diff --git a/charts/security-apps/Chart.yaml b/charts/security-apps/Chart.yaml index f9972bd2e..38bb554f5 100644 --- a/charts/security-apps/Chart.yaml +++ b/charts/security-apps/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: security-apps description: Argo CD app-of-apps config for security applications type: application -version: 0.74.0 +version: 0.75.0 home: https://github.com/adfinis/helm-charts/tree/main/charts/security-apps sources: - https://github.com/adfinis/helm-charts 
@@ -16,37 +16,8 @@ dependencies: repository: https://charts.adfinis.com annotations: artifacthub.io/changes: | - - kind: changed - description: | - vault: update upstream components - - * csi: Add RBAC required by v1.3.0 to create secret for HMAC key used to generate secret versions [GH-872](https://github.com/hashicorp/vault-helm/pull/872) - * Earliest Kubernetes version tested is now 1.22 - * `vault` updated to 1.13.1 [GH-863](https://github.com/hashicorp/vault-helm/pull/863) - * `vault-k8s` updated to 1.2.1 [GH-868](https://github.com/hashicorp/vault-helm/pull/868) - * `vault-csi-provider` updated to 1.3.0 [GH-749](https://github.com/hashicorp/vault-helm/pull/749) - * server: New `extraPorts` option for adding ports to the Vault server statefulset [GH-841](https://github.com/hashicorp/vault-helm/pull/841) - * server: Add configurable Port Number in readinessProbe and livenessProbe for the server-statefulset [GH-831](https://github.com/hashicorp/vault-helm/pull/831) - * injector: Make livenessProbe and readinessProbe configurable and add configurable startupProbe [GH-852](https://github.com/hashicorp/vault-helm/pull/852) - * csi: Add an Agent sidecar to Vault CSI Provider pods to provide lease caching and renewals [GH-749](https://github.com/hashicorp/vault-helm/pull/749) - * server: Add `extraLabels` for Vault server serviceAccount [GH-806](https://github.com/hashicorp/vault-helm/pull/806) - * server: Add `server.service.active.enabled` and `server.service.standby.enabled` options to selectively disable additional services [GH-811](https://github.com/hashicorp/vault-helm/pull/811) - * server: Add `server.serviceAccount.serviceDiscovery.enabled` option to selectively disable a Vault service discovery role and role binding [GH-811](https://github.com/hashicorp/vault-helm/pull/811) - * server: Add `server.service.instanceSelector.enabled` option to allow selecting pods outside the helm chart deployment [GH-813](https://github.com/hashicorp/vault-helm/pull/813) - * 
server: Quote `.server.ha.clusterAddr` value [GH-810](https://github.com/hashicorp/vault-helm/pull/810) + - kind: added + description: Add Kyverno, the Kubernetes native policy management engine/framework links: - - name: Changelog for 0.24.1 - url: https://github.com/hashicorp/vault-helm/blob/main/CHANGELOG.md#0241-april-17-2023 - - name: Changelog for 0.24.0 - url: https://github.com/hashicorp/vault-helm/blob/main/CHANGELOG.md#0240-april-6-2023 - - name: Changelog for 0.23.0 - url: https://github.com/hashicorp/vault-helm/blob/main/CHANGELOG.md#0230-november-28th-2022 - - kind: changed - description: "vault: update charts from 0.22.* to 0.24.1" - links: - - name: "fix: chart version for 0.24.1 release" - url: https://github.com/hashicorp/vault-helm/pull/880 - - name: "chore: Prepare for 0.24.0 release" - url: https://github.com/hashicorp/vault-helm/pull/868 - - name: "chore: Prepare for 0.23.0 release" - url: https://github.com/hashicorp/vault-helm/pull/814 + - name: Kyverno + url: https://kyverno.io diff --git a/charts/security-apps/README.md b/charts/security-apps/README.md index 1a56c0328..b11bf9ebf 100644 --- a/charts/security-apps/README.md +++ b/charts/security-apps/README.md @@ -1,6 +1,6 @@ # security-apps -![Version: 0.74.0](https://img.shields.io/badge/Version-0.74.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.75.0](https://img.shields.io/badge/Version-0.75.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) Argo CD app-of-apps config for security applications 
@@ -66,6 +66,22 @@ This chart is maintained by [Adfinis](https://adfinis.com/?pk_campaign=github&pk | gatekeeper.repoURL | string | [repo](https://open-policy-agent.github.io/gatekeeper/charts) | Repo URL | | gatekeeper.targetRevision | string | `"3.10.0"` | [gatekeeper Helm chart](https://github.com/open-policy-agent/gatekeeper/tree/master/charts/gatekeeper) version | | gatekeeper.values | object | [upstream values](https://github.com/open-policy-agent/gatekeeper/blob/master/charts/gatekeeper/values.yaml) | Helm values | +| kyverno | object | [example](./examples/kyverno.yaml) | [Kyverno](https://kyverno.io) | +| kyverno.annotations | object | `{}` | Annotations for kyverno | +| kyverno.chart | string | `"kyverno"` | Chart | +| kyverno.destination.namespace | string | `"infra-kyverno"` | Namespace | +| kyverno.enabled | bool | `false` | Enable kyverno | +| kyverno.repoURL | string | [repo](https://kyverno.github.io/kyverno/) | Repo URL | +| kyverno.targetRevision | string | `"3.0.1"` | [kyverno Helm chart](https://github.com/kyverno/kyverno/tree/main/charts/kyverno) | +| kyverno.values | object | [upstream values](https://github.com/kyverno/kyverno/blob/main/charts/kyverno/values.yaml) | Helm values | +| kyvernoPolicies | object | [example](./examples/kyverno.yaml) | [Kyverno Policies](https://kyverno.io) | +| kyvernoPolicies.annotations | object | `{}` | Annotations for kyverno | +| kyvernoPolicies.chart | string | `"kyverno-policies"` | Chart | +| kyvernoPolicies.destination.namespace | string | `"infra-kyverno"` | Namespace | +| kyvernoPolicies.enabled | bool | `false` | Enable kyverno-policies | +| kyvernoPolicies.repoURL | string | [repo](https://kyverno.github.io/kyverno/) | Repo URL | +| kyvernoPolicies.targetRevision | string | `"3.0.0"` | [kyverno Helm chart](https://github.com/kyverno/kyverno/tree/main/charts/kyverno-policies) | +| kyvernoPolicies.values | object | [upstream 
values](https://github.com/kyverno/kyverno/blob/main/charts/kyverno-policies/values.yaml) | Helm values | | neuvector | object | - | [NeuVector](https://github.com/neuvector/neuvector) ([example](./example/neuvector.yaml)) | | neuvector.chart | string | `"core"` | Chart | | neuvector.destination.namespace | string | `"infra-neuvector"` | Namespace | diff --git a/charts/security-apps/ci/default-values.yaml b/charts/security-apps/ci/default-values.yaml index a8a3de616..dd081eb29 100644 --- a/charts/security-apps/ci/default-values.yaml +++ b/charts/security-apps/ci/default-values.yaml @@ -38,6 +38,14 @@ neuvectorMonitor: enabled: true values: {} -oaut2-proxy: +oauth2-proxy: enabled: true values: {} + +kyverno: + enabled: true + values: {} + +kyvernoPolicies: + enabled: true + values: () diff --git a/charts/security-apps/examples/kyverno.yaml b/charts/security-apps/examples/kyverno.yaml new file mode 100644 index 000000000..c388c9e2d --- /dev/null +++ b/charts/security-apps/examples/kyverno.yaml @@ -0,0 +1,19 @@ +# Simple Kyverno deployment +# +# This prepares everything for enabling Kyverno policies +# but only enables sane defaults and in audit mode and +# not enforce mode. + +kyverno: + enabled: true + values: + replicas: 3 + grafana: + # create a ConfigMap containing a Grafana dashboard + enabled: true + +kyvernoPolicies: + enabled: true + values: + # uncomment the following line to enable enforcing policy + #validationFailureAction: Enforce diff --git a/charts/security-apps/templates/kyverno-policies.yaml b/charts/security-apps/templates/kyverno-policies.yaml new file mode 100644 index 000000000..38a3cad69 --- /dev/null +++ b/charts/security-apps/templates/kyverno-policies.yaml 
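Review bot: `values: ()` on the new `kyvernoPolicies` stanza at the end of the ci/default-values.yaml hunk is a plain scalar string, not the empty mapping `{}` that the other stanzas in the hunk use; rendered through `{{- $app.values | toYaml | nindent 8 }}` in templates/kyverno-policies.yaml it lands as a bare `()` token under `nameOverride:` inside the Application's `values: |-` block, an invalid values document that `helm template` and chart-testing cannot catch because the block is an opaque string. Change it to `values: {}`. Separately, the typo fix `oaut2-proxy` → `oauth2-proxy` still does not match the key the chart reads: the values.yaml hunk header in this same commit shows it as `oauth2Proxy:`, so unless this CI file is consumed by something other than the chart, that stanza still enables nothing and `oauth2Proxy:` is the key to use.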
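Review bot: In examples/kyverno.yaml the `kyvernoPolicies.values:` key has only commented-out children, so it parses as `null`; `toYaml` of nil renders `null` under `nameOverride:` in the Application's `values: |-` block (templates/kyverno-policies.yaml), which breaks the policies release until the reader uncomments a line. Keep the mapping explicit, `values: {}`, and move the two comment lines above it. The header comment should also say how the two Applications are ordered: the policies chart creates Kyverno custom resources whose CRDs come from the `kyverno` Application, and nothing in the example sequences them. If `argoconfig.application` honours the `annotations` key (not visible here), an `argocd.argoproj.io/sync-wave` annotation on `kyvernoPolicies` is the place to express that; otherwise the comment should tell the reader to sync `kyverno` first.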
@@ -0,0 +1,33 @@ +{{ if .Values.kyvernoPolicies.enabled }} +{{ template "argoconfig.application" (list . "security-apps.kyvernoPolicies") }} +{{ end }} + +{{- define "security-apps.kyvernoPolicies" -}}{{- $app := unset .Values.kyvernoPolicies "enabled" -}}{{- $name := default $app.destination.namespace $app.name -}} +metadata: + name: {{ template "common.fullname" . }}-{{ $name }} +spec: + {{- if $app.project }} + project: {{ $app.project | quote }} + {{- end }} + source: + repoURL: {{ $app.repoURL | quote }} + chart: {{ $app.chart | quote }} + targetRevision: {{ $app.targetRevision | quote }} + helm: + releaseName: {{ $name | quote }} + values: |- + nameOverride: {{ $name | quote }} + {{- $app.values | toYaml | nindent 8 }} + {{- if $app.destination }} + destination: + {{ $app.destination | toYaml | nindent 4 }} + {{- end }} + {{- if $app.syncPolicy }} + syncPolicy: + {{ $app.syncPolicy | toYaml | nindent 4 }} + {{- end }} + {{- if $app.ignoreDifferences }} + ignoreDifferences: + {{ $app.ignoreDifferences | toYaml | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/charts/security-apps/templates/kyverno.yaml b/charts/security-apps/templates/kyverno.yaml new file mode 100644 index 000000000..db2253c9b --- /dev/null +++ b/charts/security-apps/templates/kyverno.yaml 
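Review bot: `{{- $name := default $app.destination.namespace $app.name -}}` on the define line dereferences `$app.destination` unconditionally, while the later `{{- if $app.destination }}` treats the key as optional; if a user drops `destination` from their values, Helm aborts the render (nil pointer evaluating `.namespace`) before that guard is reached. Either drop the guard, since destination is effectively required, or make the lookup tolerant, e.g. `{{- $name := default (dig "destination" "namespace" "" $app) $app.name -}}`. The same pattern is in templates/kyverno.yaml. Likewise `{{- $app.values | toYaml | nindent 8 }}` accepts any value type: a null or scalar `values` (the CI file in this commit sets `()`) renders a bare token under `nameOverride:` inside the `values: |-` string, which `helm template` does not validate. Guarding it with `{{- if not (kindIs "map" $app.values) }}{{ fail "kyvernoPolicies.values must be a map" }}{{- end }}` would surface the mistake at template time instead of at Argo CD sync.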
@@ -0,0 +1,33 @@ +{{ if .Values.kyverno.enabled }} +{{ template "argoconfig.application" (list . "security-apps.kyverno") }} +{{ end }} + +{{- define "security-apps.kyverno" -}}{{- $app := unset .Values.kyverno "enabled" -}}{{- $name := default $app.destination.namespace $app.name -}} +metadata: + name: {{ template "common.fullname" . }}-{{ $name }} +spec: + {{- if $app.project }} + project: {{ $app.project | quote }} + {{- end }} + source: + repoURL: {{ $app.repoURL | quote }} + chart: {{ $app.chart | quote }} + targetRevision: {{ $app.targetRevision | quote }} + helm: + releaseName: {{ $name | quote }} + values: |- + nameOverride: {{ $name | quote }} + {{- $app.values | toYaml | nindent 8 }} + {{- if $app.destination }} + destination: + {{ $app.destination | toYaml | nindent 4 }} + {{- end }} + {{- if $app.syncPolicy }} + syncPolicy: + {{ $app.syncPolicy | toYaml | nindent 4 }} + {{- end }} + {{- if $app.ignoreDifferences }} + ignoreDifferences: + {{ $app.ignoreDifferences | toYaml | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/charts/security-apps/values.yaml b/charts/security-apps/values.yaml index d5e28bbb1..050242788 100644 --- a/charts/security-apps/values.yaml +++ b/charts/security-apps/values.yaml 
@@ -287,3 +287,47 @@ oauth2Proxy: # -- Helm values # @default -- [upstream values](https://github.com/oauth2-proxy/manifests/blob/main/helm/oauth2-proxy/values.yaml) values: {} + +# -- [Kyverno](https://kyverno.io) +# @default -- [example](./examples/kyverno.yaml) +kyverno: + # -- Enable kyverno + enabled: false + name: kyverno + # -- Annotations for kyverno + annotations: {} + destination: + # -- Namespace + namespace: infra-kyverno + # -- Repo URL + # @default -- [repo](https://kyverno.github.io/kyverno/) + repoURL: https://kyverno.github.io/kyverno/ + # -- Chart + chart: kyverno + # -- [kyverno Helm chart](https://github.com/kyverno/kyverno/tree/main/charts/kyverno) + targetRevision: 3.0.1 + # -- Helm values + # @default -- [upstream values](https://github.com/kyverno/kyverno/blob/main/charts/kyverno/values.yaml) + values: {} + +# -- [Kyverno Policies](https://kyverno.io) +# @default -- [example](./examples/kyverno.yaml) +kyvernoPolicies: + # -- Enable kyverno-policies + enabled: false + name: kyverno-policies + # -- Annotations for kyverno + annotations: {} + destination: + # -- Namespace + namespace: infra-kyverno + # -- Repo URL + # @default -- [repo](https://kyverno.github.io/kyverno/) + repoURL: https://kyverno.github.io/kyverno/ + # -- Chart + chart: kyverno-policies + # -- [kyverno Helm chart](https://github.com/kyverno/kyverno/tree/main/charts/kyverno-policies) + targetRevision: 3.0.0 + # -- Helm values + # @default -- [upstream values](https://github.com/kyverno/kyverno/blob/main/charts/kyverno-policies/values.yaml) + values: {}
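Review bot: The helm-docs comments in the `kyvernoPolicies` stanza were copied from `kyverno` without adjustment: `# -- Annotations for kyverno` above `annotations: {}` and `# -- [kyverno Helm chart](…/charts/kyverno-policies)` above `targetRevision: 3.0.0`, and the README rows added in this commit repeat both. Change them to `# -- Annotations for kyverno-policies` and `# -- [kyverno-policies Helm chart](https://github.com/kyverno/kyverno/tree/main/charts/kyverno-policies) version`. The new `name: kyverno` and `name: kyverno-policies` keys carry no `# --` comment, so helm-docs leaves them out of the README (there is no `kyverno.name` row) even though the templates use `$app.name` for the Application name suffix, `releaseName` and `nameOverride`; a line such as `# -- Application name suffix; also used as Helm release name and nameOverride` above each would close that gap. Finally, `targetRevision: 3.0.1` and `3.0.0` are strings only because they contain two dots; a future `3.10` would be read as the float `3.1` before the template's `| quote` sees it, so quoting them (`targetRevision: "3.0.1"`) is safer.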