output-base=.
 
 .PHONY: codegen-mkdocs
@@ -107,10 +108,27 @@ codegen-mkdocs: ## Generate mkdocs website
 	@$(PIP) install -U mkdocs-material mkdocs-redirects mkdocs-minify-plugin mkdocs-include-markdown-plugin lunr mkdocs-rss-plugin mike
 	@mkdocs build -f ./website/mkdocs.yaml
 
+.PHONY: codegen-helm-crds
+codegen-helm-crds: codegen-crds ## Generate helm CRDs
+	@echo Generate helm crds... >&2
+	@cat $(CRDS_PATH)/* \
+		| $(SED) -e '1i{{- if .Values.crds.install }}' \
+		| $(SED) -e '$$a{{- end }}' \
+		| $(SED) -e '/^  annotations:/a \ \ \ \ {{- end }}' \
+ 		| $(SED) -e '/^  annotations:/a \ \ \ \ {{- toYaml . | nindent 4 }}' \
+		| $(SED) -e '/^  annotations:/a \ \ \ \ {{- with .Values.crds.annotations }}' \
+ 		| $(SED) -e '/^  annotations:/i \ \ labels:' \
+		| $(SED) -e '/^  labels:/a \ \ \ \ {{- end }}' \
+ 		| $(SED) -e '/^  labels:/a \ \ \ \ {{- toYaml . | nindent 4 }}' \
+		| $(SED) -e '/^  labels:/a \ \ \ \ {{- with .Values.crds.labels }}' \
+		| $(SED) -e '/^  labels:/a \ \ \ \ {{- include "kyverno-authz-server.labels" . | nindent 4 }}' \
+ 		> ./charts/kyverno-authz-server/templates/crds.yaml
+
 .PHONY: codegen
 codegen: ## Rebuild all generated code and docs
 codegen: codegen-mkdocs
 codegen: codegen-crds
+codegen: codegen-helm-crds
 
 .PHONY: verify-codegen
 verify-codegen: ## Verify all generated code and docs are up to date
@@ -290,7 +308,7 @@ install-kyverno-authz-server: kind-load-image
 install-kyverno-authz-server: codegen-crds
 install-kyverno-authz-server: $(HELM)
 	@echo Install CRDs... >&2
-	@kubectl apply -f config/crds
+	@kubectl apply -f $(CRDS_PATH)
 	@echo Build kyverno-authz-server dependecy... >&2
 	@$(HELM) dependency build --skip-refresh ./charts/kyverno-authz-server
 	@echo Install kyverno-authz-server chart... >&2

charts/kyverno-authz-server/templates/crds.yaml

@@ -0,0 +1,118 @@
+{{- if .Values.crds.install }}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  labels:
+    {{- include "kyverno-authz-server.labels" . | nindent 4 }}
+    {{- with .Values.crds.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- with .Values.crds.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    controller-gen.kubebuilder.io/version: v0.16.5
+  name: authorizationpolicies.envoy.kyverno.io
+spec:
+  group: envoy.kyverno.io
+  names:
+    kind: AuthorizationPolicy
+    listKind: AuthorizationPolicyList
+    plural: authorizationpolicies
+    singular: authorizationpolicy
+  scope: Cluster
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              authorizations:
+                description: Authorizations contain CEL expressions which is used
+                  to apply the authorization.
+                items:
+                  properties:
+                    expression:
+                      description: |-
+                        Expression represents the expression which will be evaluated by CEL.
+                        ref: https://github.com/google/cel-spec
+                        CEL expressions have access to CEL variables as well as some other useful variables:
+
+                        - 'object' - The object from the incoming request. (https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto#service-auth-v3-checkrequest)
+
+                        CEL expressions are expected to return an envoy CheckResponse (https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto#service-auth-v3-checkresponse).
+                      type: string
+                  required:
+                  - expression
+                  type: object
+                type: array
+                x-kubernetes-list-type: atomic
+              failurePolicy:
+                description: |-
+                  FailurePolicy defines how to handle failures for the policy. Failures can
+                  occur from CEL expression parse errors, type check errors, runtime errors and invalid
+                  or mis-configured policy definitions.
+
+                  FailurePolicy does not define how validations that evaluate to false are handled.
+
+                  Allowed values are Ignore or Fail. Defaults to Fail.
+                type: string
+              variables:
+                description: |-
+                  Variables contain definitions of variables that can be used in composition of other expressions.
+                  Each variable is defined as a named CEL expression.
+                  The variables defined here will be available under `variables` in other expressions of the policy
+                  except MatchConditions because MatchConditions are evaluated before the rest of the policy.
+
+                  The expression of a variable can refer to other variables defined earlier in the list but not those after.
+                  Thus, Variables must be sorted by the order of first appearance and acyclic.
+                items:
+                  description: Variable is the definition of a variable that is used
+                    for composition. A variable is defined as a named expression.
+                  properties:
+                    expression:
+                      description: |-
+                        Expression is the expression that will be evaluated as the value of the variable.
+                        The CEL expression has access to the same identifiers as the CEL expressions in Validation.
+                      type: string
+                    name:
+                      description: |-
+                        Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
+                        The variable can be accessed in other expressions through `variables`
+                        For example, if name is "foo", the variable will be available as `variables.foo`
+                      type: string
+                  required:
+                  - expression
+                  - name
+                  type: object
+                  x-kubernetes-map-type: atomic
+                type: array
+                x-kubernetes-list-map-keys:
+                - name
+                x-kubernetes-list-type: map
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+{{- end }}

charts/kyverno-authz-server/values.yaml

@@ -11,6 +11,19 @@ nameOverride: ~
 # -- (string) Override the expanded name of the chart
 fullnameOverride: ~
 
+crds:
+
+  # -- Whether to have Helm install the CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created
+  install: true
+
+  # -- Additional CRDs annotations
+  annotations: {}
+    # argocd.argoproj.io/sync-options: Replace=true
+    # strategy.spinnaker.io/replace: 'true'
+
+  # -- Additional CRDs labels
+  labels: {}
+
 rbac:
 
   # -- Create RBAC resources