feat(security-apps): add kyverno and kyverno-policies deployments (#1056

)
adfinis · Jun 21, 2023 · 084b2cc · 084b2cc
1 parent cd315cb
commit 084b2cc
Show file tree

Hide file tree

Showing 7 changed files with 160 additions and 36 deletions.
diff --git a/charts/security-apps/Chart.yaml b/charts/security-apps/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: security-apps
 description: Argo CD app-of-apps config for security applications
 type: application
-version: 0.74.0
+version: 0.75.0
 home: https://github.com/adfinis/helm-charts/tree/main/charts/security-apps
 sources:
   - https://github.com/adfinis/helm-charts
@@ -16,37 +16,8 @@ dependencies:
     repository: https://charts.adfinis.com
 annotations:
   artifacthub.io/changes: |
-    - kind: changed
-      description: |
-        vault: update upstream components
-
-        * csi: Add RBAC required by v1.3.0 to create secret for HMAC key used to generate secret versions [GH-872](https://github.com/hashicorp/vault-helm/pull/872)
-        * Earliest Kubernetes version tested is now 1.22
-        * `vault` updated to 1.13.1 [GH-863](https://github.com/hashicorp/vault-helm/pull/863)
-        * `vault-k8s` updated to 1.2.1 [GH-868](https://github.com/hashicorp/vault-helm/pull/868)
-        * `vault-csi-provider` updated to 1.3.0 [GH-749](https://github.com/hashicorp/vault-helm/pull/749)
-        * server: New `extraPorts` option for adding ports to the Vault server statefulset [GH-841](https://github.com/hashicorp/vault-helm/pull/841)
-        * server: Add configurable Port Number in readinessProbe and livenessProbe for the server-statefulset [GH-831](https://github.com/hashicorp/vault-helm/pull/831)
-        * injector: Make livenessProbe and readinessProbe configurable and add configurable startupProbe [GH-852](https://github.com/hashicorp/vault-helm/pull/852)
-        * csi: Add an Agent sidecar to Vault CSI Provider pods to provide lease caching and renewals [GH-749](https://github.com/hashicorp/vault-helm/pull/749)
-        * server: Add `extraLabels` for Vault server serviceAccount [GH-806](https://github.com/hashicorp/vault-helm/pull/806)
-        * server: Add `server.service.active.enabled` and `server.service.standby.enabled` options to selectively disable additional services [GH-811](https://github.com/hashicorp/vault-helm/pull/811)
-        * server: Add `server.serviceAccount.serviceDiscovery.enabled` option to selectively disable a Vault service discovery role and role binding [GH-811](https://github.com/hashicorp/vault-helm/pull/811)
-        * server: Add `server.service.instanceSelector.enabled` option to allow selecting pods outside the helm chart deployment [GH-813](https://github.com/hashicorp/vault-helm/pull/813)
-        * server: Quote `.server.ha.clusterAddr` value [GH-810](https://github.com/hashicorp/vault-helm/pull/810)
+    - kind: added
+      description: Add Kyverno, the Kubernetes native policy management engine/framework
       links:
-        - name: Changelog for 0.24.1
-          url: https://github.com/hashicorp/vault-helm/blob/main/CHANGELOG.md#0241-april-17-2023
-        - name: Changelog for 0.24.0
-          url: https://github.com/hashicorp/vault-helm/blob/main/CHANGELOG.md#0240-april-6-2023
-        - name: Changelog for 0.23.0
-          url: https://github.com/hashicorp/vault-helm/blob/main/CHANGELOG.md#0230-november-28th-2022
-    - kind: changed
-      description: "vault: update charts from 0.22.* to 0.24.1"
-      links:
-        - name: "fix: chart version for 0.24.1 release"
-          url: https://github.com/hashicorp/vault-helm/pull/880
-        - name: "chore: Prepare for 0.24.0 release"
-          url: https://github.com/hashicorp/vault-helm/pull/868
-        - name: "chore: Prepare for 0.23.0 release"
-          url: https://github.com/hashicorp/vault-helm/pull/814
+        - name: Kyverno
+          url: https://kyverno.io
diff --git a/charts/security-apps/README.md b/charts/security-apps/README.md
diff --git a/charts/security-apps/ci/default-values.yaml b/charts/security-apps/ci/default-values.yaml
@@ -38,6 +38,14 @@ neuvectorMonitor:
   enabled: true
   values: {}
 
-oaut2-proxy:
+oauth2-proxy:
   enabled: true
   values: {}
+
+kyverno:
+  enabled: true
+  values: {}
+
+kyvernoPolicies:
+  enabled: true
+  values: ()
diff --git a/charts/security-apps/examples/kyverno.yaml b/charts/security-apps/examples/kyverno.yaml
@@ -0,0 +1,19 @@
+# Simple Kyverno deployment
+#
+# This prepares everything for enabling Kyverno policies
+# but only enables sane defaults and in audit mode and
+# not enforce mode.
+
+kyverno:
+  enabled: true
+  values:
+    replicas: 3
+    grafana:
+      # create a ConfigMap containing a Grafana dashboard
+      enabled: true
+
+kyvernoPolicies:
+  enabled: true
+  values:
+    # uncomment the following line to enable enforcing policy
+    #validationFailureAction: Enforce
diff --git a/charts/security-apps/templates/kyverno-policies.yaml b/charts/security-apps/templates/kyverno-policies.yaml
@@ -0,0 +1,33 @@
+{{ if .Values.kyvernoPolicies.enabled }}
+{{ template "argoconfig.application" (list . "security-apps.kyvernoPolicies") }}
+{{ end }}
+
+{{- define "security-apps.kyvernoPolicies" -}}{{- $app := unset .Values.kyvernoPolicies "enabled" -}}{{- $name := default $app.destination.namespace $app.name -}}
+metadata:
+  name: {{ template "common.fullname" . }}-{{ $name }}
+spec:
+  {{- if $app.project }}
+  project: {{ $app.project | quote }}
+  {{- end }}
+  source:
+    repoURL: {{ $app.repoURL | quote }}
+    chart: {{ $app.chart | quote }}
+    targetRevision: {{ $app.targetRevision | quote }}
+    helm:
+      releaseName: {{ $name | quote }}
+      values: |-
+        nameOverride: {{ $name | quote }}
+        {{- $app.values | toYaml | nindent 8 }}
+  {{- if $app.destination }}
+  destination:
+    {{ $app.destination | toYaml | nindent 4 }}
+  {{- end }}
+  {{- if $app.syncPolicy }}
+  syncPolicy:
+    {{ $app.syncPolicy | toYaml | nindent 4 }}
+  {{- end }}
+  {{- if $app.ignoreDifferences }}
+  ignoreDifferences:
+    {{ $app.ignoreDifferences | toYaml | nindent 4 }}
+  {{- end }}
+{{- end -}}
diff --git a/charts/security-apps/templates/kyverno.yaml b/charts/security-apps/templates/kyverno.yaml
@@ -0,0 +1,33 @@
+{{ if .Values.kyverno.enabled }}
+{{ template "argoconfig.application" (list . "security-apps.kyverno") }}
+{{ end }}
+
+{{- define "security-apps.kyverno" -}}{{- $app := unset .Values.kyverno "enabled" -}}{{- $name := default $app.destination.namespace $app.name -}}
+metadata:
+  name: {{ template "common.fullname" . }}-{{ $name }}
+spec:
+  {{- if $app.project }}
+  project: {{ $app.project | quote }}
+  {{- end }}
+  source:
+    repoURL: {{ $app.repoURL | quote }}
+    chart: {{ $app.chart | quote }}
+    targetRevision: {{ $app.targetRevision | quote }}
+    helm:
+      releaseName: {{ $name | quote }}
+      values: |-
+        nameOverride: {{ $name | quote }}
+        {{- $app.values | toYaml | nindent 8 }}
+  {{- if $app.destination }}
+  destination:
+    {{ $app.destination | toYaml | nindent 4 }}
+  {{- end }}
+  {{- if $app.syncPolicy }}
+  syncPolicy:
+    {{ $app.syncPolicy | toYaml | nindent 4 }}
+  {{- end }}
+  {{- if $app.ignoreDifferences }}
+  ignoreDifferences:
+    {{ $app.ignoreDifferences | toYaml | nindent 4 }}
+  {{- end }}
+{{- end -}}
diff --git a/charts/security-apps/values.yaml b/charts/security-apps/values.yaml
@@ -287,3 +287,47 @@ oauth2Proxy:
   # -- Helm values
   # @default -- [upstream values](https://github.com/oauth2-proxy/manifests/blob/main/helm/oauth2-proxy/values.yaml)
   values: {}
+
+# -- [Kyverno](https://kyverno.io)
+# @default -- [example](./examples/kyverno.yaml)
+kyverno:
+  # -- Enable kyverno
+  enabled: false
+  name: kyverno
+  # -- Annotations for kyverno
+  annotations: {}
+  destination:
+  # -- Namespace
+    namespace: infra-kyverno
+  # -- Repo URL
+  # @default -- [repo](https://kyverno.github.io/kyverno/)
+  repoURL: https://kyverno.github.io/kyverno/
+  # -- Chart
+  chart: kyverno
+  # -- [kyverno Helm chart](https://github.com/kyverno/kyverno/tree/main/charts/kyverno)
+  targetRevision: 3.0.1
+  # -- Helm values
+  # @default -- [upstream values](https://github.com/kyverno/kyverno/blob/main/charts/kyverno/values.yaml)
+  values: {}
+
+# -- [Kyverno Policies](https://kyverno.io)
+# @default -- [example](./examples/kyverno.yaml)
+kyvernoPolicies:
+  # -- Enable kyverno-policies
+  enabled: false
+  name: kyverno-policies
+  # -- Annotations for kyverno
+  annotations: {}
+  destination:
+  # -- Namespace
+    namespace: infra-kyverno
+  # -- Repo URL
+  # @default -- [repo](https://kyverno.github.io/kyverno/)
+  repoURL: https://kyverno.github.io/kyverno/
+  # -- Chart
+  chart: kyverno-policies
+  # -- [kyverno Helm chart](https://github.com/kyverno/kyverno/tree/main/charts/kyverno-policies)
+  targetRevision: 3.0.0
+  # -- Helm values
+  # @default -- [upstream values](https://github.com/kyverno/kyverno/blob/main/charts/kyverno-policies/values.yaml)
+  values: {}