feat: add kyverno-authz-server chart (#145)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

.github/workflows/tests.yaml

@@ -79,6 +79,6 @@ jobs:
         run: |
           set -e
           make kind-create-cluster
-          make chart-install
+          make install-kyverno-envoy-plugin
       - name: Run Chainsaw Tests
         run: chainsaw test tests/e2e-test

Makefile

@@ -203,18 +203,30 @@ istio-install: $(HELM)
 # HELM #
 ########
 
-.PHONY: chart-install
-chart-install: ## Install chart
-chart-install: kind-load-image
-chart-install: $(HELM)
-	@echo Build helm dependecy... >&2
+.PHONY: install-kyverno-envoy-plugin
+install-kyverno-envoy-plugin: ## Install kyverno-envoy-plugin chart
+install-kyverno-envoy-plugin: kind-load-image
+install-kyverno-envoy-plugin: $(HELM)
+	@echo Build kyverno-envoy-plugin dependecy... >&2
 	@$(HELM) dependency build --skip-refresh ./charts/kyverno-envoy-plugin
-	@echo Install helm chart... >&2
+	@echo Install kyverno-envoy-plugin chart... >&2
 	@$(HELM) upgrade --install kyverno-envoy-plugin --namespace kyverno --create-namespace --wait ./charts/kyverno-envoy-plugin \
 		--set sidecarInjector.containers.injector.image.registry=$(KO_REGISTRY) \
 		--set sidecarInjector.containers.injector.image.repository=$(PACKAGE) \
 		--set sidecarInjector.containers.injector.image.tag=$(GIT_SHA)
 
+.PHONY: install-kyverno-authz-server
+install-kyverno-authz-server: ## Install kyverno-authz-server chart
+install-kyverno-authz-server: kind-load-image
+install-kyverno-authz-server: $(HELM)
+	@echo Build kyverno-authz-server dependecy... >&2
+	@$(HELM) dependency build --skip-refresh ./charts/kyverno-authz-server
+	@echo Install kyverno-authz-server chart... >&2
+	@$(HELM) upgrade --install kyverno-envoy-plugin --namespace kyverno --create-namespace --wait ./charts/kyverno-authz-server \
+		--set containers.server.image.registry=$(KO_REGISTRY) \
+		--set containers.server.image.repository=$(PACKAGE) \
+		--set containers.server.image.tag=$(GIT_SHA)
+
 ########
 # HELP #
 ########

charts/kyverno-authz-server/.helmignore

@@ -0,0 +1,3 @@
+.helmignore
+ci/
+README.md.gotmpl

charts/kyverno-authz-server/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: kyverno-lib
+  repository: file://../kyverno-lib
+  version: 0.0.0
+digest: sha256:74ae1b7230d94ccd45ed668b489009ead0c031c8240e8b76cd05a31f95e679c2
+generated: "2024-10-25T21:56:51.136355+02:00"

charts/kyverno-authz-server/Chart.yaml

@@ -0,0 +1,31 @@
+apiVersion: v2
+name: kyverno-authz-server
+description: Kyverno policies based authorization plugin for Envoy ❤️
+icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
+home: https://kyverno.github.io/kyverno-envoy-plugin
+
+type: application
+version: 0.0.0
+appVersion: latest
+kubeVersion: ">=1.25.0-0"
+
+keywords:
+  - kubernetes
+  - kyverno
+  - authz
+  - policy
+  - envoy
+  - istio
+  - security
+
+sources:
+  - https://github.com/kyverno/kyverno-envoy-plugin
+
+maintainers:
+  - name: Kyverno
+    url: https://kyverno.io/
+
+dependencies:
+- name: kyverno-lib
+  version: 0.0.0
+  repository: file://../kyverno-lib

charts/kyverno-authz-server/templates/NOTES.txt

@@ -0,0 +1 @@
+Chart version: {{ .Chart.Version }}

charts/kyverno-authz-server/templates/_helpers.tpl

@@ -0,0 +1,31 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{- define "kyverno-authz-server.name" -}}
+{{ template "kyverno.lib.names.name" . }}
+{{- end -}}
+
+{{- define "kyverno-authz-server.labels" -}}
+{{- template "kyverno.lib.labels.merge" (list
+  (include "kyverno.lib.labels.common" .)
+  (include "kyverno-authz-server.labels.selector" .)
+) -}}
+{{- end -}}
+
+{{- define "kyverno-authz-server.labels.selector" -}}
+{{- template "kyverno.lib.labels.merge" (list
+  (include "kyverno.lib.labels.common.selector" .)
+  (include "kyverno.lib.labels.component" "authz-server")
+) -}}
+{{- end -}}
+
+{{- define "kyverno-authz-server.service-account.name" -}}
+{{- if .Values.rbac.create -}}
+    {{- default (include "kyverno-authz-server.name" .) .Values.rbac.serviceAccount.name -}}
+{{- else -}}
+    {{- required "A service account name is required when `rbac.create` is set to `false`" .Values.rbac.serviceAccount.name -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "kyverno-authz-server.image" -}}
+{{- printf "%s/%s:%s" .registry .repository (default "latest" .tag) -}}
+{{- end -}}

charts/kyverno-authz-server/templates/deployment.yaml

@@ -0,0 +1,111 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "kyverno-authz-server.name" . }}
+  namespace: {{ template "kyverno.lib.namespace" . }}
+  labels:
+    {{- include "kyverno-authz-server.labels" . | nindent 4 }}
+  {{- with .Values.deployment.annotations }}
+  annotations:
+    {{- tpl (toYaml .) $ | nindent 4 }}
+  {{- end }}
+spec:
+  {{- with .Values.deployment.replicas }}
+  replicas: {{ . }}
+  {{- end }}
+  revisionHistoryLimit: {{ .Values.deployment.revisionHistoryLimit }}
+  {{- with .Values.deployment.updateStrategy }}
+  strategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "kyverno-authz-server.labels.selector" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "kyverno-authz-server.labels" . | nindent 8 }}
+        {{- with .Values.pod.labels }}
+        {{- tpl (toYaml .) $ | nindent 8 }}
+        {{- end }}
+      {{- with .Values.pod.annotations }}
+      annotations: {{ tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- with .Values.pod.imagePullSecrets }}
+      imagePullSecrets:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- with .Values.pod.securityContext }}
+      securityContext:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- with .Values.pod.nodeSelector }}
+      nodeSelector:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- with .Values.pod.tolerations }}
+      tolerations:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- with .Values.pod.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- with .Values.pod.priorityClassName }}
+      priorityClassName: {{ . | quote }}
+      {{- end }}
+      {{- with .Values.pod.hostNetwork }}
+      hostNetwork: {{ . }}
+      {{- end }}
+      {{- with .Values.pod.dnsPolicy }}
+      dnsPolicy: {{ . }}
+      {{- end }}
+      affinity:
+        {{- with .Values.pod.antiAffinity }}
+        podAntiAffinity:
+          {{- tpl (toYaml .) $ | nindent 10 }}
+        {{- end }}
+        {{- with .Values.pod.affinity }}
+        podAffinity:
+          {{- tpl (toYaml .) $ | nindent 10 }}
+        {{- end }}
+        {{- with .Values.pod.nodeAffinity }}
+        nodeAffinity:
+          {{- tpl (toYaml .) $ | nindent 10 }}
+        {{- end }}
+      serviceAccountName: {{ template "kyverno-authz-server.service-account.name" . }}
+      containers:
+        {{- with .Values.containers.server }}
+        - name: server
+          image: {{ include "kyverno-authz-server.image" .image }}
+          imagePullPolicy: {{ .image.pullPolicy }}
+          {{- with .resources }}
+          resources:
+            {{- tpl (toYaml .) $ | nindent 12 }}
+          {{- end }}
+          {{- with .securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .startupProbe }}
+          startupProbe:
+            {{- tpl (toYaml .) $ | nindent 12 }}
+          {{- end }}
+          {{- with .livenessProbe }}
+          livenessProbe:
+            {{- tpl (toYaml .) $ | nindent 12 }}
+          {{- end }}
+          {{- with .readinessProbe }}
+          readinessProbe:
+            {{- tpl (toYaml .) $ | nindent 12 }}
+          {{- end }}
+          {{- with .ports }}
+          ports:
+            {{- tpl (toYaml .) $ | nindent 12 }}
+          {{- end }}
+          {{- with .args }}
+          args:
+            {{- tpl (toYaml .) $ | nindent 12 }}
+          {{- end }}
+        {{- end }}

charts/kyverno-authz-server/templates/service-account.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.rbac.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "kyverno-authz-server.service-account.name" . }}
+  namespace: {{ template "kyverno.lib.namespace" . }}
+  labels:
+    {{- include "kyverno-authz-server.labels" . | nindent 4 }}
+  {{- with .Values.rbac.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end -}}

charts/kyverno-authz-server/templates/service.yaml

@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "kyverno-authz-server.name" . }}
+  namespace: {{ template "kyverno.lib.namespace" . }}
+  labels:
+    {{- include "kyverno-authz-server.labels" . | nindent 4 }}
+  {{- with .Values.service.annotations }}
+  annotations:
+    {{- tpl (toYaml .) $ | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+  - name: http
+    port: {{ .Values.service.port }}
+    protocol: TCP
+    appProtocol: http
+    targetPort: http
+    {{- if and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort)) }}
+    nodePort: {{ .Values.service.nodePort }}
+    {{- end }}
+  - name: grpc
+    port: {{ .Values.service.port }}
+    protocol: TCP
+    targetPort: grpc
+    {{- if and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort)) }}
+    nodePort: {{ .Values.service.nodePort }}
+    {{- end }}
+  selector:
+    {{- include "kyverno-authz-server.labels.selector" . | nindent 4 }}