enable fips for reports-server (#523)

* enable fips for reports-server

* remove chart.lock

* feat: added rc charts for v1.13.4-n4k.nirmata.1

Signed-off-by: VedRatan <[email protected]>

* fix: lint

Signed-off-by: VedRatan <[email protected]>

* fix: lint

Signed-off-by: VedRatan <[email protected]>

---------

Signed-off-by: VedRatan <[email protected]>
Co-authored-by: VedRatan <[email protected]>

charts/nirmata/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v2
 type: application
 name: kyverno
-version: 3.3.4
-appVersion: v1.13.2-n4k.nirmata.4
+version: 3.3.5-rc1
+appVersion: v1.13.4-n4k.nirmata.1-rc1
 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
 description: Kubernetes Native Policy Management
 keywords:
@@ -45,12 +45,12 @@ annotations:
       description: ImagePullSecrets made configurable for tests
 dependencies:
 - name: reports-server
-  version: 0.1.6
+  version: 0.1.7-rc.7
   condition: reports-server.enabled
   repository: https://nirmata.github.io/reports-server
 - name: grafana
-  version: 3.3.4
+  version: 3.3.6
   condition: grafana.enabled
 - name: crds
-  version: 3.3.4
+  version: 3.3.6
   condition: crds.install

charts/nirmata/README.md

@@ -2,7 +2,7 @@
 
 Kubernetes Native Policy Management
 
-![Version: 3.3.4](https://img.shields.io/badge/Version-3.3.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.13.2](https://img.shields.io/badge/AppVersion-v1.13.2-informational?style=flat-square)
+![Version: 3.3.6](https://img.shields.io/badge/Version-3.3.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.13.2](https://img.shields.io/badge/AppVersion-v1.13.2-informational?style=flat-square)
 
 ## About
 
@@ -843,8 +843,8 @@ Kubernetes: `>=1.25.0-0`
 
 | Repository | Name | Version |
 |------------|------|---------|
-|  | crds | 3.3.4 |
-|  | grafana | 3.3.4 |
+|  | crds | 3.3.6 |
+|  | grafana | 3.3.6 |
 
 ## Maintainers
 

charts/nirmata/charts/crds/Chart.yaml

@@ -1,3 +1,3 @@
 apiVersion: v2
 name: crds
-version: 3.3.4
+version: 3.3.6

charts/nirmata/charts/crds/README.md

@@ -1,6 +1,6 @@
 # crds
 
-![Version: 3.3.4](https://img.shields.io/badge/Version-3.3.4-informational?style=flat-square)
+![Version: 3.3.6](https://img.shields.io/badge/Version-3.3.6-informational?style=flat-square)
 
 ## Values
 

charts/nirmata/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml

@@ -10381,6 +10381,12 @@ spec:
                   Optional. Default value is "true". The value must be set to "false" if the policy rule
                   uses variables that are only available in the admission review request (e.g. user name).
                 type: boolean
+              emitWarning:
+                default: false
+                description: |-
+                  EmitWarning enables API response warnings for mutate policy rules or validate policy rules with validationFailureAction set to Audit.
+                  Enabling this option will extend admission request processing times. The default value is "false".
+                type: boolean
               failurePolicy:
                 description: Deprecated, use failurePolicy under the webhookConfiguration
                   instead.

charts/nirmata/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml

@@ -10384,6 +10384,12 @@ spec:
                   Optional. Default value is "true". The value must be set to "false" if the policy rule
                   uses variables that are only available in the admission review request (e.g. user name).
                 type: boolean
+              emitWarning:
+                default: false
+                description: |-
+                  EmitWarning enables API response warnings for mutate policy rules or validate policy rules with validationFailureAction set to Audit.
+                  Enabling this option will extend admission request processing times. The default value is "false".
+                type: boolean
               failurePolicy:
                 description: Deprecated, use failurePolicy under the webhookConfiguration
                   instead.

charts/nirmata/charts/grafana/Chart.yaml

@@ -1,3 +1,3 @@
 apiVersion: v2
 name: grafana
-version: 3.3.4
+version: 3.3.6

charts/nirmata/charts/grafana/README.md

@@ -1,6 +1,6 @@
 # grafana
 
-![Version: 3.3.4](https://img.shields.io/badge/Version-3.3.4-informational?style=flat-square)
+![Version: 3.3.6](https://img.shields.io/badge/Version-3.3.6-informational?style=flat-square)
 
 ## Values
 

charts/nirmata/templates/_helpers/_image.tpl

@@ -5,7 +5,7 @@
 {{- if not (typeIs "string" $tag) -}}
   {{ fail "Image tags must be strings." }}
 {{- end -}}
-{{- $imageRegistry := default .image.registry .globalRegistry -}}
+{{- $imageRegistry := default (default .image.defaultRegistry .globalRegistry) .image.registry -}}
 {{- $fipsEnabled := .fipsEnabled -}}
 {{- if $imageRegistry -}}
   {{- if $fipsEnabled -}}

charts/nirmata/templates/admission-controller/deployment.yaml

@@ -94,7 +94,7 @@ spec:
           image: {{ include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.admissionController.initContainer.image "defaultTag" (default .Chart.AppVersion .Values.admissionController.container.image.tag) "fipsEnabled" .Values.fipsEnabled) | quote }}
           imagePullPolicy: {{ default .Values.admissionController.container.image.pullPolicy .Values.admissionController.initContainer.image.pullPolicy }}
           args:
-            {{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.admissionController.featuresOverride)
+            {{- include "kyverno.features.flags" (pick (mergeOverwrite (deepCopy .Values.features) .Values.admissionController.featuresOverride)
               "logging"
             ) | nindent 12 }}
             {{- range $key, $value := .Values.admissionController.initContainer.extraArgs }}

charts/nirmata/templates/background-controller/_helpers.tpl

@@ -20,7 +20,7 @@
 
 {{- define "kyverno.background-controller.image" -}}
 {{- $tag := default .defaultTag .image.tag -}}
-{{- $imageRegistry := default .image.registry .globalRegistry -}}
+{{- $imageRegistry := default (default .image.defaultRegistry .globalRegistry) .image.registry -}}
 {{- $fipsEnabled := .fipsEnabled -}}
 {{- if $imageRegistry -}}
     {{- if $fipsEnabled -}}

charts/nirmata/templates/background-controller/deployment.yaml

@@ -119,7 +119,7 @@ spec:
             - --imagePullSecrets={{- join "," (concat (keys .Values.imagePullSecrets) .Values.existingImagePullSecrets) }}
             {{- end }}
             - --resyncPeriod={{ .Values.backgroundController.resyncPeriod | default .Values.global.resyncPeriod }}
-            {{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.backgroundController.featuresOverride)
+            {{- include "kyverno.features.flags" (pick (mergeOverwrite (deepCopy .Values.features) .Values.backgroundController.featuresOverride)
               "reporting"
               "configMapCaching"
               "deferredLoading"

charts/nirmata/templates/cleanup-controller/_helpers.tpl

@@ -20,7 +20,7 @@
 
 {{- define "kyverno.cleanup-controller.image" -}}
 {{- $tag := default .defaultTag  .image.tag -}}
-{{- $imageRegistry := default .image.registry .globalRegistry -}}
+{{- $imageRegistry := default (default .image.defaultRegistry .globalRegistry) .image.registry -}}
 {{- $fipsEnabled := .fipsEnabled -}}
 {{- if $imageRegistry -}}
   {{- if $fipsEnabled -}}

charts/nirmata/templates/cleanup-controller/deployment.yaml

@@ -131,7 +131,7 @@ spec:
             - --transportCreds={{ . }}
             {{- end }}
             {{- end }}
-            {{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.cleanupController.featuresOverride)
+            {{- include "kyverno.features.flags" (pick (mergeOverwrite (deepCopy .Values.features) .Values.cleanupController.featuresOverride)
               "deferredLoading"
               "dumpPayload"
               "globalContext"

charts/nirmata/templates/config/_helpers.tpl

@@ -56,14 +56,27 @@
 
 {{- define "kyverno.config.webhooks" -}}
 {{- $excludeDefault := dict "key" "kubernetes.io/metadata.name" "operator" "NotIn" "values" (list (include "kyverno.namespace" .)) }}
-{{- $newWebhook := list }}
-{{- range $webhook := .Values.config.webhooks }}
-  {{- $namespaceSelector := default dict $webhook.namespaceSelector }}
-  {{- $matchExpressions := default list $namespaceSelector.matchExpressions }}
+{{- $webhooks := .Values.config.webhooks -}}
+{{- if $webhooks | typeIs "slice" -}}
+  {{- $newWebhooks := dict -}}
+  {{- range $index, $webhook := $webhooks -}}
+    {{- if $webhook.namespaceSelector -}}
+      {{- $namespaceSelector := $webhook.namespaceSelector }}
+      {{- $matchExpressions := default (list) $namespaceSelector.matchExpressions }}
+      {{- $newNamespaceSelector := dict "matchLabels" $namespaceSelector.matchLabels "matchExpressions" (append $matchExpressions $excludeDefault) }}
+      {{- $newWebhook := merge (omit $webhook "namespaceSelector") (dict "namespaceSelector" $newNamespaceSelector) }}
+      {{- $newWebhooks = merge $newWebhooks (dict $webhook.name $newWebhook) }}
+    {{- end -}}
+  {{- end -}}
+  {{- $newWebhooks | toJson }}
+{{- else -}}
+  {{- $webhook := $webhooks }}
+  {{- $namespaceSelector := default (dict) $webhook.namespaceSelector }}
+  {{- $matchExpressions := default (list) $namespaceSelector.matchExpressions }}
   {{- $newNamespaceSelector := dict "matchLabels" $namespaceSelector.matchLabels "matchExpressions" (append $matchExpressions $excludeDefault) }}
-  {{- $newWebhook = append $newWebhook (merge (omit $webhook "namespaceSelector") (dict "namespaceSelector" $newNamespaceSelector)) }}
-{{- end }}
-{{- $newWebhook | toJson }}
+  {{- $newWebhook := merge (omit $webhook "namespaceSelector") (dict "namespaceSelector" $newNamespaceSelector) }}
+  {{- $newWebhook | toJson }}
+{{- end -}}
 {{- end -}}
 
 {{- define "kyverno.config.imagePullSecret" -}}

charts/nirmata/templates/hooks/pre-delete-configmap.yaml

@@ -8,7 +8,7 @@ metadata:
   labels:
     {{- include "kyverno.hooks.labels" . | nindent 4 }}
   annotations:
-    helm.sh/hook: pre-delete
+    helm.sh/hook: post-delete
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
     helm.sh/hook-weight: "0"
 rules:
@@ -29,7 +29,7 @@ metadata:
   labels:
     {{- include "kyverno.hooks.labels" . | nindent 4 }}
   annotations:
-    helm.sh/hook: pre-delete
+    helm.sh/hook: post-delete
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
     helm.sh/hook-weight: "0"
 roleRef:
@@ -49,7 +49,7 @@ metadata:
   labels:
     {{- include "kyverno.hooks.labels" . | nindent 4 }}
   annotations:
-    helm.sh/hook: pre-delete
+    helm.sh/hook: post-delete
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
     helm.sh/hook-weight: "0"
 ---
@@ -61,7 +61,7 @@ metadata:
   labels:
     {{- include "kyverno.hooks.labels" . | nindent 4 }}
   annotations:
-    helm.sh/hook: pre-delete
+    helm.sh/hook: post-delete
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
     helm.sh/hook-weight: "10"
 spec:

charts/nirmata/templates/reports-controller/_helpers.tpl

@@ -20,7 +20,7 @@
 
 {{- define "kyverno.reports-controller.image" -}}
 {{- $tag := default .defaultTag .image.tag -}}
-{{- $imageRegistry := default .image.registry .globalRegistry -}}
+{{- $imageRegistry := default (default .image.defaultRegistry .globalRegistry) .image.registry -}}
 {{- $fipsEnabled := .fipsEnabled -}}
 {{- if $imageRegistry -}}
     {{- if $fipsEnabled -}}

charts/nirmata/templates/reports-controller/deployment.yaml

@@ -119,7 +119,7 @@ spec:
             - --imagePullSecrets={{- join "," (concat (keys .Values.imagePullSecrets) .Values.existingImagePullSecrets) }}
             {{- end }}
             - --resyncPeriod={{ .Values.reportsController.resyncPeriod | default .Values.global.resyncPeriod }}
-            {{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.reportsController.featuresOverride)
+            {{- include "kyverno.features.flags" (pick (mergeOverwrite (deepCopy .Values.features) .Values.reportsController.featuresOverride)
               "reporting"
               "admissionReports"
               "aggregateReports"

charts/nirmata/values.yaml

@@ -121,7 +121,8 @@ crds:
 
     image:
       # -- (string) Image registry
-      registry: reg.nirmata.io
+      registry: ~
+      defaultRegistry: reg.nirmata.io
       # -- (string) Image repository
       repository: nirmata/kyverno-cli
       # -- (string) Image tag
@@ -323,18 +324,16 @@ config:
   # -- Sets the threshold for the total number of UpdateRequests generated for mutateExisitng and generate policies.
   updateRequestThreshold: 1000
 
-  # -- Defines the `namespaceSelector` in the webhook configurations.
-  # Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element
-  # will be forwarded to the webhook configurations.
+  # -- Defines the `namespaceSelector`/`objectSelector` in the webhook configurations.
   # The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default)
   webhooks:
     # Exclude namespaces
-    - namespaceSelector:
-        matchExpressions:
-        - key: kubernetes.io/metadata.name
-          operator: NotIn
-          values:
-            - kube-system
+    namespaceSelector:
+      matchExpressions:
+      - key: kubernetes.io/metadata.name
+        operator: NotIn
+        values:
+          - kube-system
     # Exclude objects
     # - objectSelector:
     #     matchExpressions:
@@ -970,7 +969,8 @@ admissionController:
 
     image:
       # -- Image registry
-      registry: reg.nirmata.io
+      registry: ~
+      defaultRegistry: reg.nirmata.io
       # -- Image repository
       repository: nirmata/kyvernopre
       # -- (string) Image tag
@@ -1016,7 +1016,8 @@ admissionController:
 
     image:
       # -- Image registry
-      registry: reg.nirmata.io
+      registry: ~
+      defaultRegistry: reg.nirmata.io
       # -- Image repository
       repository: nirmata/kyverno
       # -- (string) Image tag
@@ -1233,7 +1234,8 @@ backgroundController:
 
   image:
     # -- Image registry
-    registry: reg.nirmata.io
+    registry: ~
+    defaultRegistry: reg.nirmata.io
     # -- Image repository
     repository: nirmata/background-controller
     # -- Image tag
@@ -1499,7 +1501,8 @@ cleanupController:
 
   image:
     # -- Image registry
-    registry: reg.nirmata.io
+    registry: ~
+    defaultRegistry: reg.nirmata.io
     # -- Image repository
     repository: nirmata/cleanup-controller
     # -- (string) Image tag
@@ -1815,7 +1818,8 @@ reportsController:
 
   image:
     # -- Image registry
-    registry: reg.nirmata.io
+    registry: ~
+    defaultRegistry: reg.nirmata.io
     # -- Image repository
     repository: nirmata/reports-controller
     # -- (string) Image tag
@@ -2071,6 +2075,7 @@ reportsController:
 
 reports-server:
   enabled: false
+  fipsEnabled: false
   # -- Internal settings used with `helm template` to generate install manifest
   # @ignored
   templating:
@@ -2347,3 +2352,6 @@ reports-server:
         - ALL
       seccompProfile:
         type: RuntimeDefault
+
+  # -- Enable sanity check for reports CRDs
+  sanityChecks: true