

fix: embed upstream (#22)
* fix: embed upstream

Signed-off-by: Vishal Choudhary <[email protected]>

* fix: update config

Signed-off-by: Vishal Choudhary <[email protected]>

---------

Signed-off-by: Vishal Choudhary <[email protected]>
vishal-chdhry authored Nov 4, 2024
1 parent 3aa71ad commit 0d85004
Showing 36 changed files with 1,202 additions and 1,457 deletions.
3 changes: 3 additions & 0 deletions .github/kind.yml
Expand Up @@ -31,6 +31,9 @@ nodes:
- containerPort: 443
hostPort: 443
protocol: TCP
extraMounts:
- hostPath: /home/tmp
containerPath: /data
- role: worker
- role: worker
- role: worker
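Review bot: The new `extraMounts` entry carries no comment saying what on the node consumes `/data`, and nothing else in this commit visibly references that path; an `extraMounts` entry in a kind node config is a host bind mount, so the reader should be told why `/home/tmp` is exposed to the node. Suggest a comment above `extraMounts:` such as `# bind a host scratch dir into the control-plane node for <consumer — TODO confirm>`, or dropping the mount if the etcd volume claim in the chart does not depend on it. The `nodes:` list begins outside the hunk.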
8 changes: 6 additions & 2 deletions .github/workflows/codeql.yaml
Expand Up @@ -27,7 +27,7 @@ jobs:
with:
fetch-depth: 0
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef # v0.17.0
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
with:
scan-type: fs
ignore-unfixed: false
Expand All @@ -37,8 +37,12 @@ jobs:
scanners: vuln,secret
exit-code: '0'
vuln-type: os,library
env:
# Trivy is returning TOOMANYREQUESTS
# See: https://github.com/aquasecurity/trivy-action/issues/389#issuecomment-2385416577
TRIVY_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
with:
sarif_file: trivy-results.sarif
category: code
category: code
8 changes: 6 additions & 2 deletions .github/workflows/conformance-tests.yaml
Expand Up @@ -86,7 +86,11 @@ jobs:
- name: Install latest kyverno
run: |
set -e
kubectl create -f https://github.com/kyverno/kyverno/raw/main/config/install-latest-testing.yaml
set -e
export HELM=${{ steps.helm.outputs.helm-path }}
helm repo add kyverno https://kyverno.github.io/kyverno/
kubectl create namespace kyverno
helm install kyverno --namespace kyverno kyverno/kyverno --set features.policyExceptions.enabled=true --set features.policyExceptions.namespace='*'
- name: Wait for kyverno ready
run: |
set -e
Expand All @@ -96,7 +100,7 @@ jobs:
set -e
kubectl get apiservices v1alpha2.wgpolicyk8s.io v1.reports.kyverno.io
- name: Install Chainsaw
uses: kyverno/action-install-chainsaw@d1a61148c0437a66760d11d8575332305c2234cb # v0.2.10
uses: kyverno/action-install-chainsaw@d311eacde764f806c9658574ff64c9c3b21f8397 # v0.2.11
- name: Test with Chainsaw
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
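Review bot: The new install script exports `HELM` from `steps.helm.outputs.helm-path` but then invokes bare `helm`, so the export is dead and the step runs whichever `helm` is first on the runner PATH rather than the one the earlier step installed; it also repeats `set -e` (the retained context line above already sets it). Use the installed binary, `"$HELM" repo add kyverno https://kyverno.github.io/kyverno/` and `"$HELM" install kyverno --namespace kyverno kyverno/kyverno ...`, and drop the second `set -e`. Because the value is a step output rather than user-controlled input, interpolating `${{ ... }}` directly into the script is low risk here, but passing it through the step's `env:` block keeps expression interpolation out of shell text. The same unused `HELM` export appears in `.github/workflows/migration-tests.yaml`.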
9 changes: 6 additions & 3 deletions .github/workflows/migration-tests.yaml
Expand Up @@ -74,10 +74,13 @@ jobs:
run: |
set -e
kind create cluster --image kindest/node:${{ matrix.k8s-version.version }} --config ./.github/kind.yml
- name: Install kyverno v1.12.4
- name: Install kyverno
run: |
set -e
kubectl create -f https://github.com/kyverno/kyverno/raw/main/config/install-latest-testing.yaml
export HELM=${{ steps.helm.outputs.helm-path }}
helm repo add kyverno https://kyverno.github.io/kyverno/
kubectl create namespace kyverno
helm install kyverno --namespace kyverno kyverno/kyverno --set features.policyExceptions.enabled=true --set features.policyExceptions.namespace='*'
- name: Wait for kyverno ready
run: |
set -e
Expand Down Expand Up @@ -111,7 +114,7 @@ jobs:
set -e
kubectl get apiservices v1alpha2.wgpolicyk8s.io v1.reports.kyverno.io
- name: Install Chainsaw
uses: kyverno/action-install-chainsaw@d1a61148c0437a66760d11d8575332305c2234cb # v0.2.10
uses: kyverno/action-install-chainsaw@d311eacde764f806c9658574ff64c9c3b21f8397 # v0.2.11
- name: Test with Chainsaw
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
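Review bot: The step is renamed from `Install kyverno v1.12.4` to `Install kyverno` and now installs whatever the newest chart in the kyverno repo is, so a migration test no longer pins the version it migrates from and its outcome can change without any change in this repository. Pin it, e.g. `helm install kyverno --namespace kyverno kyverno/kyverno --version <pinned-chart-version> ...`, or at least record the intended baseline in the step name. The unused `HELM` export is the same issue noted on conformance-tests.yaml.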
14 changes: 7 additions & 7 deletions Makefile
Expand Up @@ -164,23 +164,23 @@ codegen-install-manifest: $(HELM) ## Create install manifest
| $(SED) -e '/^#.*/d' \
> ./config/install.yaml

codegen-install-manifest-inmemory: $(HELM) ## Create install manifest without postgres
codegen-install-manifest-etcd: $(HELM) ## Create install manifest without postgres
@echo Generate latest install manifest... >&2
@$(HELM) template reports-server --namespace reports-server ./charts/reports-server/ \
--set apiServicesManagement.installApiServices.enabled=true \
--set image.tag=latest \
--set config.debug=true \
--set config.etcd.enabled=true \
--set postgresql.enabled=false \
--set templating.enabled=true \
| $(SED) -e '/^#.*/d' \
> ./config/install-inmemory.yaml
> ./config/install-etcd.yaml

.PHONY: codegen
codegen: ## Rebuild all generated code and docs
codegen: codegen-helm-docs
codegen: codegen-openapi
codegen: codegen-install-manifest
codegen: codegen-install-manifest-inmemory
codegen: codegen-install-manifest-etcd

.PHONY: verify-codegen
verify-codegen: codegen ## Verify all generated code and docs are up to date
Expand Down Expand Up @@ -220,12 +220,12 @@ kind-install: $(HELM) kind-load ## Build image, load it in kind cluster and depl
--set image.repository=$(PACKAGE) \
--set image.tag=$(GIT_SHA)

.PHONY: kind-install-inmemory
kind-install-inmemory: $(HELM) kind-load ## Build image, load it in kind cluster and deploy helm chart
.PHONY: kind-install-etcd
kind-install-etcd: $(HELM) kind-load ## Build image, load it in kind cluster and deploy helm chart
@echo Install chart... >&2
@$(HELM) upgrade --install reports-server --namespace reports-server --create-namespace --wait ./charts/reports-server \
--set image.registry=$(KO_REGISTRY) \
--set config.debug=true \
--set config.etcd.enabled=true \
--set postgresql.enabled=false \
--set image.repository=$(PACKAGE) \
--set image.tag=$(GIT_SHA)
4 changes: 2 additions & 2 deletions charts/reports-server/Chart.yaml
@@ -1,8 +1,8 @@
apiVersion: v2
name: reports-server
type: application
version: 0.1.3
appVersion: v0.1.3
version: 0.1.4-alpha.0
appVersion: v0.1.4-alpha.0
keywords:
- kubernetes
- policy reports storage
8 changes: 5 additions & 3 deletions charts/reports-server/README.md
@@ -1,6 +1,6 @@
# reports-server

![Version: 0.1.3](https://img.shields.io/badge/Version-0.1.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.1.3](https://img.shields.io/badge/AppVersion-v0.1.3-informational?style=flat-square)
![Version: 0.1.4-alpha.0](https://img.shields.io/badge/Version-0.1.4--alpha.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.1.4-alpha.0](https://img.shields.io/badge/AppVersion-v0.1.4--alpha.0-informational?style=flat-square)

TODO

Expand All @@ -23,7 +23,7 @@ helm install reports-server --namespace reports-server --create-namespace report
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| cloudnative-pg.crds.create | bool | `false` | |
| postgresql.enabled | bool | `true` | Deploy postgresql dependency chart |
| postgresql.enabled | bool | `false` | Deploy postgresql dependency chart |
| postgresql.auth.postgresPassword | string | `"reports"` | |
| postgresql.auth.database | string | `"reportsdb"` | |
| nameOverride | string | `""` | Name override |
Expand Down Expand Up @@ -62,7 +62,9 @@ helm install reports-server --namespace reports-server --create-namespace report
| affinity | object | `{}` | Affinity |
| service.type | string | `"ClusterIP"` | Service type |
| service.port | int | `443` | Service port |
| config.debug | bool | `false` | Enable debug (to use inmemorydatabase) |
| config.etcd.enabled | bool | `true` | |
| config.etcd.endpoints | string | `nil` | |
| config.etcd.insecure | bool | `true` | |
| config.db.secretName | string | `""` | If set, database connection information will be read from the Secret with this name. Overrides `db.host`, `db.name`, `db.user`, and `db.password`. |
| config.db.host | string | `"reports-server-cluster-rw.reports-server"` | Database host |
| config.db.hostSecretKeyName | string | `"host"` | The database host will be read from this `key` in the specified Secret, when `db.secretName` is set. |
14 changes: 9 additions & 5 deletions charts/reports-server/templates/deployment.yaml
Expand Up @@ -37,8 +37,12 @@ spec:
containers:
- name: reports-server
args:
{{- if .Values.config.debug }}
- --debug
{{- if .Values.config.etcd.enabled }}
- --etcd
{{- if .Values.config.etcd.insecure }}
- --etcdSkipTLS
{{- end }}
- --etcdEndpoints=https://etcd-0.etcd.{{ $.Release.Namespace }}:2379,https://etcd-1.etcd.{{ $.Release.Namespace }}:2379,https://etcd-2.etcd.{{ $.Release.Namespace }}:2379
{{- else }}
- --dbhost={{ include "reports-server.dbHost" . }}
- --dbname={{ include "reports-server.dbName" . }}
Expand Down Expand Up @@ -79,15 +83,15 @@ spec:
{{- end}}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
volumeMounts:
- mountPath: /tmp
name: tmp-dir
image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: https
containerPort: 4443
protocol: TCP
volumeMounts:
- mountPath: /tmp
name: tmp-dir
{{- with .Values.livenessProbe }}
livenessProbe:
{{- toYaml . | nindent 12 }}
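Review bot: `config.etcd.endpoints` is introduced in values.yaml and the README in this same commit, but the template never reads it: `--etcdEndpoints` is hard-coded to the three `etcd-N.etcd.<release namespace>:2379` addresses, so a user who sets `config.etcd.endpoints` is silently ignored. Suggest `- --etcdEndpoints={{ .Values.config.etcd.endpoints | default (printf "https://etcd-0.etcd.%s:2379,https://etcd-1.etcd.%s:2379,https://etcd-2.etcd.%s:2379" $.Release.Namespace $.Release.Namespace $.Release.Namespace) }}`. The hard-coded addresses use the `https` scheme while the bundled StatefulSet in `templates/etcd.yaml` sets `URI_SCHEME` to `http`; whether `--etcdSkipTLS` makes the client fall back to plaintext is not visible here, so confirm against the server's flag handling. `--etcdSkipTLS` also disables certificate verification on the datastore connection and is emitted by default (`insecure: true`), which deserves an explicit mention in the chart docs. The `args:` list continues outside the hunk.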
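--- a/charts/reports-server/templates/etcd.yaml
+++ b/charts/reports-server/templates/etcd.yaml
@@ -0,0 +1,170 @@
+{{- if .Values.config.etcd.enabled }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+name: etcd
+namespace: {{ $.Release.Namespace }}
+labels:
+app: etcd-reports-server
+{{- include "reports-server.labels" . | nindent 4 }}
+spec:
+type: ClusterIP
+clusterIP: None
+selector:
+app: etcd-reports-server
+publishNotReadyAddresses: true
+ports:
+- name: etcd-client
+port: 2379
+- name: etcd-server
+port: 2380
+- name: etcd-metrics
+port: 8080
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+namespace: {{ include "reports-server.fullname" . }}
+name: etcd
+labels:
+app: etcd-reports-server
+{{- include "reports-server.labels" . | nindent 4 }}
+spec:
+serviceName: etcd
+replicas: 3
+podManagementPolicy: Parallel
+updateStrategy:
+type: RollingUpdate
+selector:
+matchLabels:
+app: etcd-reports-server
+template:
+metadata:
+labels:
+app: etcd-reports-server
+annotations:
+serviceName: etcd
+spec:
+affinity:
+podAntiAffinity:
+preferredDuringSchedulingIgnoredDuringExecution:
+- weight: 1
+podAffinityTerm:
+labelSelector:
+matchExpressions:
+- key: app
+operator: In
+values:
+- etcd-reports-server
+topologyKey: "kubernetes.io/hostname"
+containers:
+- name: etcd
+image: quay.io/coreos/etcd:v3.5.15
+imagePullPolicy: IfNotPresent
+ports:
+- name: etcd-client
+containerPort: 2379
+- name: etcd-server
+containerPort: 2380
+- name: etcd-metrics
+containerPort: 8080
+readinessProbe:
+httpGet:
+path: /readyz
+port: 8080
+initialDelaySeconds: 10
+periodSeconds: 5
+timeoutSeconds: 5
+successThreshold: 1
+failureThreshold: 30
+livenessProbe:
+httpGet:
+path: /livez
+port: 8080
+initialDelaySeconds: 15
+periodSeconds: 10
+timeoutSeconds: 5
+failureThreshold: 3
+env:
+- name: K8S_NAMESPACE
+valueFrom:
+fieldRef:
+fieldPath: metadata.namespace
+- name: HOSTNAME
+valueFrom:
+fieldRef:
+fieldPath: metadata.name
+- name: SERVICE_NAME
+valueFrom:
+fieldRef:
+fieldPath: metadata.annotations['serviceName']
+- name: ETCDCTL_ENDPOINTS
+value: $(HOSTNAME).$(SERVICE_NAME):2379
+## TLS client configuration for etcdctl in the container.
+## These files paths are part of the "etcd-client-certs" volume mount.
+# - name: ETCDCTL_KEY
+# value: /etc/etcd/certs/client/tls.key
+# - name: ETCDCTL_CERT
+# value: /etc/etcd/certs/client/tls.crt
+# - name: ETCDCTL_CACERT
+# value: /etc/etcd/certs/client/ca.crt
+##
+## Use this URI_SCHEME value for non-TLS clusters.
+- name: URI_SCHEME
+value: "http"
+## TLS: Use this URI_SCHEME for TLS clusters.
+# - name: URI_SCHEME
+# value: "https"
+command:
+- /usr/local/bin/etcd
+args:
+- --name=$(HOSTNAME)
+- --data-dir=/data
+- --wal-dir=/data/wal
+- --listen-peer-urls=$(URI_SCHEME)://0.0.0.0:2380
+- --listen-client-urls=$(URI_SCHEME)://0.0.0.0:2379
+- --advertise-client-urls=$(URI_SCHEME)://$(HOSTNAME).$(SERVICE_NAME):2379
+- --initial-cluster-state=new
+- --initial-cluster-token=etcd-$(K8S_NAMESPACE)
+- --initial-cluster=etcd-0=$(URI_SCHEME)://etcd-0.$(SERVICE_NAME):2380,etcd-1=$(URI_SCHEME)://etcd-1.$(SERVICE_NAME):2380,etcd-2=$(URI_SCHEME)://etcd-2.$(SERVICE_NAME):2380
+- --initial-advertise-peer-urls=$(URI_SCHEME)://$(HOSTNAME).$(SERVICE_NAME):2380
+- --listen-metrics-urls=http://0.0.0.0:8080
+# - --auto-compaction-mode=periodic
+# - --auto-compaction-retention=10m
+# - --client-cert-auth
+# - --trusted-ca-file=$(ETCDCTL_CACERT)
+# - --cert-file=$(ETCDCTL_CERT)
+# - --key-file=$(ETCDCTL_KEY)
+# - --peer-client-cert-auth
+# - --peer-trusted-ca-file=/etc/etcd/certs/server/ca.crt
+# - --peer-cert-file=/etc/etcd/certs/server/tls.crt
+# - --peer-key-file=/etc/etcd/certs/server/tls.key
+volumeMounts:
+- name: etcd-data
+mountPath: /data
+# - name: etcd-client-tls
+# mountPath: "/etc/etcd/certs/client"
+# readOnly: true
+# - name: etcd-server-tls
+# mountPath: "/etc/etcd/certs/server"
+# readOnly: true
+volumes:
+# - name: etcd-client-tls
+# secret:
+# secretName: etcd-client-tls
+# optional: false
+# - name: etcd-server-tls
+# secret:
+# secretName: etcd-server-tls
+# optional: false
+volumeClaimTemplates:
+- metadata:
+name: etcd-data
+spec:
+accessModes: ["ReadWriteOnce"]
+resources:
+requests:
+storage: 1Gi
+{{- end }}
+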
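Review bot: The StatefulSet's `namespace` is `{{ include "reports-server.fullname" . }}` while the Service just above uses `{{ $.Release.Namespace }}`; unless the release namespace happens to equal the chart fullname, the StatefulSet renders into a different (and possibly nonexistent) namespace, the headless Service selects no pods, and the `etcd-N.etcd.<release namespace>` addresses hard-coded in deployment.yaml never resolve. Change it to `namespace: {{ $.Release.Namespace }}`. With `URI_SCHEME` set to `"http"` and every TLS and `--client-cert-auth` line commented out, this etcd listens unauthenticated on `0.0.0.0:2379`, so any workload that can reach the pod can read or rewrite the stored reports without credentials; at minimum the chart should ship a NetworkPolicy restricting client traffic to the reports-server pods, and ideally wire the commented TLS block to a Secret and flip `URI_SCHEME` to `https` so it matches the scheme the deployment already uses. The etcd container also sets no `securityContext` or `resources`, unlike the reports-server container, which takes its `securityContext` from values.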
8 changes: 5 additions & 3 deletions charts/reports-server/values.yaml
Expand Up @@ -10,7 +10,7 @@ cloudnative-pg:
postgresql:

# -- Deploy postgresql dependency chart
enabled: true
enabled: false

auth:

Expand Down Expand Up @@ -166,8 +166,10 @@ service:

config:

# -- Enable debug (to use inmemorydatabase)
debug: false
etcd:
enabled: true
endpoints: ~
insecure: true

db:
# -- If set, database connection information will be read from the Secret with this name. Overrides `db.host`, `db.name`, `db.user`, and `db.password`.
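Review bot: The new `config.etcd` keys carry no `# --` helm-docs comments, which is why the README rows for `config.etcd.enabled`, `config.etcd.endpoints` and `config.etcd.insecure` in this commit have empty descriptions, and `insecure: true` is a security-relevant default (it makes the deployment emit `--etcdSkipTLS`) that the reader is never told about. Suggest `# -- Use the bundled etcd StatefulSet as the datastore instead of PostgreSQL` above `enabled`, `# -- etcd endpoints to connect to (not yet consumed by the deployment template)` above `endpoints`, and `# -- Skip TLS verification when connecting to etcd (passes --etcdSkipTLS); set to false once etcd serves TLS` above `insecure`. Writing the null as `null` instead of `~` also reads more clearly. The `config:` mapping continues outside the hunk.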
