Merge branch 'main' into codeql

.github/workflows/ah-lint.yaml

@@ -0,0 +1,27 @@
+name: ArtifactHub Lint
+
+# permissions: {}
+
+on:
+  pull_request:
+    branches:
+      - '*'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  required:
+    runs-on: ubuntu-latest
+    container:
+      image: artifacthub/ah
+      options: --user root
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Run ah lint
+        working-directory: ./charts/
+        run: |
+          set -e
+          ah lint

.github/workflows/ct-lint.yaml

@@ -0,0 +1,33 @@
+name: CT Lint
+
+# permissions: {}
+
+on:
+  pull_request:
+    branches:
+      - '*'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  required:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+      - name: Set up Helm
+        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
+      - name: Setup python
+        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
+        with:
+          python-version: 3.7
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@e8788873172cb653a90ca2e819d79d65a66d4e76 # v2.4.0
+      - name: Run chart-testing (lint)
+        run: |
+          set -e
+          ct lint --target-branch=main --check-version-increment=false

.github/workflows/helm-install.yaml

@@ -0,0 +1,32 @@
+name: Helm install
+
+# permissions: {}
+
+on:
+  pull_request:
+    branches:
+      - '*'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  required:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Set up Go
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        with:
+          go-version-file: go.mod
+          cache-dependency-path: go.sum
+      - name: Create cluster
+        run: |
+          set -e
+          make kind-create
+      - name: Install chart
+        run: |
+          set -e
+          make kind-install

.gitignore

@@ -1,6 +1,6 @@
 .DS_Store
 .tools
 .gopath
-kyverno-json
+/kyverno-json
 website/site
 playground/assets/main.wasm

Makefile

@@ -1,5 +1,24 @@
 .DEFAULT_GOAL := build
 
+##########
+# CONFIG #
+##########
+
+ORG                                ?= kyverno
+PACKAGE                            ?= github.com/$(ORG)/kyverno-json
+KIND_IMAGE                         ?= kindest/node:v1.28.0
+KIND_NAME                          ?= kind
+GIT_SHA                            := $(shell git rev-parse HEAD)
+GOOS                               ?= $(shell go env GOOS)
+GOARCH                             ?= $(shell go env GOARCH)
+REGISTRY                           ?= ghcr.io
+REPO                               ?= kyverno-json
+LOCAL_PLATFORM                     := linux/$(GOARCH)
+KO_REGISTRY                        := ko.local
+KO_PLATFORMS                       := all
+KO_TAGS                            := $(GIT_SHA)
+KO_CACHE                           ?= /tmp/ko-cache
+
 #########
 # TOOLS #
 #########
@@ -17,7 +36,11 @@ REFERENCE_DOCS                     := $(TOOLS_DIR)/genref
 REFERENCE_DOCS_VERSION             := latest
 KIND                               := $(TOOLS_DIR)/kind
 KIND_VERSION                       := v0.20.0
-TOOLS                              := $(CLIENT_GEN) $(LISTER_GEN) $(INFORMER_GEN) $(REGISTER_GEN) $(DEEPCOPY_GEN) $(CONTROLLER_GEN) $(REFERENCE_DOCS) $(KIND)
+HELM                               := $(TOOLS_DIR)/helm
+HELM_VERSION                       := v3.10.1
+KO                                 := $(TOOLS_DIR)/ko
+KO_VERSION                         := v0.14.1
+TOOLS                              := $(CLIENT_GEN) $(LISTER_GEN) $(INFORMER_GEN) $(REGISTER_GEN) $(DEEPCOPY_GEN) $(CONTROLLER_GEN) $(REFERENCE_DOCS) $(KIND) $(HELM) $(KO)
 PIP                                ?= "pip"
 ifeq ($(GOOS), darwin)
 SED                                := gsed
@@ -58,6 +81,14 @@ $(KIND):
 	@echo Install kind... >&2
 	@GOBIN=$(TOOLS_DIR) go install sigs.k8s.io/kind@$(KIND_VERSION)
 
+$(HELM):
+	@echo Install helm... >&2
+	@GOBIN=$(TOOLS_DIR) go install helm.sh/helm/v3/cmd/helm@$(HELM_VERSION)
+
+$(KO):
+	@echo Install ko... >&2
+	@GOBIN=$(TOOLS_DIR) go install github.com/google/ko@$(KO_VERSION)
+
 .PHONY: install-tools
 install-tools: $(TOOLS) ## Install tools
 
@@ -72,7 +103,6 @@ clean-tools: ## Remove installed tools
 
 CLI_BIN        := kyverno-json
 CGO_ENABLED    ?= 0
-GOOS           ?= $(shell go env GOOS)
 ifdef VERSION
 LD_FLAGS       := "-s -w -X $(PACKAGE)/pkg/version.BuildVersion=$(VERSION)"
 else
@@ -104,17 +134,20 @@ build-wasm: fmt vet ## Build the wasm binary
 serve: build-wasm ## Serve static files.
 	python3 -m http.server -d playground/ 8080
 
+.PHONY: ko-build
+ko-build: $(KO) ## Build image (with ko)
+	@echo Build image with ko... >&2
+	@LDFLAGS=$(LD_FLAGS) KOCACHE=$(KO_CACHE) KO_DOCKER_REPO=$(KO_REGISTRY) \
+		$(KO) build . --preserve-import-paths --tags=$(KO_TAGS) --platform=$(LOCAL_PLATFORM)
+
 ###########
 # CODEGEN #
 ###########
 
-ORG                         ?= kyverno
-PACKAGE                     ?= github.com/$(ORG)/kyverno-json
 GOPATH_SHIM                 := ${PWD}/.gopath
 PACKAGE_SHIM                := $(GOPATH_SHIM)/src/$(PACKAGE)
 INPUT_DIRS                  := $(PACKAGE)/pkg/apis/v1alpha1
 CRDS_PATH                   := ${PWD}/config/crds
-KIND_IMAGE                  ?= kindest/node:v1.28.0
 INPUT_DIRS                  := $(PACKAGE)/pkg/apis/v1alpha1
 OUT_PACKAGE                 := $(PACKAGE)/pkg/client
 CLIENTSET_PACKAGE           := $(OUT_PACKAGE)/clientset
@@ -234,8 +267,29 @@ codegen-schema-json: codegen-schema-openapi ## Generate json schemas
 .PHONY: codegen-schema-all
 codegen-schema-all: codegen-schema-openapi codegen-schema-json ## Generate openapi and json schemas
 
+.PHONY: codegen-helm-crds
+codegen-helm-crds: codegen-crds ## Generate helm CRDs
+	@echo Generate helm crds... >&2
+	@cat $(CRDS_PATH)/* \
+		| $(SED) -e '1i{{- if .Values.crds.install }}' \
+		| $(SED) -e '$$a{{- end }}' \
+		| $(SED) -e '/^  annotations:/a \ \ \ \ {{- end }}' \
+ 		| $(SED) -e '/^  annotations:/a \ \ \ \ {{- toYaml . | nindent 4 }}' \
+		| $(SED) -e '/^  annotations:/a \ \ \ \ {{- with .Values.crds.annotations }}' \
+ 		| $(SED) -e '/^  annotations:/i \ \ labels:' \
+		| $(SED) -e '/^  labels:/a \ \ \ \ {{- end }}' \
+ 		| $(SED) -e '/^  labels:/a \ \ \ \ {{- toYaml . | nindent 4 }}' \
+		| $(SED) -e '/^  labels:/a \ \ \ \ {{- with .Values.crds.labels }}' \
+		| $(SED) -e '/^  labels:/a \ \ \ \ {{- include "kyverno-json.labels" . | nindent 4 }}' \
+ 		> ./charts/kyverno-json/templates/crds.yaml
+
+.PHONY: codegen-helm-docs
+codegen-helm-docs: ## Generate helm docs
+	@echo Generate helm docs... >&2
+	@docker run -v ${PWD}/charts:/work -w /work jnorwood/helm-docs:v1.11.0 -s file
+
 .PHONY: codegen
-codegen: codegen-crds codegen-deepcopy codegen-register codegen-client codegen-docs codegen-mkdocs codegen-schema-all ## Rebuild all generated code and docs
+codegen: codegen-crds codegen-deepcopy codegen-register codegen-client codegen-docs codegen-mkdocs codegen-schema-all codegen-helm-docs ## Rebuild all generated code and docs
 
 .PHONY: verify-codegen
 verify-codegen: codegen ## Verify all generated code and docs are up to date
@@ -258,10 +312,28 @@ tests: $(CLI_BIN) ## Run tests
 # KIND #
 ########
 
-.PHONY: kind-cluster
-kind-cluster: $(KIND) ## Create kind cluster
+.PHONY: kind-create
+kind-create: $(KIND) ## Create kind cluster
 	@echo Create kind cluster... >&2
-	@$(KIND) create cluster --image $(KIND_IMAGE)
+	@$(KIND) create cluster --name $(KIND_NAME) --image $(KIND_IMAGE)
+
+.PHONY: kind-delete
+kind-delete: $(KIND) ## Delete kind cluster
+	@echo Delete kind cluster... >&2
+	@$(KIND) delete cluster --name $(KIND_NAME)
+
+.PHONY: kind-load
+kind-load: $(KIND) ko-build ## Build image and load in kind cluster
+	@echo Load image... >&2
+	@$(KIND) load docker-image --name $(KIND_NAME) $(KO_REGISTRY)/$(PACKAGE):$(GIT_SHA)
+
+.PHONY: kind-install
+kind-install: $(HELM) kind-load ## Build image, load it in kind cluster and deploy helm chart
+	@echo Install chart... >&2
+	@$(HELM) upgrade --install kyverno-json --namespace kyverno-json --create-namespace --wait ./charts/kyverno-json \
+		--set image.registry=$(KO_REGISTRY) \
+		--set image.repository=$(PACKAGE) \
+		--set image.tag=$(GIT_SHA)
 
 ###########
 # INSTALL #

charts/kyverno-json/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/kyverno-json/Chart.yaml

@@ -0,0 +1,16 @@
+apiVersion: v2
+name: kyverno-json
+type: application
+version: 0.1.0
+appVersion: v0.1.0
+icon: https://github.com/kyverno/kyverno-json/blob/main/website/docs/static/kyverno-json-logo.png
+description: Kyverno for JSON
+keywords:
+  - kubernetes
+  - policy agent
+sources:
+  - https://github.com/kyverno/kyverno-json
+maintainers:
+  - name: Nirmata
+    url: https://kyverno.io/
+kubeVersion: ">=1.16.0-0"

charts/kyverno-json/README.md

@@ -0,0 +1,91 @@
+# kyverno-json
+
+Kyverno for JSON
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.1.0](https://img.shields.io/badge/AppVersion-v0.1.0-informational?style=flat-square)
+
+## About
+
+TODO
+
+## Features
+
+TODO
+
+## Installing the Chart
+
+Add `kyverno-json` Helm repository:
+
+```shell
+helm repo add kyverno-json https://kyverno.github.io/kyverno-json/
+```
+
+Install `kyverno-json` Helm chart:
+
+```shell
+helm install kyverno-json --namespace kyverno --create-namespace kyverno-json/kyverno-json
+```
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| nameOverride | string | `""` | Name override |
+| fullnameOverride | string | `""` | Full name override |
+| crds.install | bool | `true` | Whether to have Helm install the CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created |
+| crds.annotations | object | `{}` | Additional CRDs annotations |
+| crds.labels | object | `{}` | Additional CRDs labels |
+| replicaCount | int | `1` | Number of pod replicas |
+| image.registry | string | `"ghcr.io"` | Image registry |
+| image.repository | string | `"kyverno/kyverno-json"` | Image repository |
+| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
+| image.tag | string | `nil` | Image tag (will default to app version if not set) |
+| imagePullSecrets | list | `[]` | Image pull secrets |
+| priorityClassName | string | `""` | Priority class name |
+| serviceAccount.create | bool | `true` | Create service account |
+| serviceAccount.annotations | object | `{}` | Service account annotations |
+| serviceAccount.name | string | `""` | Service account name (required if `serviceAccount.create` is `false`) |
+| podAnnotations | object | `{}` | Pod annotations |
+| podSecurityContext | object | `{"fsGroup":2000}` | Pod security context |
+| securityContext | object | See [values.yaml](values.yaml) | Container security context |
+| service.type | string | `"ClusterIP"` | Service type |
+| service.port | int | `8080` | Service port |
+| ingress.enabled | bool | `false` | Enable ingress |
+| ingress.className | string | `""` | Ingress class name |
+| ingress.annotations | object | `{}` | Ingress annotations |
+| ingress.hosts | list | `[]` | Ingress hosts |
+| ingress.tls | list | `[]` | Ingress tls |
+| resources.limits | string | `nil` | Container resource limits |
+| resources.requests | string | `nil` | Container resource requests |
+| autoscaling.enabled | bool | `false` | Enable autoscaling |
+| autoscaling.minReplicas | int | `1` | Min number of replicas |
+| autoscaling.maxReplicas | int | `100` | Max number of replicas |
+| autoscaling.targetCPUUtilizationPercentage | int | `80` | Target CPU utilisation |
+| autoscaling.targetMemoryUtilizationPercentage | string | `nil` | Target Memory utilisation |
+| nodeSelector | object | `{}` | Node selector |
+| tolerations | list | `[]` | Tolerations |
+| affinity | object | `{}` | Affinity |
+| config.gin.mode | string | `"release"` | Gin mode (`release` or `debug`) |
+| config.gin.cors | bool | `false` | Gin cors middleware |
+| config.gin.logger | bool | `false` | Gin logger middleware |
+| config.gin.maxBodySize | int | `2097152` | Gin max body size |
+| config.server.host | string | `"0.0.0.0"` | Server host |
+| config.server.port | int | `8080` | Server port |
+| config.cluster | string | `nil` |  |
+
+## Source Code
+
+* <https://github.com/kyverno/kyverno-json>
+
+## Requirements
+
+Kubernetes: `>=1.16.0-0`
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| Nirmata |  | <https://kyverno.io/> |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)