diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index 6e65277..5ea8bf9 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -79,6 +79,6 @@ jobs:
 run: |
 set -e
 make kind-create-cluster
- make install-kyverno-envoy-plugin
+ make install-kyverno-sidecar-injector
 - name: Run Chainsaw Tests
 run: chainsaw test tests/e2e-test
diff --git a/Makefile b/Makefile
index 75d3377..91c399c 100644
--- a/Makefile
+++ b/Makefile
@@ -192,9 +192,9 @@ kind-load-image: ko-build
 # ISTIO #
 #########
-.PHONY: istio-install
-istio-install: ## Install ISTIO
-istio-install: $(HELM)
+.PHONY: install-istio
+install-istio: ## Install istio
+install-istio: $(HELM)
 @echo Install istio... >&2
 @$(HELM) upgrade --install istio-base --namespace istio-system --create-namespace --wait --repo https://istio-release.storage.googleapis.com/charts base
 @$(HELM) upgrade --install istiod --namespace istio-system --create-namespace --wait --repo https://istio-release.storage.googleapis.com/charts istiod
@@ -203,17 +203,17 @@ istio-install: $(HELM)
 # HELM #
 ########
-.PHONY: install-kyverno-envoy-plugin
-install-kyverno-envoy-plugin: ## Install kyverno-envoy-plugin chart
-install-kyverno-envoy-plugin: kind-load-image
-install-kyverno-envoy-plugin: $(HELM)
- @echo Build kyverno-envoy-plugin dependecy... >&2
- @$(HELM) dependency build --skip-refresh ./charts/kyverno-envoy-plugin
- @echo Install kyverno-envoy-plugin chart... >&2
- @$(HELM) upgrade --install kyverno-envoy-plugin --namespace kyverno --create-namespace --wait ./charts/kyverno-envoy-plugin \
- --set sidecarInjector.containers.injector.image.registry=$(KO_REGISTRY) \
- --set sidecarInjector.containers.injector.image.repository=$(PACKAGE) \
- --set sidecarInjector.containers.injector.image.tag=$(GIT_SHA)
+.PHONY: install-kyverno-sidecar-injector
+install-kyverno-sidecar-injector: ## Install kyverno-sidecar-injector chart
+install-kyverno-sidecar-injector: kind-load-image
+install-kyverno-sidecar-injector: $(HELM)
+ @echo Build kyverno-sidecar-injector dependecy... >&2
+ @$(HELM) dependency build --skip-refresh ./charts/kyverno-sidecar-injector
+ @echo Install kyverno-sidecar-injector chart... >&2
+ @$(HELM) upgrade --install kyverno-sidecar-injector --namespace kyverno --create-namespace --wait ./charts/kyverno-sidecar-injector \
+ --set containers.injector.image.registry=$(KO_REGISTRY) \
+ --set containers.injector.image.repository=$(PACKAGE) \
+ --set containers.injector.image.tag=$(GIT_SHA)
 .PHONY: install-kyverno-authz-server
 install-kyverno-authz-server: ## Install kyverno-authz-server chart
diff --git a/charts/kyverno-envoy-plugin/templates/sidecar-injector/rbac.yaml b/charts/kyverno-envoy-plugin/templates/sidecar-injector/rbac.yaml
deleted file mode 100644
index b853d7e..0000000
--- a/charts/kyverno-envoy-plugin/templates/sidecar-injector/rbac.yaml
+++ /dev/null
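Review bot: The new echo line `@echo Build kyverno-sidecar-injector dependecy... >&2` carries the `dependecy` misspelling over from the removed target; since the rename rewrites this line anyway, make it `@echo Build kyverno-sidecar-injector dependency... >&2`. The `--set containers.injector.image.*` keys line up with the flattened `containers:` tree in the new values.yaml added by this commit, so the override paths look consistent with the chart.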
@@ -1,45 +0,0 @@ -{{- if .Values.sidecarInjector.enabled -}} -{{- if .Values.sidecarInjector.rbac.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ template "sidecar-injector.service-account.name" . }} - namespace: {{ template "kyverno.lib.namespace" . }} - labels: - {{- include "sidecar-injector.labels" . | nindent 4 }} - {{- with .Values.sidecarInjector.rbac.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "sidecar-injector.role.name" . }} - labels: - {{- include "sidecar-injector.labels" . | nindent 4 }} -rules: - - apiGroups: - - '' - resources: - - configmaps - verbs: - - get - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ template "sidecar-injector.role.name" . }} - labels: - {{- include "sidecar-injector.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "sidecar-injector.role.name" . }} -subjects: - - kind: ServiceAccount - name: {{ template "sidecar-injector.service-account.name" . }} - namespace: {{ template "kyverno.lib.namespace" . }} -{{- end -}} -{{- end -}} diff --git a/charts/kyverno-envoy-plugin/templates/sidecar-injector/service.yaml b/charts/kyverno-envoy-plugin/templates/sidecar-injector/service.yaml deleted file mode 100644 index 10ffc7b..0000000 --- a/charts/kyverno-envoy-plugin/templates/sidecar-injector/service.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -{{- if .Values.sidecarInjector.enabled -}} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "sidecar-injector.service-account.name" . }} - namespace: {{ template "kyverno.lib.namespace" . }} - labels: - {{- include "sidecar-injector.labels" . | nindent 4 }} - {{- with .Values.sidecarInjector.service.annotations }} - annotations: - {{- tpl (toYaml .) $ | nindent 4 }} - {{- end }} -spec: - type: {{ .Values.sidecarInjector.service.type }} - ports: - - name: https - port: {{ .Values.sidecarInjector.service.port }} - protocol: TCP - appProtocol: https - targetPort: https - {{- if and (eq .Values.sidecarInjector.service.type "NodePort") (not (empty .Values.sidecarInjector.service.nodePort)) }} - nodePort: {{ .Values.sidecarInjector.service.nodePort }} - {{- end }} - selector: - {{- include "sidecar-injector.labels.match" . | nindent 4 }} -{{- end -}} diff --git a/charts/kyverno-envoy-plugin/values.yaml b/charts/kyverno-envoy-plugin/values.yaml deleted file mode 100644 index dfdc493..0000000 --- a/charts/kyverno-envoy-plugin/values.yaml +++ /dev/null 
@@ -1,255 +0,0 @@ -# -- Internal settings used with `helm template` to generate install manifest -# @ignored -templating: - enabled: false - debug: false - version: ~ - -# -- (string) Override the name of the chart -nameOverride: ~ - -# -- (string) Override the expanded name of the chart -fullnameOverride: ~ - -# -- (string) Override the namespace the chart deploys to -namespaceOverride: ~ - -# Sidecar injector configuration -sidecarInjector: - - # -- Enable sidecar injector - enabled: true - - rbac: - - # -- Create RBAC resources - create: true - - serviceAccount: - - # -- The ServiceAccount name - name: - - # -- Annotations for the ServiceAccount - annotations: {} - # example.com/annotation: value - - certificates: - - # -- Create self-signed certificates at deployment time. - # The certificates won't be automatically renewed if this is set to `true`. - selfSigned: true - - deployment: - - # -- (int) Desired number of pods - replicas: ~ - - # -- The number of revisions to keep - revisionHistoryLimit: 10 - - # -- Deployment annotations. - annotations: {} - - # -- Deployment update strategy. - # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy - # @default -- See [values.yaml](values.yaml) - updateStrategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 40% - type: RollingUpdate - - pod: - - # -- Additional labels to add to each pod - labels: {} - # example.com/label: foo - - # -- Additional annotations to add to each pod - annotations: {} - # example.com/annotation: foo - - # -- Image pull secrets - imagePullSecrets: [] - # - secretName - - # -- Security context - securityContext: {} - - # -- Node labels for pod assignment - nodeSelector: {} - - # -- List of node taints to tolerate - tolerations: [] - - # -- Topology spread constraints. - topologySpreadConstraints: [] - - # -- Optional priority class - priorityClassName: '' - - # -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. 
- # Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. - # Update the `dnsPolicy` accordingly as well to suit the host network mode. - hostNetwork: false - - # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. - # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. - # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. - dnsPolicy: ClusterFirst - - # -- Pod anti affinity constraints. - # @default -- See [values.yaml](values.yaml) - antiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/component - operator: In - values: - - admission-controller - topologyKey: kubernetes.io/hostname - - # -- Pod affinity constraints. - affinity: {} - - # -- Node affinity constraints. - nodeAffinity: {} - - containers: - - injector: - - image: - - # -- Image registry - registry: ghcr.io - - # -- Image repository - repository: kyverno/kyverno-envoy-plugin - - # -- (string) Image tag - # Defaults to appVersion in Chart.yaml if omitted - tag: ~ - - # -- Image pull policy - pullPolicy: IfNotPresent - - resources: - - # -- Pod resource limits - limits: - memory: 384Mi - - # -- Pod resource requests - requests: - cpu: 100m - memory: 128Mi - - # -- Container security context - securityContext: - runAsNonRoot: true - privileged: false - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault - - # -- Startup probe. - # The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want. 
- # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ - # @default -- See [values.yaml](values.yaml) - startupProbe: - httpGet: - path: /livez - port: 9443 - scheme: HTTPS - failureThreshold: 20 - initialDelaySeconds: 2 - periodSeconds: 6 - - # -- Liveness probe. - # The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want. - # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ - # @default -- See [values.yaml](values.yaml) - livenessProbe: - httpGet: - path: /livez - port: 9443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 30 - timeoutSeconds: 5 - failureThreshold: 2 - successThreshold: 1 - - # -- Readiness Probe. - # The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want. - # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ - # @default -- See [values.yaml](values.yaml) - readinessProbe: - httpGet: - path: /readyz - port: 9443 - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - - # -- Container ports. - ports: - - containerPort: 9443 - name: https - protocol: TCP - - # -- Container args. - args: - - sidecar-injector - - --address=:9443 - - --cert-file=/opt/kubernetes-sidecar-injector/certs/tls.crt - - --key-file=/opt/kubernetes-sidecar-injector/certs/tls.key - - service: - - # -- Service port. - port: 443 - - # -- Service type. - type: ClusterIP - - # -- Service node port. - # Only used if `type` is `NodePort`. - nodePort: - - # -- Service annotations. 
- annotations: {} - - webhook: - - # -- Webhook annotations - annotations: {} - # example.com/annotation: value - - # -- Webhook object selector - objectSelector: ~ - - # -- Webhook failure policy - failurePolicy: Fail - - # -- Webhook namespace selector - namespaceSelector: - matchExpressions: - - key: kyverno-injection - operator: In - values: - - enabled - - pdb: diff --git a/charts/kyverno-envoy-plugin/.helmignore b/charts/kyverno-sidecar-injector/.helmignore similarity index 100% rename from charts/kyverno-envoy-plugin/.helmignore rename to charts/kyverno-sidecar-injector/.helmignore diff --git a/charts/kyverno-envoy-plugin/Chart.lock b/charts/kyverno-sidecar-injector/Chart.lock similarity index 100% rename from charts/kyverno-envoy-plugin/Chart.lock rename to charts/kyverno-sidecar-injector/Chart.lock diff --git a/charts/kyverno-envoy-plugin/Chart.yaml b/charts/kyverno-sidecar-injector/Chart.yaml similarity index 94% rename from charts/kyverno-envoy-plugin/Chart.yaml rename to charts/kyverno-sidecar-injector/Chart.yaml index 6fe705e..d911d88 100644 --- a/charts/kyverno-envoy-plugin/Chart.yaml +++ b/charts/kyverno-sidecar-injector/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -name: kyverno-envoy-plugin +name: kyverno-sidecar-injector description: Kyverno policies based authorization plugin for Envoy ❤️ icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png home: https://kyverno.github.io/kyverno-envoy-plugin diff --git a/charts/kyverno-envoy-plugin/templates/NOTES.txt b/charts/kyverno-sidecar-injector/templates/NOTES.txt similarity index 100% rename from charts/kyverno-envoy-plugin/templates/NOTES.txt rename to charts/kyverno-sidecar-injector/templates/NOTES.txt 
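Review bot: In the Chart.yaml hunk `name` becomes `kyverno-sidecar-injector` but the `description` line right below it still reads `Kyverno policies based authorization plugin for Envoy`, which describes the authz server rather than the injector this chart now ships. A description naming the sidecar injector, for example `description: Kyverno sidecar injector for Envoy ❤️` (wording to taste), would keep chart metadata and search output accurate. `home` still pointing at the kyverno-envoy-plugin repository is presumably intentional if both charts are published from that repository.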
diff --git a/charts/kyverno-envoy-plugin/templates/sidecar-injector/_helpers.tpl b/charts/kyverno-sidecar-injector/templates/_helpers.tpl similarity index 76% rename from charts/kyverno-envoy-plugin/templates/sidecar-injector/_helpers.tpl rename to charts/kyverno-sidecar-injector/templates/_helpers.tpl index 3739e6f..46cb8f5 100644 --- a/charts/kyverno-envoy-plugin/templates/sidecar-injector/_helpers.tpl +++ b/charts/kyverno-sidecar-injector/templates/_helpers.tpl @@ -7,11 +7,11 @@ {{- define "sidecar-injector.labels" -}} {{- template "kyverno.lib.labels.merge" (list (include "kyverno.lib.labels.common" .) - (include "sidecar-injector.labels.match" .) + (include "sidecar-injector.labels.selector" .) ) -}} {{- end -}} -{{- define "sidecar-injector.labels.match" -}} +{{- define "sidecar-injector.labels.selector" -}} {{- template "kyverno.lib.labels.merge" (list (include "kyverno.lib.labels.common.selector" .) (include "kyverno.lib.labels.component" "sidecar-injector") @@ -23,10 +23,10 @@ {{- end -}} {{- define "sidecar-injector.service-account.name" -}} -{{- if .Values.sidecarInjector.rbac.create -}} - {{- default (include "sidecar-injector.name" .) .Values.sidecarInjector.rbac.serviceAccount.name -}} +{{- if .Values.rbac.create -}} + {{- default (include "sidecar-injector.name" .) .Values.rbac.serviceAccount.name -}} {{- else -}} - {{- required "A service account name is required when `rbac.create` is set to `false`" .Values.sidecarInjector.rbac.serviceAccount.name -}} + {{- required "A service account name is required when `rbac.create` is set to `false`" .Values.rbac.serviceAccount.name -}} {{- end -}} {{- end -}} diff --git a/charts/kyverno-envoy-plugin/templates/sidecar-injector/certificates.yaml b/charts/kyverno-sidecar-injector/templates/certificates.yaml similarity index 80% rename from charts/kyverno-envoy-plugin/templates/sidecar-injector/certificates.yaml rename to charts/kyverno-sidecar-injector/templates/certificates.yaml index 4ec93ad..c2d3216 100644 
--- a/charts/kyverno-envoy-plugin/templates/sidecar-injector/certificates.yaml +++ b/charts/kyverno-sidecar-injector/templates/certificates.yaml @@ -1,8 +1,7 @@ -{{- if .Values.sidecarInjector.enabled -}} {{- $ca := genCA (printf "*.%s.svc" (include "kyverno.lib.namespace" .)) 1024 -}} {{- $svcName := (printf "%s.%s.svc" (include "sidecar-injector.name" .) (include "kyverno.lib.namespace" .)) -}} {{- $tls := genSignedCert $svcName nil (list $svcName) 1024 $ca -}} -{{- if .Values.sidecarInjector.certificates.selfSigned -}} +{{- if .Values.certificates.selfSigned -}} apiVersion: v1 kind: Secret metadata: @@ -25,7 +24,7 @@ metadata: name: {{ template "sidecar-injector.name" . }} labels: {{- include "sidecar-injector.labels" . | nindent 4 }} - {{- with .Values.sidecarInjector.webhook.annotations }} + {{- with .Values.webhook.annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} @@ -37,7 +36,7 @@ webhooks: namespace: {{ template "kyverno.lib.namespace" . }} path: "/mutate" caBundle: {{ $ca.Cert | b64enc }} - failurePolicy: {{ .Values.sidecarInjector.webhook.failurePolicy }} + failurePolicy: {{ .Values.webhook.failurePolicy }} sideEffects: None admissionReviewVersions: [ v1 ] rules: @@ -46,12 +45,11 @@ webhooks: resources: [ pods ] operations: [ CREATE ] scope: '*' - {{- with .Values.sidecarInjector.webhook.objectSelector }} + {{- with .Values.webhook.objectSelector }} objectSelector: {{- tpl (toYaml .) $ | nindent 6 }} {{- end }} - {{- with .Values.sidecarInjector.webhook.namespaceSelector }} + {{- with .Values.webhook.namespaceSelector }} namespaceSelector: {{- tpl (toYaml .) $ | nindent 6 }} {{- end }} -{{- end -}} diff --git a/charts/kyverno-envoy-plugin/templates/sidecar-injector/deployment.yaml b/charts/kyverno-sidecar-injector/templates/deployment.yaml similarity index 70% rename from charts/kyverno-envoy-plugin/templates/sidecar-injector/deployment.yaml rename to charts/kyverno-sidecar-injector/templates/deployment.yaml index d31d023..66d4732 100644 
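Review bot: `caBundle: {{ $ca.Cert | b64enc }}` in the webhook block is fed by the `genCA` call at the top of the template, which now runs on every render unconditionally, while only the Secret appears to be gated by `.Values.certificates.selfSigned` (the closing `end` for that `if` sits between the first and second hunks and is not visible here, so this is inferred). If that reading is right, a user who sets `selfSigned: false` and supplies their own serving certificate gets a MutatingWebhookConfiguration whose bundle trusts a throw-away render-time CA that signed nothing they deploy, and with the default `failurePolicy: Fail` every pod CREATE in the selected namespaces is rejected. Either derive the bundle from the same source as the serving certificate when `selfSigned` is false, or state the limitation next to the `selfSigned` value, e.g. `# Bring-your-own certificates are not supported: the webhook caBundle is always the CA generated at render time.` The MutatingWebhookConfiguration object starts and ends outside the visible hunks.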
--- a/charts/kyverno-envoy-plugin/templates/sidecar-injector/deployment.yaml +++ b/charts/kyverno-sidecar-injector/templates/deployment.yaml @@ -1,4 +1,3 @@ -{{- if .Values.sidecarInjector.enabled -}} apiVersion: apps/v1 kind: Deployment metadata: 
@@ -6,72 +5,72 @@ metadata: namespace: {{ template "kyverno.lib.namespace" . }} labels: {{- include "sidecar-injector.labels" . | nindent 4 }} - {{- with .Values.sidecarInjector.deployment.annotations }} + {{- with .Values.deployment.annotations }} annotations: {{- tpl (toYaml .) $ | nindent 4 }} {{- end }} spec: - {{- with .Values.sidecarInjector.deployment.replicas }} + {{- with .Values.deployment.replicas }} replicas: {{ . }} {{- end }} - revisionHistoryLimit: {{ .Values.sidecarInjector.deployment.revisionHistoryLimit }} - {{- with .Values.sidecarInjector.deployment.updateStrategy }} + revisionHistoryLimit: {{ .Values.deployment.revisionHistoryLimit }} + {{- with .Values.deployment.updateStrategy }} strategy: {{- toYaml . | nindent 4 }} {{- end }} selector: matchLabels: - {{- include "sidecar-injector.labels.match" . | nindent 6 }} + {{- include "sidecar-injector.labels.selector" . | nindent 6 }} template: metadata: labels: {{- include "sidecar-injector.labels" . | nindent 8 }} - {{- with .Values.sidecarInjector.pod.labels }} + {{- with .Values.pod.labels }} {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} - {{- with .Values.sidecarInjector.pod.annotations }} + {{- with .Values.pod.annotations }} annotations: {{ tpl (toYaml .) $ | nindent 8 }} {{- end }} spec: - {{- with .Values.sidecarInjector.pod.imagePullSecrets }} + {{- with .Values.pod.imagePullSecrets }} imagePullSecrets: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} - {{- with .Values.sidecarInjector.pod.securityContext }} + {{- with .Values.pod.securityContext }} securityContext: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} - {{- with .Values.sidecarInjector.pod.nodeSelector }} + {{- with .Values.pod.nodeSelector }} nodeSelector: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} - {{- with .Values.sidecarInjector.pod.tolerations }} + {{- with .Values.pod.tolerations }} tolerations: {{- tpl (toYaml .) 
$ | nindent 8 }} {{- end }} - {{- with .Values.sidecarInjector.pod.topologySpreadConstraints }} + {{- with .Values.pod.topologySpreadConstraints }} topologySpreadConstraints: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} - {{- with .Values.sidecarInjector.pod.priorityClassName }} + {{- with .Values.pod.priorityClassName }} priorityClassName: {{ . | quote }} {{- end }} - {{- with .Values.sidecarInjector.pod.hostNetwork }} + {{- with .Values.pod.hostNetwork }} hostNetwork: {{ . }} {{- end }} - {{- with .Values.sidecarInjector.pod.dnsPolicy }} + {{- with .Values.pod.dnsPolicy }} dnsPolicy: {{ . }} {{- end }} affinity: - {{- with .Values.sidecarInjector.pod.antiAffinity }} + {{- with .Values.pod.antiAffinity }} podAntiAffinity: {{- tpl (toYaml .) $ | nindent 10 }} {{- end }} - {{- with .Values.sidecarInjector.pod.affinity }} + {{- with .Values.pod.affinity }} podAffinity: {{- tpl (toYaml .) $ | nindent 10 }} {{- end }} - {{- with .Values.sidecarInjector.pod.nodeAffinity }} + {{- with .Values.pod.nodeAffinity }} nodeAffinity: {{- tpl (toYaml .) $ | nindent 10 }} {{- end }} @@ -81,7 +80,7 @@ spec: secret: secretName: {{ template "sidecar-injector.name" . }} containers: - {{- with .Values.sidecarInjector.containers.injector }} + {{- with .Values.containers.injector }} - name: injector image: {{ include "sidecar-injector.image" .image }} imagePullPolicy: {{ .image.pullPolicy }} @@ -118,4 +117,3 @@ spec: mountPath: /opt/kubernetes-sidecar-injector/certs readOnly: true {{- end }} -{{- end -}} diff --git a/charts/kyverno-sidecar-injector/templates/rbac.yaml b/charts/kyverno-sidecar-injector/templates/rbac.yaml new file mode 100644 index 0000000..f83a65b --- /dev/null +++ b/charts/kyverno-sidecar-injector/templates/rbac.yaml 
@@ -0,0 +1,13 @@
+{{- if .Values.rbac.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "sidecar-injector.service-account.name" . }}
+ namespace: {{ template "kyverno.lib.namespace" . }}
+ labels:
+ {{- include "sidecar-injector.labels" . | nindent 4 }}
+ {{- with .Values.rbac.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end -}}
diff --git a/charts/kyverno-sidecar-injector/templates/service.yaml b/charts/kyverno-sidecar-injector/templates/service.yaml
new file mode 100644
index 0000000..84821cb
--- /dev/null
+++ b/charts/kyverno-sidecar-injector/templates/service.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "sidecar-injector.service-account.name" . }}
+ namespace: {{ template "kyverno.lib.namespace" . }}
+ labels:
+ {{- include "sidecar-injector.labels" . | nindent 4 }}
+ {{- with .Values.service.annotations }}
+ annotations:
+ {{- tpl (toYaml .) $ | nindent 4 }}
+ {{- end }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - name: https
+ port: {{ .Values.service.port }}
+ protocol: TCP
+ appProtocol: https
+ targetPort: https
+ {{- if and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort)) }}
+ nodePort: {{ .Values.service.nodePort }}
+ {{- end }}
+ selector:
+ {{- include "sidecar-injector.labels.selector" . | nindent 4 }}
diff --git a/charts/kyverno-sidecar-injector/values.yaml b/charts/kyverno-sidecar-injector/values.yaml
new file mode 100644
index 0000000..baf0294
--- /dev/null
+++ b/charts/kyverno-sidecar-injector/values.yaml
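Review bot: The new `rbac.yaml` creates only the ServiceAccount; the ClusterRole and ClusterRoleBinding granting `get`/`list` on ConfigMaps that the deleted `charts/kyverno-envoy-plugin/templates/sidecar-injector/rbac.yaml` carried are not recreated anywhere in this commit. If the injector binary still reads ConfigMaps, those calls will now be denied at runtime and the chainsaw e2e job may or may not exercise that path; if it no longer needs them, this is a welcome least-privilege reduction, and the service account then needs no API token at all, so a top-level `automountServiceAccountToken: false` on the ServiceAccount would stop one being mounted into the pod. Either way, a one-line comment in the template stating which of the two it is would save the next reader the archaeology.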
@@ -0,0 +1,244 @@ +# -- Internal settings used with `helm template` to generate install manifest +# @ignored +templating: + enabled: false + debug: false + version: ~ + +# -- (string) Override the name of the chart +nameOverride: ~ + +# -- (string) Override the expanded name of the chart +fullnameOverride: ~ + +rbac: + + # -- Create RBAC resources + create: true + + serviceAccount: + + # -- The ServiceAccount name + name: + + # -- Annotations for the ServiceAccount + annotations: {} + # example.com/annotation: value + +certificates: + + # -- Create self-signed certificates at deployment time. + # The certificates won't be automatically renewed if this is set to `true`. + selfSigned: true + +deployment: + + # -- (int) Desired number of pods + replicas: ~ + + # -- The number of revisions to keep + revisionHistoryLimit: 10 + + # -- Deployment annotations. + annotations: {} + + # -- Deployment update strategy. + # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + # @default -- See [values.yaml](values.yaml) + updateStrategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 40% + type: RollingUpdate + +pod: + + # -- Additional labels to add to each pod + labels: {} + # example.com/label: foo + + # -- Additional annotations to add to each pod + annotations: {} + # example.com/annotation: foo + + # -- Image pull secrets + imagePullSecrets: [] + # - secretName + + # -- Security context + securityContext: {} + + # -- Node labels for pod assignment + nodeSelector: {} + + # -- List of node taints to tolerate + tolerations: [] + + # -- Topology spread constraints. + topologySpreadConstraints: [] + + # -- Optional priority class + priorityClassName: '' + + # -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. + # Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. + # Update the `dnsPolicy` accordingly as well to suit the host network mode. 
+ hostNetwork: false + + # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. + # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. + # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. + dnsPolicy: ClusterFirst + + # -- Pod anti affinity constraints. + # @default -- See [values.yaml](values.yaml) + antiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/component + operator: In + values: + - admission-controller + topologyKey: kubernetes.io/hostname + + # -- Pod affinity constraints. + affinity: {} + + # -- Node affinity constraints. + nodeAffinity: {} + +containers: + + injector: + + image: + + # -- Image registry + registry: ghcr.io + + # -- Image repository + repository: kyverno/kyverno-envoy-plugin + + # -- (string) Image tag + # Defaults to appVersion in Chart.yaml if omitted + tag: ~ + + # -- Image pull policy + pullPolicy: IfNotPresent + + resources: + + # -- Pod resource limits + limits: + memory: 384Mi + + # -- Pod resource requests + requests: + cpu: 100m + memory: 128Mi + + # -- Container security context + securityContext: + runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + + # -- Startup probe. + # The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + # @default -- See [values.yaml](values.yaml) + startupProbe: + httpGet: + path: /livez + port: 9443 + scheme: HTTPS + failureThreshold: 20 + initialDelaySeconds: 2 + periodSeconds: 6 + + # -- Liveness probe. 
+ # The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + # @default -- See [values.yaml](values.yaml) + livenessProbe: + httpGet: + path: /livez + port: 9443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 2 + successThreshold: 1 + + # -- Readiness Probe. + # The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + # @default -- See [values.yaml](values.yaml) + readinessProbe: + httpGet: + path: /readyz + port: 9443 + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + + # -- Container ports. + ports: + - containerPort: 9443 + name: https + protocol: TCP + + # -- Container args. + args: + - sidecar-injector + - --address=:9443 + - --cert-file=/opt/kubernetes-sidecar-injector/certs/tls.crt + - --key-file=/opt/kubernetes-sidecar-injector/certs/tls.key + +service: + + # -- Service port. + port: 443 + + # -- Service type. + type: ClusterIP + + # -- Service node port. + # Only used if `type` is `NodePort`. + nodePort: + + # -- Service annotations. + annotations: {} + +webhook: + + # -- Webhook annotations + annotations: {} + # example.com/annotation: value + + # -- Webhook object selector + objectSelector: ~ + + # -- Webhook failure policy + failurePolicy: Fail + + # -- Webhook namespace selector + namespaceSelector: + matchExpressions: + - key: kyverno-injection + operator: In + values: + - enabled
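Review bot: The default `pod.antiAffinity` selects pods whose `app.kubernetes.io/component` is `admission-controller`, but this chart's selector helper labels the injector with component `sidecar-injector` (the `kyverno.lib.labels.component "sidecar-injector"` call in `_helpers.tpl` in this commit), so the preferred anti-affinity never matches the chart's own replicas and gives no spread across nodes. If the intent is to keep injector replicas apart, change the value to `- sidecar-injector`. Separately, `containers.injector.image.repository` still defaults to `kyverno/kyverno-envoy-plugin`; that is presumably deliberate because `args` runs the `sidecar-injector` subcommand of that image, but a short comment such as `# The injector is a subcommand of the kyverno-envoy-plugin image` would stop it reading as a leftover of the rename.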