Merge pull request #43 from nirmata/cherry-pick-246

Cherry pick 246

.github/workflows/ct-lint.yaml

@@ -26,7 +26,7 @@ jobs:
       - name: Setup python
         uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
         with:
-          python-version: 3.8
+          python-version: 3.12
       - name: Set up chart-testing
         uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
       - name: Add missing Helm repositories

.github/workflows/helm-release.yaml

@@ -21,7 +21,7 @@ jobs:
         uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
       - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
         with:
-          python-version: 3.8
+          python-version: 3.12
       - name: Set up chart-testing
         uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
       - name: Run chart-testing (lint)

.golangci.yml

@@ -5,12 +5,12 @@ linters:
     - bidichk
     - bodyclose
     - containedctx
+    - copyloopvar
     - decorder
     - dogsled
     - durationcheck
     - errcheck
     - errname
-    - exportloopref
     - gci
     # - gochecknoinits
     - gofmt
@@ -30,20 +30,23 @@ linters:
     - nosprintfhostport
     # - paralleltest
     - staticcheck
-    - tenv
     - thelper
     - tparallel
     - typecheck
     - unconvert
     - unused
+    - usetesting
     - wastedassign
     - whitespace
 
 run:
   timeout: 15m
-  skip-files:
+
+issues:
+  exclude-files:
     - ".+\\.generated.go"
 
 output:
-  format: colored-line-number
-  sort-results: true
+  formats:
+    - format: colored-line-number
+  sort-results: true

charts/reports-server/README.md

@@ -40,7 +40,9 @@ helm install reports-server --namespace reports-server --create-namespace report
 | serviceAccount.annotations | object | `{}` | Service account annotations |
 | serviceAccount.name | string | `""` | Service account name (required if `serviceAccount.create` is `false`) |
 | podAnnotations | object | `{}` | Pod annotations |
+| commonLabels | object | `{}` | Labels to add to resources managed by the chart |
 | podSecurityContext | object | `{"fsGroup":2000}` | Pod security context |
+| podEnv | object | `{}` | Provide additional environment variables to the pods. Map with the same format as kubernetes deployment spec's env. |
 | securityContext | object | See [values.yaml](values.yaml) | Container security context |
 | livenessProbe | object | `{"failureThreshold":10,"httpGet":{"path":"/livez","port":"https","scheme":"HTTPS"},"initialDelaySeconds":20,"periodSeconds":10}` | Liveness probe |
 | readinessProbe | object | `{"failureThreshold":10,"httpGet":{"path":"/readyz","port":"https","scheme":"HTTPS"},"initialDelaySeconds":30,"periodSeconds":10}` | Readiness probe |
@@ -58,6 +60,10 @@ helm install reports-server --namespace reports-server --create-namespace report
 | autoscaling.maxReplicas | int | `100` | Max number of replicas |
 | autoscaling.targetCPUUtilizationPercentage | int | `80` | Target CPU utilisation |
 | autoscaling.targetMemoryUtilizationPercentage | string | `nil` | Target Memory utilisation |
+| pdb | object | `{"enabled":true,"maxUnavailable":"50%","minAvailable":null}` | Using a PDB is highly recommended for highly available deployments. Defaults to enabled. The default configuration doesn't prevent disruption when using a single replica |
+| pdb.enabled | bool | `true` | Enable PodDisruptionBudget |
+| pdb.minAvailable | string | `nil` | minAvailable pods for PDB, cannot be used together with maxUnavailable |
+| pdb.maxUnavailable | string | `"50%"` | maxUnavailable pods for PDB, will take precedence over minAvailable if both are defined |
 | nodeSelector | object | `{}` | Node selector |
 | tolerations | list | `[]` | Tolerations |
 | affinity | object | `{}` | Affinity |
@@ -69,6 +75,8 @@ helm install reports-server --namespace reports-server --create-namespace report
 | config.db.secretName | string | `""` | If set, database connection information will be read from the Secret with this name. Overrides `db.host`, `db.name`, `db.user`, and `db.password`. |
 | config.db.host | string | `"reports-server-cluster-rw.reports-server"` | Database host |
 | config.db.hostSecretKeyName | string | `"host"` | The database host will be read from this `key` in the specified Secret, when `db.secretName` is set. |
+| config.db.port | int | `5432` | Database port                                                                                                                                                                          |
+| config.db.portSecretKeyName | string | `"port"` | The database port will be read from this `key` in the specified Secret, when `db.secretName` is set. |
 | config.db.name | string | `"reportsdb"` | Database name |
 | config.db.dbNameSecretKeyName | string | `"dbname"` | The database name will be read from this `key` in the specified Secret, when `db.secretName` is set. |
 | config.db.user | string | `"app"` | Database user |
@@ -79,7 +87,7 @@ helm install reports-server --namespace reports-server --create-namespace report
 | config.db.sslrootcert | string | `""` | Database SSL root cert |
 | config.db.sslkey | string | `""` | Database SSL key |
 | config.db.sslcert | string | `""` | Database SSL cert |
-| apiServicesManagement.enabled | bool | `true` | Create a helm hooks to install and delete api services |
+| apiServicesManagement.enabled | bool | `true` | Create a helm hooks to delete api services on uninstall |
 | apiServicesManagement.installApiServices | object | `{"enabled":false,"installEphemeralReportsService":true}` | Install api services in manifest |
 | apiServicesManagement.installApiServices.enabled | bool | `false` | Store reports in reports-server |
 | apiServicesManagement.installApiServices.installEphemeralReportsService | bool | `true` | Store ephemeral reports in reports-server |

charts/reports-server/templates/_helpers.tpl

@@ -35,6 +35,9 @@ Common labels
 */}}
 {{- define "reports-server.labels" -}}
 helm.sh/chart: {{ include "reports-server.chart" . }}
+{{- if .Values.commonLabels }}
+{{ include "reports-server.commonLabels" . }}
+{{- end }}
 {{ include "reports-server.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
@@ -50,6 +53,15 @@ app.kubernetes.io/name: {{ include "reports-server.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
+{{/*
+Common labels
+*/}}
+{{- define "reports-server.commonLabels" -}}
+{{- with .Values.commonLabels }}
+{{- toYaml . }}
+{{- end }}
+{{- end }}
+
 {{/*
 Create the name of the service account to use
 */}}
@@ -62,37 +74,60 @@ Create the name of the service account to use
 {{- end }}
 
 {{/*
-Database config is injected into the environment, if a secret ref is set. Otherwise, Helm values are used directly.
+Database config is injected into the environment and passed to the command line from there, if secretName is set, the values will be read from there .
 */}}
 {{- define "reports-server.dbHost" -}}
-{{- if .Values.config.db.secretName }}
-{{- printf "%s" "$(DB_HOST)" }}
-{{- else }}
-{{- default (printf "%s-postgresql.%s" $.Release.Name $.Release.Namespace ) .Values.config.db.host }}
+{{- if .Values.config.db.secretName -}}
+valueFrom:
+  secretKeyRef:
+    key: {{ .Values.config.db.hostSecretKeyName }}
+    name: {{ .Values.config.db.secretName }}
+{{- else -}}
+value: {{ default (printf "%s-postgresql.%s" $.Release.Name $.Release.Namespace ) .Values.config.db.host | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "reports-server.dbPort" -}}
+{{- if .Values.config.db.secretName -}}
+valueFrom:
+  secretKeyRef:
+    key: {{ .Values.config.db.portSecretKeyName }}
+    name: {{ .Values.config.db.secretName }}
+{{- else -}}
+value: {{ .Values.config.db.port | quote }}
 {{- end }}
 {{- end }}
 
 {{- define "reports-server.dbName" -}}
-{{- if .Values.config.db.secretName }}
-{{- printf "%s" "$(DB_DATABASE)" }}
-{{- else }}
-{{- .Values.config.db.name }}
+{{- if .Values.config.db.secretName -}}
+valueFrom:
+  secretKeyRef:
+    key: {{ .Values.config.db.dbNameSecretKeyName }}
+    name: {{ .Values.config.db.secretName }}
+{{- else -}}
+value: {{ .Values.config.db.name | quote }}
 {{- end }}
 {{- end }}
 
 {{- define "reports-server.dbUser" -}}
-{{- if .Values.config.db.secretName }}
-{{- printf "%s" "$(DB_USER)" }}
-{{- else }}
-{{- .Values.config.db.user }}
+{{- if .Values.config.db.secretName -}}
+valueFrom:
+  secretKeyRef:
+    key: {{ .Values.config.db.userSecretKeyName }}
+    name: {{ .Values.config.db.secretName }}
+{{- else -}}
+value: {{ .Values.config.db.user | quote }}
 {{- end }}
 {{- end }}
 
 {{- define "reports-server.dbPassword" -}}
-{{- if .Values.config.db.secretName }}
-{{- printf "%s" "$(DB_PASSWORD)" }}
-{{- else }}
-{{- .Values.config.db.password }}
+{{- if .Values.config.db.secretName -}}
+valueFrom:
+  secretKeyRef:
+    key: {{ .Values.config.db.passwordSecretKeyName }}
+    name: {{ .Values.config.db.secretName }}
+{{- else -}}
+value: {{ .Values.config.db.password | quote }}
 {{- end }}
 {{- end }}
 

charts/reports-server/templates/cluster-roles.yaml

@@ -29,7 +29,12 @@ rules:
     - update
     - watch
     - deletecollection
-{{- if .Values.apiServicesManagement.enabled }}
+- apiGroups:
+    - ""
+  resources:
+    - namespaces
+  verbs:
+    - get
 - apiGroups:
     - apiregistration.k8s.io
   resources:
@@ -48,7 +53,6 @@ rules:
   resourceNames:
     - v1.reports.kyverno.io
     - v1alpha2.wgpolicyk8s.io
-{{- end }}
 - apiGroups:
     - wgpolicyk8s.io
   resources:

charts/reports-server/templates/deployment.yaml

@@ -1,3 +1,4 @@
+{{- $env := .Values.podEnv }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -22,7 +23,7 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:
-        {{- include "reports-server.selectorLabels" . | nindent 8 }}
+        {{- include "reports-server.labels" . | nindent 8 }}
     spec:
       {{- with .Values.priorityClassName }}
       priorityClassName: {{ . }}
@@ -44,10 +45,6 @@ spec:
             {{- end }}
             - --etcdEndpoints=https://etcd-0.etcd.{{ $.Release.Namespace }}:2379,https://etcd-1.etcd.{{ $.Release.Namespace }}:2379,https://etcd-2.etcd.{{ $.Release.Namespace }}:2379
             {{- else }}
-            - --dbhost={{ include "reports-server.dbHost" . }}
-            - --dbname={{ include "reports-server.dbName" . }}
-            - --dbuser={{ include "reports-server.dbUser" . }}
-            - --dbpassword={{ include "reports-server.dbPassword" . }}
             - --dbsslmode={{ .Values.config.db.sslmode }}
             - --dbsslrootcert={{ .Values.config.db.sslrootcert }}
             - --dbsslkey={{ .Values.config.db.sslkey }}
@@ -58,29 +55,25 @@ spec:
             {{- if .Values.metrics.enabled }}
             - --authorization-always-allow-paths=/metrics
             {{- end }}
-          {{- if .Values.config.db.secretName }}
           env:
-            - name: DB_HOST
+            - name: GOMEMLIMIT
               valueFrom:
-                secretKeyRef:
-                  key: {{ .Values.config.db.hostSecretKeyName }}
-                  name: {{ .Values.config.db.secretName }}
+                resourceFieldRef:
+                  resource: limits.memory
+                  divisor: '1'
+            - name: DB_HOST
+              {{- include "reports-server.dbHost" . | nindent 14 }}
+            - name: DB_PORT
+              {{- include "reports-server.dbPort" . | nindent 14 }}
             - name: DB_DATABASE
-              valueFrom:
-                secretKeyRef:
-                  key: {{ .Values.config.db.dbNameSecretKeyName }}
-                  name: {{ .Values.config.db.secretName }}
+              {{- include "reports-server.dbName" . | nindent 14 }}
             - name: DB_USER
-              valueFrom:
-                secretKeyRef:
-                  key: {{ .Values.config.db.userSecretKeyName }}
-                  name: {{ .Values.config.db.secretName }}
+              {{- include "reports-server.dbUser" . | nindent 14 }}
             - name: DB_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  key: {{ .Values.config.db.passwordSecretKeyName }}
-                  name: {{ .Values.config.db.secretName }}
-          {{- end}}
+              {{- include "reports-server.dbPassword" . | nindent 14 }}
+          {{- with $env }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
           volumeMounts:

charts/reports-server/templates/hooks/pre-delete-api-service-cleanup.yaml

@@ -19,10 +19,11 @@ spec:
       annotations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.apiServicesManagement.podLabels }}
       labels:
+      {{- with .Values.apiServicesManagement.podLabels }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- include "reports-server.labels" . | nindent 8 }}
     spec:
       serviceAccount: {{ include "reports-server.serviceAccountName" . }}
       {{- with .Values.apiServicesManagement.podSecurityContext }}

charts/reports-server/templates/pod-disruption-budget.yaml

@@ -0,0 +1,18 @@
+{{- if eq .Values.pdb.enabled true }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "reports-server.fullname" . }}
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    {{- include "reports-server.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "reports-server.name" . }}
+  {{- if .Values.pdb.maxUnavailable }}
+  maxUnavailable: {{ .Values.pdb.maxUnavailable }}
+  {{- else if .Values.pdb.minAvailable }}
+  minAvailable: {{ .Values.pdb.minAvailable }}
+  {{- end }}
+{{- end }}

charts/reports-server/values.yaml

@@ -56,10 +56,16 @@ serviceAccount:
 # -- Pod annotations
 podAnnotations: {}
 
+# -- Labels to add to resources managed by the chart
+commonLabels: {}
+
 # -- Pod security context
 podSecurityContext:
   fsGroup: 2000
 
+# -- Provide additional environment variables to the pods. Map with the same format as kubernetes deployment spec's env.
+podEnv: {}
+
 # -- Container security context
 # @default -- See [values.yaml](values.yaml)
 securityContext:
@@ -148,6 +154,16 @@ autoscaling:
   # -- Target Memory utilisation
   targetMemoryUtilizationPercentage: ~
 
+
+# -- Using a PDB is highly recommended for highly available deployments. Defaults to enabled. The default configuration doesn't prevent disruption when using a single replica
+pdb:
+  # -- Enable PodDisruptionBudget
+  enabled: true
+  # -- minAvailable pods for PDB, cannot be used together with maxUnavailable
+  minAvailable: ~
+  # -- maxUnavailable pods for PDB, will take precedence over minAvailable if both are defined
+  maxUnavailable: 50%
+
 # -- Node selector
 nodeSelector: {}
 
@@ -180,6 +196,11 @@ config:
     # -- The database host will be read from this `key` in the specified Secret, when `db.secretName` is set.
     hostSecretKeyName: "host"
 
+    # -- Database port
+    port: 5432
+    # -- The database port will be read from this `key` in the specified Secret, when `db.secretName` is set.
+    portSecretKeyName: "port"
+
     # -- Database name
     name: reportsdb
     # -- The database name will be read from this `key` in the specified Secret, when `db.secretName` is set.
@@ -210,7 +231,7 @@ config:
     sslcert: ""
 
 apiServicesManagement:
-  # -- Create a helm hooks to install and delete api services
+  # -- Create a helm hooks to delete api services on uninstall
   enabled: true
 
   # -- Install api services in manifest