From 0cab3a970fa61d6584e5d74508b507f4262ed7a5 Mon Sep 17 00:00:00 2001 From: Rafael da Fonseca Date: Fri, 7 Feb 2025 15:29:54 +0000 Subject: [PATCH 01/14] Fix outdated/removed python version (#245) * Fix outdated/removed python version Signed-off-by: Rafael da Fonseca * Fix outdated/removed python version Signed-off-by: Rafael da Fonseca --------- Signed-off-by: Rafael da Fonseca --- .github/workflows/ct-lint.yaml | 2 +- .github/workflows/helm-release.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ct-lint.yaml b/.github/workflows/ct-lint.yaml index 03f59ea5..5aba207f 100644 --- a/.github/workflows/ct-lint.yaml +++ b/.github/workflows/ct-lint.yaml @@ -26,7 +26,7 @@ jobs: - name: Setup python uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 with: - python-version: 3.8 + python-version: 3.12 - name: Set up chart-testing uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 - name: Add missing Helm repositories diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml index 570273d3..ea541ca4 100644 --- a/.github/workflows/helm-release.yaml +++ b/.github/workflows/helm-release.yaml @@ -21,7 +21,7 @@ jobs: uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 with: - python-version: 3.8 + python-version: 3.12 - name: Set up chart-testing uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 - name: Run chart-testing (lint) From 746b4ddda300e958a4ee48282ac5423870274a2f Mon Sep 17 00:00:00 2001 From: Rafael da Fonseca Date: Fri, 7 Feb 2025 16:28:03 +0000 Subject: [PATCH 02/14] feat: Add PodDisruptionBudget to helm chart (#246) * feat: Add PodDisruptionBudget to helm chart Signed-off-by: Rafael da Fonseca * Specify namespace in pdb 
Signed-off-by: Rafael da Fonseca * Fix outdated/removed python version (#245) * Fix outdated/removed python version Signed-off-by: Rafael da Fonseca * Fix outdated/removed python version Signed-off-by: Rafael da Fonseca --------- Signed-off-by: Rafael da Fonseca * fix: codegen Signed-off-by: Vishal Choudhary Signed-off-by: Rafael da Fonseca --------- Signed-off-by: Rafael da Fonseca Signed-off-by: Vishal Choudhary Co-authored-by: Vishal Choudhary --- charts/reports-server/README.md | 4 ++++ .../templates/pod-disruption-budget.yaml | 16 ++++++++++++++++ charts/reports-server/values.yaml | 10 ++++++++++ config/install-etcd.yaml | 11 +++++++++++ config/install.yaml | 11 +++++++++++ 5 files changed, 52 insertions(+) create mode 100644 charts/reports-server/templates/pod-disruption-budget.yaml diff --git a/charts/reports-server/README.md b/charts/reports-server/README.md index b2603e51..0550a8a6 100644 --- a/charts/reports-server/README.md +++ b/charts/reports-server/README.md 
@@ -58,6 +58,10 @@ helm install reports-server --namespace reports-server --create-namespace report | autoscaling.maxReplicas | int | `100` | Max number of replicas | | autoscaling.targetCPUUtilizationPercentage | int | `80` | Target CPU utilisation | | autoscaling.targetMemoryUtilizationPercentage | string | `nil` | Target Memory utilisation | +| pdb | object | `{"enabled":true,"maxUnavailable":"50%","minAvailable":null}` | Using a PDB is highly recommended for highly available deployments. Defaults to enabled. The default configuration doesn't prevent disruption when using a single replica | +| pdb.enabled | bool | `true` | Enable PodDisruptionBudget | +| pdb.minAvailable | string | `nil` | minAvailable pods for PDB, cannot be used together with maxUnavailable | +| pdb.maxUnavailable | string | `"50%"` | maxUnavailable pods for PDB, will take precedence over minAvailable if both are defined | | nodeSelector | object | `{}` | Node selector | | tolerations | list | `[]` | Tolerations | | affinity | object | `{}` | Affinity | diff --git a/charts/reports-server/templates/pod-disruption-budget.yaml b/charts/reports-server/templates/pod-disruption-budget.yaml new file mode 100644 index 00000000..df35a9e5 --- /dev/null +++ b/charts/reports-server/templates/pod-disruption-budget.yaml @@ -0,0 +1,16 @@ +{{- if eq .Values.pdb.enabled true }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "reports-server.fullname" . }} + namespace: {{ $.Release.Namespace }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: {{ include "reports-server.name" . }} + {{- if .Values.pdb.maxUnavailable }} + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + {{- else if .Values.pdb.minAvailable }} + minAvailable: {{ .Values.pdb.minAvailable }} + {{- end }} +{{- end }} diff --git a/charts/reports-server/values.yaml b/charts/reports-server/values.yaml index 96b74992..0e8814a0 100644 --- a/charts/reports-server/values.yaml 
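Review bot: The PDB selector in pod-disruption-budget.yaml matches only `app.kubernetes.io/name`, while the chart's selector labels (the `reports-server.selectorLabels` context visible later in this series) appear to carry `app.kubernetes.io/instance` as well, so two releases in one namespace would share a single budget; `{{- include "reports-server.selectorLabels" . | nindent 6 }}` under `matchLabels` keeps the PDB aligned with the Deployment. `{{- if .Values.pdb.maxUnavailable }}` also treats an integer `0` as unset, so `maxUnavailable: 0` (the value that forbids every voluntary eviction) is silently dropped and the template falls through to `minAvailable`; `{{- if not (kindIs "invalid" .Values.pdb.maxUnavailable) }}` tests for presence instead. `{{- if eq .Values.pdb.enabled true }}` can simply be `{{- if .Values.pdb.enabled }}`.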
+++ b/charts/reports-server/values.yaml @@ -148,6 +148,16 @@ autoscaling: # -- Target Memory utilisation targetMemoryUtilizationPercentage: ~ + +# -- Using a PDB is highly recommended for highly available deployments. Defaults to enabled. The default configuration doesn't prevent disruption when using a single replica +pdb: + # -- Enable PodDisruptionBudget + enabled: true + # -- minAvailable pods for PDB, cannot be used together with maxUnavailable + minAvailable: ~ + # -- maxUnavailable pods for PDB, will take precedence over minAvailable if both are defined + maxUnavailable: 50% + # -- Node selector nodeSelector: {} diff --git a/config/install-etcd.yaml b/config/install-etcd.yaml index 2d123ddd..7b9ef1e1 100644 --- a/config/install-etcd.yaml +++ b/config/install-etcd.yaml @@ -4,6 +4,17 @@ kind: Namespace metadata: name: reports-server --- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: reports-server + namespace: reports-server +spec: + selector: + matchLabels: + app.kubernetes.io/name: reports-server + maxUnavailable: 50% +--- apiVersion: v1 kind: ServiceAccount metadata: diff --git a/config/install.yaml b/config/install.yaml index 2d123ddd..7b9ef1e1 100644 --- a/config/install.yaml +++ b/config/install.yaml @@ -4,6 +4,17 @@ kind: Namespace metadata: name: reports-server --- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: reports-server + namespace: reports-server +spec: + selector: + matchLabels: + app.kubernetes.io/name: reports-server + maxUnavailable: 50% +--- apiVersion: v1 kind: ServiceAccount metadata: From 91911d68ff5327bc9f0423f5a7bca63d7d8fd968 Mon Sep 17 00:00:00 2001 From: Rafael da Fonseca Date: Fri, 7 Feb 2025 16:44:55 +0000 Subject: [PATCH 03/14] Add env options (#247) * Add GOMEMLIMIT by default * Add GOMEMLIMIT by default, allow user to configure additional env variables on the deployment Signed-off-by: Rafael da Fonseca --------- 
Signed-off-by: Rafael da Fonseca Co-authored-by: Vishal Choudhary --- charts/reports-server/README.md | 1 + charts/reports-server/templates/deployment.yaml | 11 ++++++++++- charts/reports-server/values.yaml | 3 +++ config/install-etcd.yaml | 6 ++++++ config/install.yaml | 6 ++++++ 5 files changed, 26 insertions(+), 1 deletion(-) diff --git a/charts/reports-server/README.md b/charts/reports-server/README.md index 0550a8a6..4e8bc02d 100644 --- a/charts/reports-server/README.md +++ b/charts/reports-server/README.md @@ -41,6 +41,7 @@ helm install reports-server --namespace reports-server --create-namespace report | serviceAccount.name | string | `""` | Service account name (required if `serviceAccount.create` is `false`) | | podAnnotations | object | `{}` | Pod annotations | | podSecurityContext | object | `{"fsGroup":2000}` | Pod security context | +| podEnv | object | `{}` | Provide additional environment variables to the pods. Map with the same format as kubernetes deployment spec's env. | | securityContext | object | See [values.yaml](values.yaml) | Container security context | | livenessProbe | object | `{"failureThreshold":10,"httpGet":{"path":"/livez","port":"https","scheme":"HTTPS"},"initialDelaySeconds":20,"periodSeconds":10}` | Liveness probe | | readinessProbe | object | `{"failureThreshold":10,"httpGet":{"path":"/readyz","port":"https","scheme":"HTTPS"},"initialDelaySeconds":30,"periodSeconds":10}` | Readiness probe | diff --git a/charts/reports-server/templates/deployment.yaml b/charts/reports-server/templates/deployment.yaml index 5cb9489f..b33f6b5a 100644 --- a/charts/reports-server/templates/deployment.yaml +++ b/charts/reports-server/templates/deployment.yaml @@ -1,3 +1,4 @@ +{{- $env := .Values.podEnv }} apiVersion: apps/v1 kind: Deployment metadata: 
@@ -58,8 +59,16 @@ spec: {{- if .Values.metrics.enabled }} - --authorization-always-allow-paths=/metrics {{- end }} - {{- if .Values.config.db.secretName }} env: + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + divisor: '1' + {{- with $env }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if .Values.config.db.secretName }} - name: DB_HOST valueFrom: secretKeyRef: diff --git a/charts/reports-server/values.yaml b/charts/reports-server/values.yaml index 0e8814a0..03289442 100644 --- a/charts/reports-server/values.yaml +++ b/charts/reports-server/values.yaml @@ -60,6 +60,9 @@ podAnnotations: {} podSecurityContext: fsGroup: 2000 +# -- Provide additional environment variables to the pods. Map with the same format as kubernetes deployment spec's env. +podEnv: {} + # -- Container security context # @default -- See [values.yaml](values.yaml) securityContext: diff --git a/config/install-etcd.yaml b/config/install-etcd.yaml index 7b9ef1e1..4d97afd4 100644 --- a/config/install-etcd.yaml +++ b/config/install-etcd.yaml @@ -277,6 +277,12 @@ spec: - --cert-dir=/tmp - --secure-port=4443 - --authorization-always-allow-paths=/metrics + env: + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + divisor: '1' securityContext: allowPrivilegeEscalation: false capabilities: diff --git a/config/install.yaml b/config/install.yaml index 7b9ef1e1..4d97afd4 100644 --- a/config/install.yaml +++ b/config/install.yaml @@ -277,6 +277,12 @@ spec: - --cert-dir=/tmp - --secure-port=4443 - --authorization-always-allow-paths=/metrics + env: + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + divisor: '1' securityContext: allowPrivilegeEscalation: false capabilities: From 4c248c9f59d25c468209db38e945ca2caf0182cb Mon Sep 17 00:00:00 2001 
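Review bot: `GOMEMLIMIT` is taken from `resourceFieldRef: limits.memory`, but when the container has no memory limit the downward API substitutes the node's allocatable memory, so the Go runtime is handed a ceiling far above what the pod should use and the setting is effectively inert; the generated install manifests later in this series show `limits: null`, so that appears to be the default. Gating the entry on the chart's resource limits (that field is not visible in this hunk) or stating the behaviour next to the entry, e.g. `# GOMEMLIMIT only bounds the Go heap when a memory limit is set on the container`, would make this explicit. Because `{{- with $env }}` is rendered after the fixed entries, a `podEnv` item named `GOMEMLIMIT` yields a duplicate env name rather than a clean override; if overriding is meant to be supported, say so in the values comment. The enclosing container spec starts and ends outside the hunk.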
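Review bot: `podEnv: {}` defaults to a map, but deployment.yaml splices the value into the container's `env:` list with `toYaml`, so the only shape that renders valid YAML is a list; `podEnv: []` as the default and `# -- Additional environment variables for the pods, a list in the same format as the deployment spec's env` as the comment would match what the template expects. The README row added in this patch repeats the same "Map" wording.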
From: Rafael da Fonseca Date: Sat, 8 Feb 2025 04:24:49 +0000 Subject: [PATCH 04/14] Allow using secret injection on env vars, e.g. using vault-env (#248) * Allow using secret injection on env vars, e.g. using vault-env Signed-off-by: Rafael da Fonseca * Fix report-server init when reading from env vars Signed-off-by: Rafael da Fonseca --------- Signed-off-by: Rafael da Fonseca --- charts/reports-server/templates/_helpers.tpl | 57 +++++++++++++------ .../reports-server/templates/deployment.yaml | 39 +++++-------- config/install-etcd.yaml | 10 ++++ config/install.yaml | 22 ++++++- 4 files changed, 83 insertions(+), 45 deletions(-) diff --git a/charts/reports-server/templates/_helpers.tpl b/charts/reports-server/templates/_helpers.tpl index fd749890..e2b1af74 100644 --- a/charts/reports-server/templates/_helpers.tpl +++ b/charts/reports-server/templates/_helpers.tpl 
@@ -62,37 +62,60 @@ Create the name of the service account to use {{- end }} {{/* -Database config is injected into the environment, if a secret ref is set. Otherwise, Helm values are used directly. +Database config is injected into the environment and passed to the command line from there, if secretName is set, the values will be read from there . */}} {{- define "reports-server.dbHost" -}} -{{- if .Values.config.db.secretName }} -{{- printf "%s" "$(DB_HOST)" }} -{{- else }} -{{- default (printf "%s-postgresql.%s" $.Release.Name $.Release.Namespace ) .Values.config.db.host }} +{{- if .Values.config.db.secretName -}} +valueFrom: + secretKeyRef: + key: {{ .Values.config.db.hostSecretKeyName }} + name: {{ .Values.config.db.secretName }} +{{- else -}} +value: {{ default (printf "%s-postgresql.%s" $.Release.Name $.Release.Namespace ) .Values.config.db.host | quote }} +{{- end }} +{{- end }} + +{{- define "reports-server.dbPort" -}} +{{- if .Values.config.db.secretName -}} +valueFrom: + secretKeyRef: + key: {{ .Values.config.db.portSecretKeyName }} + name: {{ .Values.config.db.secretName }} +{{- else -}} +value: {{ .Values.config.db.port | quote }} {{- end }} {{- end }} {{- define "reports-server.dbName" -}} -{{- if .Values.config.db.secretName }} -{{- printf "%s" "$(DB_DATABASE)" }} -{{- else }} -{{- .Values.config.db.name }} +{{- if .Values.config.db.secretName -}} +valueFrom: + secretKeyRef: + key: {{ .Values.config.db.dbNameSecretKeyName }} + name: {{ .Values.config.db.secretName }} +{{- else -}} +value: {{ .Values.config.db.name | quote }} {{- end }} {{- end }} {{- define "reports-server.dbUser" -}} -{{- if .Values.config.db.secretName }} -{{- printf "%s" "$(DB_USER)" }} -{{- else }} -{{- .Values.config.db.user }} +{{- if .Values.config.db.secretName -}} +valueFrom: + secretKeyRef: + key: {{ .Values.config.db.userSecretKeyName }} + name: {{ .Values.config.db.secretName }} +{{- else -}} +value: {{ .Values.config.db.user | quote }} {{- end }} {{- end }} {{- define 
"reports-server.dbPassword" -}} -{{- if .Values.config.db.secretName }} -{{- printf "%s" "$(DB_PASSWORD)" }} -{{- else }} -{{- .Values.config.db.password }} +{{- if .Values.config.db.secretName -}} +valueFrom: + secretKeyRef: + key: {{ .Values.config.db.passwordSecretKeyName }} + name: {{ .Values.config.db.secretName }} +{{- else -}} +value: {{ .Values.config.db.password | quote }} {{- end }} {{- end }} diff --git a/charts/reports-server/templates/deployment.yaml b/charts/reports-server/templates/deployment.yaml index b33f6b5a..d3cad1d1 100644 --- a/charts/reports-server/templates/deployment.yaml +++ b/charts/reports-server/templates/deployment.yaml @@ -45,10 +45,11 @@ spec: {{- end }} - --etcdEndpoints=https://etcd-0.etcd.{{ $.Release.Namespace }}:2379,https://etcd-1.etcd.{{ $.Release.Namespace }}:2379,https://etcd-2.etcd.{{ $.Release.Namespace }}:2379 {{- else }} - - --dbhost={{ include "reports-server.dbHost" . }} - - --dbname={{ include "reports-server.dbName" . }} - - --dbuser={{ include "reports-server.dbUser" . }} - - --dbpassword={{ include "reports-server.dbPassword" . }} + - --dbhost=$(DB_HOST) + - --dbport=$(DB_PORT) + - --dbuser=$(DB_USER) + - --dbpassword=$(DB_PASSWORD) + - --dbname=$(DB_DATABASE) - --dbsslmode={{ .Values.config.db.sslmode }} - --dbsslrootcert={{ .Values.config.db.sslrootcert }} - --dbsslkey={{ .Values.config.db.sslkey }} 
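Review bot: When `config.db.secretName` is empty, each helper renders the credential inline (`value: {{ .Values.config.db.password | quote }}`), so the database password lands in the Deployment's pod spec and is readable by anyone with `get` on pods or deployments; the generated config/install.yaml in this patch shows the result as `DB_PASSWORD value: "reports"`. The previous template had the same exposure through the `--dbpassword` argument, so this is not a regression, but since the helpers now emit a `valueFrom` block anyway, the chart could create a Secret from the values when `secretName` is unset and always reference it through `secretKeyRef`, keeping plaintext out of the pod spec. The new `reports-server.dbPort` helper references `.Values.config.db.portSecretKeyName`, which does not appear in the values.yaml or README changes in this series; if it is not declared, the rendered `key:` will be empty whenever a secret is used, so worth confirming. The rewritten comment also has a stray space in `from there .`.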
@@ -65,31 +66,19 @@ spec: resourceFieldRef: resource: limits.memory divisor: '1' - {{- with $env }} - {{- toYaml . | nindent 12 }} - {{- end }} - {{- if .Values.config.db.secretName }} - name: DB_HOST - valueFrom: - secretKeyRef: - key: {{ .Values.config.db.hostSecretKeyName }} - name: {{ .Values.config.db.secretName }} + {{- include "reports-server.dbHost" . | nindent 14 }} + - name: DB_PORT + {{- include "reports-server.dbPort" . | nindent 14 }} - name: DB_DATABASE - valueFrom: - secretKeyRef: - key: {{ .Values.config.db.dbNameSecretKeyName }} - name: {{ .Values.config.db.secretName }} + {{- include "reports-server.dbName" . | nindent 14 }} - name: DB_USER - valueFrom: - secretKeyRef: - key: {{ .Values.config.db.userSecretKeyName }} - name: {{ .Values.config.db.secretName }} + {{- include "reports-server.dbUser" . | nindent 14 }} - name: DB_PASSWORD - valueFrom: - secretKeyRef: - key: {{ .Values.config.db.passwordSecretKeyName }} - name: {{ .Values.config.db.secretName }} - {{- end}} + {{- include "reports-server.dbPassword" . | nindent 14 }} + {{- with $env }} + {{- toYaml . | nindent 12 }} + {{- end }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} volumeMounts: diff --git a/config/install-etcd.yaml b/config/install-etcd.yaml index 4d97afd4..6671f960 100644 --- a/config/install-etcd.yaml +++ b/config/install-etcd.yaml @@ -283,6 +283,16 @@ spec: resourceFieldRef: resource: limits.memory divisor: '1' + - name: DB_HOST + value: "reports-server-postgresql.reports-server" + - name: DB_PORT + value: "5432" + - name: DB_DATABASE + value: "reportsdb" + - name: DB_USER + value: "postgres" + - name: DB_PASSWORD + value: "reports" securityContext: allowPrivilegeEscalation: false capabilities: diff --git a/config/install.yaml b/config/install.yaml index 4d97afd4..c76756df 100644 --- a/config/install.yaml +++ b/config/install.yaml 
@@ -271,9 +271,15 @@ spec: containers: - name: reports-server args: - - --etcd - - --etcdSkipTLS - - --etcdEndpoints=https://etcd-0.etcd.reports-server:2379,https://etcd-1.etcd.reports-server:2379,https://etcd-2.etcd.reports-server:2379 + - --dbhost=$(DB_HOST) + - --dbport=$(DB_PORT) + - --dbuser=$(DB_USER) + - --dbpassword=$(DB_PASSWORD) + - --dbname=$(DB_DATABASE) + - --dbsslmode=disable + - --dbsslrootcert= + - --dbsslkey= + - --dbsslcert= - --cert-dir=/tmp - --secure-port=4443 - --authorization-always-allow-paths=/metrics @@ -283,6 +289,16 @@ spec: resourceFieldRef: resource: limits.memory divisor: '1' + - name: DB_HOST + value: "reports-server-postgresql.reports-server" + - name: DB_PORT + value: "5432" + - name: DB_DATABASE + value: "reportsdb" + - name: DB_USER + value: "postgres" + - name: DB_PASSWORD + value: "reports" securityContext: allowPrivilegeEscalation: false capabilities: From 3219ef0eab3e6c2ce923796dc43533f36833001b Mon Sep 17 00:00:00 2001 From: Rafael da Fonseca Date: Thu, 13 Feb 2025 13:06:09 +0000 Subject: [PATCH 05/14] =?UTF-8?q?Fix=20variable=20injection,=20add=20commo?= =?UTF-8?q?n=20labels=20to=20all=20resources,=20fix=20requi=E2=80=A6=20(#2?= =?UTF-8?q?56)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Fix variable injection, add common labels to all resources, fix required options not being passed when etcd is enabled, fix apiservice management always required in clusterrole 
Signed-off-by: Rafael da Fonseca Fix: allow env variable injection to work for database secrets Fix: Add missing labels to pdb Fix: apiservice management permissions should always be required due to automatic migration code Fix: some required command line options were not being added when using etcd as a database Feat: Add commonLabels input variable, which allows adding arbitrary labels to all resources managed by the chart --- .golangci.yml | 13 +++++---- charts/reports-server/README.md | 7 +++-- charts/reports-server/templates/_helpers.tpl | 12 ++++++++ .../templates/cluster-roles.yaml | 8 ++++-- .../reports-server/templates/deployment.yaml | 7 +---- .../hooks/pre-delete-api-service-cleanup.yaml | 3 +- .../templates/pod-disruption-budget.yaml | 2 ++ charts/reports-server/values.yaml | 5 +++- config/install-etcd.yaml | 13 +++++++++ config/install.yaml | 14 ++++++---- pkg/app/opts/options.go | 28 +++++++++++++++---- 11 files changed, 84 insertions(+), 28 deletions(-) diff --git a/.golangci.yml b/.golangci.yml index 67ed877a..c5cbe30f 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -5,12 +5,12 @@ linters: - bidichk - bodyclose - containedctx + - copyloopvar - decorder - dogsled - durationcheck - errcheck - errname - - exportloopref - gci # - gochecknoinits - gofmt @@ -30,20 +30,23 @@ linters: - nosprintfhostport # - paralleltest - staticcheck - - tenv - thelper - tparallel - typecheck - unconvert - unused + - usetesting - wastedassign - whitespace run: timeout: 15m - skip-files: + +issues: + exclude-files: - ".+\\.generated.go" output: - format: colored-line-number - sort-results: true \ No newline at end of file + formats: + - format: colored-line-number + sort-results: true diff --git a/charts/reports-server/README.md b/charts/reports-server/README.md index 4e8bc02d..3d12b477 100644 --- a/charts/reports-server/README.md +++ b/charts/reports-server/README.md 
@@ -40,6 +40,7 @@ helm install reports-server --namespace reports-server --create-namespace report | serviceAccount.annotations | object | `{}` | Service account annotations | | serviceAccount.name | string | `""` | Service account name (required if `serviceAccount.create` is `false`) | | podAnnotations | object | `{}` | Pod annotations | +| commonLabels | object | `{}` | Labels to add to resources managed by the chart | | podSecurityContext | object | `{"fsGroup":2000}` | Pod security context | | podEnv | object | `{}` | Provide additional environment variables to the pods. Map with the same format as kubernetes deployment spec's env. | | securityContext | object | See [values.yaml](values.yaml) | Container security context | 
@@ -84,9 +85,9 @@ helm install reports-server --namespace reports-server --create-namespace report | config.db.sslrootcert | string | `""` | Database SSL root cert | | config.db.sslkey | string | `""` | Database SSL key | | config.db.sslcert | string | `""` | Database SSL cert | -| apiServicesManagement.enabled | bool | `true` | Create a helm hooks to install and delete api services | -| apiServicesManagement.installApiServices | object | `{"enabled":false,"installEphemeralReportsService":true}` | Install api services in manifest | -| apiServicesManagement.installApiServices.enabled | bool | `false` | Store reports in reports-server | +| apiServicesManagement.enabled | bool | `true` | Create a helm hooks to delete api services on uninstall | +| apiServicesManagement.installApiServices | object | `{"enabled":true,"installEphemeralReportsService":true}` | Install api services in manifest | +| apiServicesManagement.installApiServices.enabled | bool | `true` | Store reports in reports-server | | apiServicesManagement.installApiServices.installEphemeralReportsService | bool | `true` | Store ephemeral reports in reports-server | | apiServicesManagement.image.registry | string | `"ghcr.io"` | Image registry | | apiServicesManagement.image.repository | string | `"nirmata/kubectl"` | Image repository | diff --git a/charts/reports-server/templates/_helpers.tpl b/charts/reports-server/templates/_helpers.tpl index e2b1af74..94def42e 100644 --- a/charts/reports-server/templates/_helpers.tpl +++ b/charts/reports-server/templates/_helpers.tpl @@ -35,6 +35,9 @@ Common labels */}} {{- define "reports-server.labels" -}} helm.sh/chart: {{ include "reports-server.chart" . }} +{{- if .Values.commonLabels }} +{{ include "reports-server.commonLabels" . }} +{{- end }} {{ include "reports-server.selectorLabels" . }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 
@@ -50,6 +53,15 @@ app.kubernetes.io/name: {{ include "reports-server.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} +{{/* +Common labels +*/}} +{{- define "reports-server.commonLabels" -}} +{{- with .Values.commonLabels }} +{{- toYaml . }} +{{- end }} +{{- end }} + {{/* Create the name of the service account to use */}} diff --git a/charts/reports-server/templates/cluster-roles.yaml b/charts/reports-server/templates/cluster-roles.yaml index e574b52f..7f63f889 100644 --- a/charts/reports-server/templates/cluster-roles.yaml +++ b/charts/reports-server/templates/cluster-roles.yaml @@ -29,7 +29,12 @@ rules: - update - watch - deletecollection -{{- if .Values.apiServicesManagement.enabled }} +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get - apiGroups: - apiregistration.k8s.io resources: @@ -48,7 +53,6 @@ rules: resourceNames: - v1.reports.kyverno.io - v1alpha2.wgpolicyk8s.io -{{- end }} - apiGroups: - wgpolicyk8s.io resources: diff --git a/charts/reports-server/templates/deployment.yaml b/charts/reports-server/templates/deployment.yaml index d3cad1d1..493ce555 100644 --- a/charts/reports-server/templates/deployment.yaml +++ b/charts/reports-server/templates/deployment.yaml @@ -23,7 +23,7 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} labels: - {{- include "reports-server.selectorLabels" . | nindent 8 }} + {{- include "reports-server.labels" . | nindent 8 }} spec: {{- with .Values.priorityClassName }} priorityClassName: {{ . }} @@ -45,11 +45,6 @@ spec: {{- end }} - --etcdEndpoints=https://etcd-0.etcd.{{ $.Release.Namespace }}:2379,https://etcd-1.etcd.{{ $.Release.Namespace }}:2379,https://etcd-2.etcd.{{ $.Release.Namespace }}:2379 {{- else }} - - --dbhost=$(DB_HOST) - - --dbport=$(DB_PORT) - - --dbuser=$(DB_USER) - - --dbpassword=$(DB_PASSWORD) - - --dbname=$(DB_DATABASE) - --dbsslmode={{ .Values.config.db.sslmode }} - --dbsslrootcert={{ .Values.config.db.sslrootcert }} - --dbsslkey={{ .Values.config.db.sslkey }} 
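Review bot: Dropping the `{{- if .Values.apiServicesManagement.enabled }}` guard in cluster-roles.yaml (both hunks of that file) makes the `apiregistration.k8s.io` rules unconditional, and since `create` cannot be narrowed by `resourceNames`, the chart's service account can now always register any APIService cluster-wide, not only the two named ones. The commit message attributes this to the automatic migration code, but nothing in the template says so and the README row for `apiServicesManagement.enabled` still reads as if the flag governed these permissions; a template comment such as `{{/* apiservices permissions are always granted: the server registers and migrates its own APIServices at startup */}}` above the rule, plus a README sentence stating the permission is unconditional, would keep operators from assuming the flag removes it. The added `namespaces` rule grants only `get`, which is appropriately narrow.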
diff --git a/charts/reports-server/templates/hooks/pre-delete-api-service-cleanup.yaml b/charts/reports-server/templates/hooks/pre-delete-api-service-cleanup.yaml index 0f1f9783..fc624f10 100644 --- a/charts/reports-server/templates/hooks/pre-delete-api-service-cleanup.yaml +++ b/charts/reports-server/templates/hooks/pre-delete-api-service-cleanup.yaml @@ -19,10 +19,11 @@ spec: annotations: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.apiServicesManagement.podLabels }} labels: + {{- with .Values.apiServicesManagement.podLabels }} {{- toYaml . | nindent 8 }} {{- end }} + {{- include "reports-server.labels" . | nindent 8 }} spec: serviceAccount: {{ include "reports-server.serviceAccountName" . }} {{- with .Values.apiServicesManagement.podSecurityContext }} diff --git a/charts/reports-server/templates/pod-disruption-budget.yaml b/charts/reports-server/templates/pod-disruption-budget.yaml index df35a9e5..d94cb510 100644 --- a/charts/reports-server/templates/pod-disruption-budget.yaml +++ b/charts/reports-server/templates/pod-disruption-budget.yaml @@ -4,6 +4,8 @@ kind: PodDisruptionBudget metadata: name: {{ include "reports-server.fullname" . }} namespace: {{ $.Release.Namespace }} + labels: + {{- include "reports-server.labels" . | nindent 4 }} spec: selector: matchLabels: diff --git a/charts/reports-server/values.yaml b/charts/reports-server/values.yaml index 03289442..a403207b 100644 --- a/charts/reports-server/values.yaml +++ b/charts/reports-server/values.yaml @@ -56,6 +56,9 @@ serviceAccount: # -- Pod annotations podAnnotations: {} +# -- Labels to add to resources managed by the chart +commonLabels: {} + # -- Pod security context podSecurityContext: fsGroup: 2000 @@ -223,7 +226,7 @@ config: sslcert: "" apiServicesManagement: - # -- Create a helm hooks to install and delete api services + # -- Create a helm hooks to delete api services on uninstall enabled: true # -- Install api services in manifest 
diff --git a/config/install-etcd.yaml b/config/install-etcd.yaml index 6671f960..555270d5 100644 --- a/config/install-etcd.yaml +++ b/config/install-etcd.yaml @@ -9,6 +9,12 @@ kind: PodDisruptionBudget metadata: name: reports-server namespace: reports-server + labels: + helm.sh/chart: reports-server-0.1.3 + app.kubernetes.io/name: reports-server + app.kubernetes.io/instance: reports-server + app.kubernetes.io/version: "v0.1.3" + app.kubernetes.io/managed-by: Helm spec: selector: matchLabels: @@ -261,8 +267,11 @@ spec: template: metadata: labels: + helm.sh/chart: reports-server-0.1.3 app.kubernetes.io/name: reports-server app.kubernetes.io/instance: reports-server + app.kubernetes.io/version: "v0.1.3" + app.kubernetes.io/managed-by: Helm spec: priorityClassName: system-cluster-critical serviceAccountName: reports-server @@ -274,6 +283,10 @@ spec: - --etcd - --etcdSkipTLS - --etcdEndpoints=https://etcd-0.etcd.reports-server:2379,https://etcd-1.etcd.reports-server:2379,https://etcd-2.etcd.reports-server:2379 + - --servicename=reports-server + - --servicens=reports-server + - --storereports=true + - --storeephemeralreports=true - --cert-dir=/tmp - --secure-port=4443 - --authorization-always-allow-paths=/metrics diff --git a/config/install.yaml b/config/install.yaml index c76756df..76325e7a 100644 --- a/config/install.yaml +++ b/config/install.yaml @@ -9,6 +9,12 @@ kind: PodDisruptionBudget metadata: name: reports-server namespace: reports-server + labels: + helm.sh/chart: reports-server-0.1.3 + app.kubernetes.io/name: reports-server + app.kubernetes.io/instance: reports-server + app.kubernetes.io/version: "v0.1.3" + app.kubernetes.io/managed-by: Helm spec: selector: matchLabels: 
@@ -261,8 +267,11 @@ spec: template: metadata: labels: + helm.sh/chart: reports-server-0.1.3 app.kubernetes.io/name: reports-server app.kubernetes.io/instance: reports-server + app.kubernetes.io/version: "v0.1.3" + app.kubernetes.io/managed-by: Helm spec: priorityClassName: system-cluster-critical serviceAccountName: reports-server @@ -271,11 +280,6 @@ spec: containers: - name: reports-server args: - - --dbhost=$(DB_HOST) - - --dbport=$(DB_PORT) - - --dbuser=$(DB_USER) - - --dbpassword=$(DB_PASSWORD) - - --dbname=$(DB_DATABASE) - --dbsslmode=disable - --dbsslrootcert= - --dbsslkey= diff --git a/pkg/app/opts/options.go b/pkg/app/opts/options.go index 62a23b09..31de84d2 100644 --- a/pkg/app/opts/options.go +++ b/pkg/app/opts/options.go @@ -3,6 +3,8 @@ package opts import ( "fmt" "net" + "os" + "strconv" "strings" "github.com/kyverno/reports-server/pkg/api" @@ -75,11 +77,6 @@ func (o *Options) Flags() (fs flag.NamedFlagSets) { msfs.BoolVar(&o.EtcdConfig.Insecure, "etcdSkipTLS", true, "Skip TLS verification when connecting to etcd") msfs.BoolVar(&o.ShowVersion, "version", false, "Show version") msfs.StringVar(&o.Kubeconfig, "kubeconfig", o.Kubeconfig, "The path to the kubeconfig used to connect to the Kubernetes API server and the Kubelets (defaults to in-cluster config)") - msfs.StringVar(&o.DBHost, "dbhost", "reportsdb.kyverno", "Host url of postgres instance") - msfs.IntVar(&o.DBPort, "dbport", 5432, "Port of the postgres instance") - msfs.StringVar(&o.DBUser, "dbuser", "postgres", "Username to login into postgres") - msfs.StringVar(&o.DBPassword, "dbpassword", "password", "Password to login into postgres") - msfs.StringVar(&o.DBName, "dbname", "reportsdb", "Name of the database to store policy reports in") msfs.StringVar(&o.DBSSLMode, "dbsslmode", "disable", "SSL mode of the postgres database.") msfs.StringVar(&o.DBSSLRootCert, "dbsslrootcert", "", "Path to database root cert.") msfs.StringVar(&o.DBSSLKey, "dbsslkey", "", "Path to database ssl key.") 
@@ -116,6 +113,10 @@ func (o Options) ServerConfig() (*server.Config, error) { if err != nil { return nil, err } + err = o.dbConfig() + if err != nil { + return nil, err + } dbconfig := &db.PostgresConfig{ Host: o.DBHost, @@ -199,3 +200,20 @@ func (o Options) restConfig() (*rest.Config, error) { } return config, nil } + +// dbConfig reads the database configuration directly from environment variables +// because these configurations contain sensitive data, this is not read directly from command line input, +// to enable usecases of env variable injection, such as using vault-env +func (o *Options) dbConfig() error { + o.DBHost = os.Getenv("DB_HOST") + o.DBName = os.Getenv("DB_DATABASE") + o.DBUser = os.Getenv("DB_USER") + o.DBPassword = os.Getenv("DB_PASSWORD") + dbPort, err := strconv.Atoi(os.Getenv("DB_PORT")) + if err != nil { + return err + } else { + o.DBPort = dbPort + } + return nil +} From b6c872e4a517c95fbd86e8f3b8f6aff3a76d2bfb Mon Sep 17 00:00:00 2001 From: Amit Tiwari Date: Tue, 18 Feb 2025 15:32:14 +0530 Subject: [PATCH 06/14] remove db migration flags --- config/install-etcd.yaml | 254 +++++++++++++++++++-------------------- 1 file changed, 125 insertions(+), 129 deletions(-) diff --git a/config/install-etcd.yaml b/config/install-etcd.yaml index 555270d5..8e9cdfd8 100644 --- a/config/install-etcd.yaml +++ b/config/install-etcd.yaml 
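Review bot: `dbConfig` returns the raw `strconv.Atoi` error, so an unset `DB_PORT` aborts startup with `strconv.Atoi: parsing "": invalid syntax` and no hint about which variable is missing, and the `ServerConfig` hunk calls it unconditionally — if that path is also taken in etcd mode (the generated install-etcd.yaml keeping `DB_*` env vars suggests it is), etcd users must set a database port they never use; `ServerConfig` begins outside the hunk, so an etcd branch may exist further up. The remaining variables are accepted empty without complaint, and the `else` after `return err` is unnecessary. The rewrite below names the variable in the error, wraps it with `%w`, and parses with `strconv.ParseUint(port, 10, 16)` so negative or out-of-range ports are rejected; whether `DB_HOST` and `DB_USER` should be required as well depends on the etcd question above.
```go
// dbConfig reads the database settings from the DB_* environment variables
// rather than from flags, so secret injection (for example vault-env) can
// supply the credentials without them appearing in the container's args.
func (o *Options) dbConfig() error {
	o.DBHost = os.Getenv("DB_HOST")
	o.DBName = os.Getenv("DB_DATABASE")
	o.DBUser = os.Getenv("DB_USER")
	o.DBPassword = os.Getenv("DB_PASSWORD")
	port := os.Getenv("DB_PORT")
	if port == "" {
		return fmt.Errorf("DB_PORT environment variable is not set")
	}
	// ParseUint with bitSize 16 rejects negative and > 65535 values that Atoi would accept.
	p, err := strconv.ParseUint(port, 10, 16)
	if err != nil {
		return fmt.Errorf("parsing DB_PORT %q: %w", port, err)
	}
	o.DBPort = int(p)
	return nil
}
```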
@@ -48,74 +48,74 @@ metadata: app.kubernetes.io/managed-by: Helm rules: - apiGroups: - - '' + - '' resources: - - namespaces + - namespaces verbs: - - get - - list + - get + - list - apiGroups: - - reports.kyverno.io + - reports.kyverno.io resources: - - ephemeralreports - - clusterephemeralreports + - ephemeralreports + - clusterephemeralreports verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection - apiGroups: - - apiregistration.k8s.io + - apiregistration.k8s.io resources: - - apiservices + - apiservices verbs: - - create + - create - apiGroups: - - apiregistration.k8s.io + - apiregistration.k8s.io resources: - - apiservices + - apiservices verbs: - - get - - delete - - update - - patch + - get + - delete + - update + - patch resourceNames: - - v1.reports.kyverno.io - - v1alpha2.wgpolicyk8s.io + - v1.reports.kyverno.io + - v1alpha2.wgpolicyk8s.io - apiGroups: - - wgpolicyk8s.io + - wgpolicyk8s.io resources: - - policyreports - - policyreports/status - - clusterpolicyreports - - clusterpolicyreports/status + - policyreports + - policyreports/status + - clusterpolicyreports + - clusterpolicyreports/status verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection - apiGroups: - - '' - - events.k8s.io + - '' + - events.k8s.io resources: - - events + - events verbs: - - create - - patch + - create + - patch - apiGroups: - - authorization.k8s.io + - authorization.k8s.io resources: - - subjectaccessreviews + - subjectaccessreviews verbs: - - create + - create --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 
@@ -149,12 +149,12 @@ metadata: app.kubernetes.io/managed-by: Helm rules: - apiGroups: - - '' + - '' resources: - - pods + - pods verbs: - - get - - list + - get + - list --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 
@@ -278,73 +278,69 @@ spec: securityContext: fsGroup: 2000 containers: - - name: reports-server - args: - - --etcd - - --etcdSkipTLS - - --etcdEndpoints=https://etcd-0.etcd.reports-server:2379,https://etcd-1.etcd.reports-server:2379,https://etcd-2.etcd.reports-server:2379 - - --servicename=reports-server - - --servicens=reports-server - - --storereports=true - - --storeephemeralreports=true - - --cert-dir=/tmp - - --secure-port=4443 - - --authorization-always-allow-paths=/metrics - env: - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - divisor: '1' - - name: DB_HOST - value: "reports-server-postgresql.reports-server" - - name: DB_PORT - value: "5432" - - name: DB_DATABASE - value: "reportsdb" - - name: DB_USER - value: "postgres" - - name: DB_PASSWORD - value: "reports" - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /tmp - name: tmp-dir - image: "reg.nirmata.io/nirmata/reports-server:latest" - imagePullPolicy: IfNotPresent - ports: - - name: https - containerPort: 4443 - protocol: TCP - livenessProbe: - failureThreshold: 10 - httpGet: - path: /livez - port: https - scheme: HTTPS - initialDelaySeconds: 20 - periodSeconds: 10 - readinessProbe: - failureThreshold: 10 - httpGet: - path: /readyz - port: https - scheme: HTTPS - initialDelaySeconds: 30 - periodSeconds: 10 - resources: - limits: null - requests: null + - name: reports-server + args: + - --etcd + - --etcdSkipTLS + - --etcdEndpoints=https://etcd-0.etcd.reports-server:2379,https://etcd-1.etcd.reports-server:2379,https://etcd-2.etcd.reports-server:2379 + - --cert-dir=/tmp + - --secure-port=4443 + - --authorization-always-allow-paths=/metrics + env: + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + divisor: '1' + - name: DB_HOST + value: 
"reports-server-postgresql.reports-server" + - name: DB_PORT + value: "5432" + - name: DB_DATABASE + value: "reportsdb" + - name: DB_USER + value: "postgres" + - name: DB_PASSWORD + value: "reports" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /tmp + name: tmp-dir + image: "reg.nirmata.io/nirmata/reports-server:latest" + imagePullPolicy: IfNotPresent + ports: + - name: https + containerPort: 4443 + protocol: TCP + livenessProbe: + failureThreshold: 10 + httpGet: + path: /livez + port: https + scheme: HTTPS + initialDelaySeconds: 20 + periodSeconds: 10 + readinessProbe: + failureThreshold: 10 + httpGet: + path: /readyz + port: https + scheme: HTTPS + initialDelaySeconds: 30 + periodSeconds: 10 + resources: + limits: null + requests: null volumes: - emptyDir: {} name: tmp-dir @@ -421,11 +417,11 @@ spec: - name: K8S_NAMESPACE valueFrom: fieldRef: - fieldPath: metadata.namespace + fieldPath: metadata.namespace - name: HOSTNAME valueFrom: fieldRef: - fieldPath: metadata.name + fieldPath: metadata.name - name: SERVICE_NAME valueFrom: fieldRef: @@ -481,19 +477,19 @@ spec: # mountPath: "/etc/etcd/certs/server" # readOnly: true volumes: - # - name: etcd-client-tls - # secret: - # secretName: etcd-client-tls - # optional: false - # - name: etcd-server-tls - # secret: - # secretName: etcd-server-tls - # optional: false + # - name: etcd-client-tls + # secret: + # secretName: etcd-client-tls + # optional: false + # - name: etcd-server-tls + # secret: + # secretName: etcd-server-tls + # optional: false volumeClaimTemplates: - metadata: name: etcd-data spec: - accessModes: ["ReadWriteOnce"] + accessModes: [ "ReadWriteOnce" ] resources: requests: storage: 1Gi From a2bc5a0e5968bc82f21d5a4d76859068d96391b7 Mon Sep 17 00:00:00 2001 
From: Amit Tiwari Date: Tue, 18 Feb 2025 15:34:58 +0530 Subject: [PATCH 07/14] remove extra spaces --- config/install-etcd.yaml | 250 +++++++++++++++++++-------------------- 1 file changed, 125 insertions(+), 125 deletions(-) diff --git a/config/install-etcd.yaml b/config/install-etcd.yaml index 8e9cdfd8..1bb4ca97 100644 --- a/config/install-etcd.yaml +++ b/config/install-etcd.yaml 
@@ -48,74 +48,74 @@ metadata: app.kubernetes.io/managed-by: Helm rules: - apiGroups: - - '' + - '' resources: - - namespaces + - namespaces verbs: - - get - - list + - get + - list - apiGroups: - - reports.kyverno.io + - reports.kyverno.io resources: - - ephemeralreports - - clusterephemeralreports + - ephemeralreports + - clusterephemeralreports verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection - apiGroups: - - apiregistration.k8s.io + - apiregistration.k8s.io resources: - - apiservices + - apiservices verbs: - - create + - create - apiGroups: - - apiregistration.k8s.io + - apiregistration.k8s.io resources: - - apiservices + - apiservices verbs: - - get - - delete - - update - - patch + - get + - delete + - update + - patch resourceNames: - - v1.reports.kyverno.io - - v1alpha2.wgpolicyk8s.io + - v1.reports.kyverno.io + - v1alpha2.wgpolicyk8s.io - apiGroups: - - wgpolicyk8s.io + - wgpolicyk8s.io resources: - - policyreports - - policyreports/status - - clusterpolicyreports - - clusterpolicyreports/status + - policyreports + - policyreports/status + - clusterpolicyreports + - clusterpolicyreports/status verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection - apiGroups: - - '' - - events.k8s.io + - '' + - events.k8s.io resources: - - events + - events verbs: - - create - - patch + - create + - patch - apiGroups: - - authorization.k8s.io + - authorization.k8s.io resources: - - subjectaccessreviews + - subjectaccessreviews verbs: - - create + - create --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 
@@ -149,12 +149,12 @@ metadata: app.kubernetes.io/managed-by: Helm rules: - apiGroups: - - '' + - '' resources: - - pods + - pods verbs: - - get - - list + - get + - list --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 
@@ -278,69 +278,69 @@ spec: securityContext: fsGroup: 2000 containers: - - name: reports-server - args: - - --etcd - - --etcdSkipTLS - - --etcdEndpoints=https://etcd-0.etcd.reports-server:2379,https://etcd-1.etcd.reports-server:2379,https://etcd-2.etcd.reports-server:2379 - - --cert-dir=/tmp - - --secure-port=4443 - - --authorization-always-allow-paths=/metrics - env: - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - divisor: '1' - - name: DB_HOST - value: "reports-server-postgresql.reports-server" - - name: DB_PORT - value: "5432" - - name: DB_DATABASE - value: "reportsdb" - - name: DB_USER - value: "postgres" - - name: DB_PASSWORD - value: "reports" - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /tmp - name: tmp-dir - image: "reg.nirmata.io/nirmata/reports-server:latest" - imagePullPolicy: IfNotPresent - ports: - - name: https - containerPort: 4443 - protocol: TCP - livenessProbe: - failureThreshold: 10 - httpGet: - path: /livez - port: https - scheme: HTTPS - initialDelaySeconds: 20 - periodSeconds: 10 - readinessProbe: - failureThreshold: 10 - httpGet: - path: /readyz - port: https - scheme: HTTPS - initialDelaySeconds: 30 - periodSeconds: 10 - resources: - limits: null - requests: null + - name: reports-server + args: + - --etcd + - --etcdSkipTLS + - --etcdEndpoints=https://etcd-0.etcd.reports-server:2379,https://etcd-1.etcd.reports-server:2379,https://etcd-2.etcd.reports-server:2379 + - --cert-dir=/tmp + - --secure-port=4443 + - --authorization-always-allow-paths=/metrics + env: + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + divisor: '1' + - name: DB_HOST + value: "reports-server-postgresql.reports-server" + - name: DB_PORT + value: "5432" + - name: DB_DATABASE + value: "reportsdb" + - name: 
DB_USER + value: "postgres" + - name: DB_PASSWORD + value: "reports" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /tmp + name: tmp-dir + image: "reg.nirmata.io/nirmata/reports-server:latest" + imagePullPolicy: IfNotPresent + ports: + - name: https + containerPort: 4443 + protocol: TCP + livenessProbe: + failureThreshold: 10 + httpGet: + path: /livez + port: https + scheme: HTTPS + initialDelaySeconds: 20 + periodSeconds: 10 + readinessProbe: + failureThreshold: 10 + httpGet: + path: /readyz + port: https + scheme: HTTPS + initialDelaySeconds: 30 + periodSeconds: 10 + resources: + limits: null + requests: null volumes: - emptyDir: {} name: tmp-dir @@ -417,11 +417,11 @@ spec: - name: K8S_NAMESPACE valueFrom: fieldRef: - fieldPath: metadata.namespace + fieldPath: metadata.namespace - name: HOSTNAME valueFrom: fieldRef: - fieldPath: metadata.name + fieldPath: metadata.name - name: SERVICE_NAME valueFrom: fieldRef: @@ -477,19 +477,19 @@ spec: # mountPath: "/etc/etcd/certs/server" # readOnly: true volumes: - # - name: etcd-client-tls - # secret: - # secretName: etcd-client-tls - # optional: false - # - name: etcd-server-tls - # secret: - # secretName: etcd-server-tls - # optional: false + # - name: etcd-client-tls + # secret: + # secretName: etcd-client-tls + # optional: false + # - name: etcd-server-tls + # secret: + # secretName: etcd-server-tls + # optional: false volumeClaimTemplates: - metadata: name: etcd-data spec: - accessModes: [ "ReadWriteOnce" ] + accessModes: ["ReadWriteOnce"] resources: requests: storage: 1Gi From 0d2496ed06a2701f7c99a4fbeedc0c171a482b89 Mon Sep 17 00:00:00 2001 
From: Amit Tiwari Date: Tue, 18 Feb 2025 16:05:36 +0530 Subject: [PATCH 08/14] fix for nil DBPORT
---
 pkg/app/opts/options.go | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/pkg/app/opts/options.go b/pkg/app/opts/options.go
index 31de84d2..d534cd66 100644
--- a/pkg/app/opts/options.go
+++ b/pkg/app/opts/options.go
@@ -209,10 +209,15 @@ func (o *Options) dbConfig() error {
 o.DBName = os.Getenv("DB_DATABASE")
 o.DBUser = os.Getenv("DB_USER")
 o.DBPassword = os.Getenv("DB_PASSWORD")
- dbPort, err := strconv.Atoi(os.Getenv("DB_PORT"))
- if err != nil {
- return err
+ // Get DB_PORT and provide a default if it's empty
+ dbPortStr := os.Getenv("DB_PORT")
+ if dbPortStr == "" {
+ o.DBPort = 5432 // Default to PostgreSQL's default port; change as needed
 } else {
+ dbPort, err := strconv.Atoi(dbPortStr)
+ if err != nil {
+ return fmt.Errorf("invalid DB_PORT: %v", err)
+ }
 o.DBPort = dbPort
 }
 return nil
From 705f52afde650c8e07c56faf140471c19986502f Mon Sep 17 00:00:00 2001 From: Amit Tiwari Date: Tue, 18 Feb 2025 16:19:57 +0530 Subject: [PATCH 09/14] make codegen
---
 charts/reports-server/README.md | 4 ++--
 config/install-etcd.yaml | 22 ++++++++++++++--------
 config/install.yaml | 29 +++++++++++++++++------------
 pkg/app/opts/options.go | 4 ++++
 4 files changed, 37 insertions(+), 22 deletions(-)
diff --git a/charts/reports-server/README.md b/charts/reports-server/README.md
index 3d12b477..a70bb7cc 100644
--- a/charts/reports-server/README.md
+++ b/charts/reports-server/README.md
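Review bot: `fmt.Errorf("invalid DB_PORT: %v", err)` flattens the strconv error; `%w` keeps the chain so callers can still `errors.As` into `*strconv.NumError`. The `5432` literal annotated "change as needed" is a magic value that PATCH 10 in this series removes again; if a default is wanted, a named constant such as `defaultDBPort = 5432` declared next to the other DB settings documents the intent better than an inline comment. The empty-string check treats an unset and an empty DB_PORT alike, which is probably intended, but `os.LookupEnv` would make that choice explicit in the code rather than in the comment.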
@@ -86,8 +86,8 @@ helm install reports-server --namespace reports-server --create-namespace report | config.db.sslkey | string | `""` | Database SSL key | | config.db.sslcert | string | `""` | Database SSL cert | | apiServicesManagement.enabled | bool | `true` | Create a helm hooks to delete api services on uninstall | -| apiServicesManagement.installApiServices | object | `{"enabled":true,"installEphemeralReportsService":true}` | Install api services in manifest | -| apiServicesManagement.installApiServices.enabled | bool | `true` | Store reports in reports-server | +| apiServicesManagement.installApiServices | object | `{"enabled":false,"installEphemeralReportsService":true}` | Install api services in manifest | +| apiServicesManagement.installApiServices.enabled | bool | `false` | Store reports in reports-server | | apiServicesManagement.installApiServices.installEphemeralReportsService | bool | `true` | Store ephemeral reports in reports-server | | apiServicesManagement.image.registry | string | `"ghcr.io"` | Image registry | | apiServicesManagement.image.repository | string | `"nirmata/kubectl"` | Image repository | diff --git a/config/install-etcd.yaml b/config/install-etcd.yaml index 1bb4ca97..837dbdf1 100644 --- a/config/install-etcd.yaml +++ b/config/install-etcd.yaml @@ -10,10 +10,10 @@ metadata: name: reports-server namespace: reports-server labels: - helm.sh/chart: reports-server-0.1.3 + helm.sh/chart: reports-server-0.1.7-rc.2 app.kubernetes.io/name: reports-server app.kubernetes.io/instance: reports-server - app.kubernetes.io/version: "v0.1.3" + app.kubernetes.io/version: "v0.1.7-rc.2" app.kubernetes.io/managed-by: Helm spec: selector: @@ -68,6 +68,12 @@ rules: - update - watch - deletecollection +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get - apiGroups: - apiregistration.k8s.io resources: 
@@ -267,10 +273,10 @@ spec: template: metadata: labels: - helm.sh/chart: reports-server-0.1.3 + helm.sh/chart: reports-server-0.1.7-rc.2 app.kubernetes.io/name: reports-server app.kubernetes.io/instance: reports-server - app.kubernetes.io/version: "v0.1.3" + app.kubernetes.io/version: "v0.1.7-rc.2" app.kubernetes.io/managed-by: Helm spec: priorityClassName: system-cluster-critical @@ -293,15 +299,15 @@ spec: resource: limits.memory divisor: '1' - name: DB_HOST - value: "reports-server-postgresql.reports-server" + value: "reports-server-cluster-rw.reports-server" - name: DB_PORT - value: "5432" + value: - name: DB_DATABASE value: "reportsdb" - name: DB_USER - value: "postgres" + value: "app" - name: DB_PASSWORD - value: "reports" + value: "password" securityContext: allowPrivilegeEscalation: false capabilities: diff --git a/config/install.yaml b/config/install.yaml index 76325e7a..837dbdf1 100644 --- a/config/install.yaml +++ b/config/install.yaml @@ -10,10 +10,10 @@ metadata: name: reports-server namespace: reports-server labels: - helm.sh/chart: reports-server-0.1.3 + helm.sh/chart: reports-server-0.1.7-rc.2 app.kubernetes.io/name: reports-server app.kubernetes.io/instance: reports-server - app.kubernetes.io/version: "v0.1.3" + app.kubernetes.io/version: "v0.1.7-rc.2" app.kubernetes.io/managed-by: Helm spec: selector: @@ -68,6 +68,12 @@ rules: - update - watch - deletecollection +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get - apiGroups: - apiregistration.k8s.io resources: @@ -267,10 +273,10 @@ spec: template: metadata: labels: - helm.sh/chart: reports-server-0.1.3 + helm.sh/chart: reports-server-0.1.7-rc.2 app.kubernetes.io/name: reports-server app.kubernetes.io/instance: reports-server - app.kubernetes.io/version: "v0.1.3" + app.kubernetes.io/version: "v0.1.7-rc.2" app.kubernetes.io/managed-by: Helm spec: priorityClassName: system-cluster-critical 
@@ -280,10 +286,9 @@ spec: containers: - name: reports-server args: - - --dbsslmode=disable - - --dbsslrootcert= - - --dbsslkey= - - --dbsslcert= + - --etcd + - --etcdSkipTLS + - --etcdEndpoints=https://etcd-0.etcd.reports-server:2379,https://etcd-1.etcd.reports-server:2379,https://etcd-2.etcd.reports-server:2379 - --cert-dir=/tmp - --secure-port=4443 - --authorization-always-allow-paths=/metrics @@ -294,15 +299,15 @@ spec: resource: limits.memory divisor: '1' - name: DB_HOST - value: "reports-server-postgresql.reports-server" + value: "reports-server-cluster-rw.reports-server" - name: DB_PORT - value: "5432" + value: - name: DB_DATABASE value: "reportsdb" - name: DB_USER - value: "postgres" + value: "app" - name: DB_PASSWORD - value: "reports" + value: "password" securityContext: allowPrivilegeEscalation: false capabilities: diff --git a/pkg/app/opts/options.go b/pkg/app/opts/options.go index d534cd66..47399b01 100644 --- a/pkg/app/opts/options.go +++ b/pkg/app/opts/options.go @@ -205,6 +205,10 @@ func (o Options) restConfig() (*rest.Config, error) { // because these configurations contain sensitive data, this is not read directly from command line input, // to enable usecases of env variable injection, such as using vault-env func (o *Options) dbConfig() error { + + if o.Etcd == true { + return nil + } o.DBHost = os.Getenv("DB_HOST") o.DBName = os.Getenv("DB_DATABASE") o.DBUser = os.Getenv("DB_USER") From 69a2a6239c9d869018fe35f639a45de29833bfb3 Mon Sep 17 00:00:00 2001 From: Amit Tiwari Date: Tue, 18 Feb 2025 16:24:16 +0530 Subject: [PATCH 10/14] remove nil check for dbport --- pkg/app/opts/options.go | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/pkg/app/opts/options.go b/pkg/app/opts/options.go index 47399b01..3ba00577 100644 --- a/pkg/app/opts/options.go +++ b/pkg/app/opts/options.go 
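Review bot: After this hunk config/install.yaml — the Postgres-backed manifest — starts the server with `--etcd --etcdSkipTLS --etcdEndpoints=...` and loses its `--dbssl*` flags; its post-image blob `837dbdf1` is the same one config/install-etcd.yaml gets in this patch (and both move to `45b48279` in PATCH 12), so the two generated manifests are now byte-identical and the non-etcd install no longer carries a Postgres configuration. That looks like the codegen input selecting the etcd values for both outputs rather than an intended change, and is worth confirming before merge. Independently, `--etcdSkipTLS` alongside `https://` endpoints disables certificate verification for the etcd client in a shipped manifest, and `DB_PASSWORD` stays an inline literal rather than a `secretKeyRef`.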
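Review bot: The early return `if o.Etcd == true { return nil }` compares a bool to `true` and is preceded by a stray blank line directly after the signature; `if o.Etcd { return nil }` with no blank line is the gofmt-clean form (PATCH 14 trims the comparison but keeps the blank line). The doc comment above the function should also say that in etcd mode none of the DB_* variables are read, since that is now the first thing the function decides. The remainder of dbConfig continues below the hunk.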
@@ -213,15 +213,10 @@ func (o *Options) dbConfig() error { o.DBName = os.Getenv("DB_DATABASE") o.DBUser = os.Getenv("DB_USER") o.DBPassword = os.Getenv("DB_PASSWORD") - // Get DB_PORT and provide a default if it's empty - dbPortStr := os.Getenv("DB_PORT") - if dbPortStr == "" { - o.DBPort = 5432 // Default to PostgreSQL's default port; change as needed + dbPort, err := strconv.Atoi(os.Getenv("DB_PORT")) + if err != nil { + return err } else { - dbPort, err := strconv.Atoi(dbPortStr) - if err != nil { - return fmt.Errorf("invalid DB_PORT: %v", err) - } o.DBPort = dbPort } return nil From 20432a843690279c05e6facd7d2dad086743d40b Mon Sep 17 00:00:00 2001 From: Amit Tiwari Date: Tue, 18 Feb 2025 17:01:59 +0530 Subject: [PATCH 11/14] add dbport in values.yaml --- charts/reports-server/values.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/charts/reports-server/values.yaml b/charts/reports-server/values.yaml index a403207b..5fcec754 100644 --- a/charts/reports-server/values.yaml +++ b/charts/reports-server/values.yaml @@ -195,6 +195,11 @@ config: host: reports-server-cluster-rw.reports-server # -- The database host will be read from this `key` in the specified Secret, when `db.secretName` is set. hostSecretKeyName: "host" + + # -- Database port + port: 5432 + # -- The database port will be read from this `key` in the specified Secret, when `db.secretName` is set. + portSecretKeyName: "port" # -- Database name name: reportsdb From 39d94af213c011d2ee083d3cd061a949c3ff2e79 Mon Sep 17 00:00:00 2001 From: Amit Tiwari Date: Tue, 18 Feb 2025 17:04:57 +0530 Subject: [PATCH 12/14] make codegen for db port change --- charts/reports-server/README.md | 2 ++ config/install-etcd.yaml | 2 +- config/install.yaml | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/charts/reports-server/README.md b/charts/reports-server/README.md index a70bb7cc..32aee08f 100644 --- a/charts/reports-server/README.md +++ b/charts/reports-server/README.md 
@@ -75,6 +75,8 @@ helm install reports-server --namespace reports-server --create-namespace report | config.db.secretName | string | `""` | If set, database connection information will be read from the Secret with this name. Overrides `db.host`, `db.name`, `db.user`, and `db.password`. | | config.db.host | string | `"reports-server-cluster-rw.reports-server"` | Database host | | config.db.hostSecretKeyName | string | `"host"` | The database host will be read from this `key` in the specified Secret, when `db.secretName` is set. | +| config.db.port | int | `5432` | Database port | +| config.db.portSecretKeyName | string | `"port"` | The database port will be read from this `key` in the specified Secret, when `db.secretName` is set. | | config.db.name | string | `"reportsdb"` | Database name | | config.db.dbNameSecretKeyName | string | `"dbname"` | The database name will be read from this `key` in the specified Secret, when `db.secretName` is set. | | config.db.user | string | `"app"` | Database user | diff --git a/config/install-etcd.yaml b/config/install-etcd.yaml index 837dbdf1..45b48279 100644 --- a/config/install-etcd.yaml +++ b/config/install-etcd.yaml @@ -301,7 +301,7 @@ spec: - name: DB_HOST value: "reports-server-cluster-rw.reports-server" - name: DB_PORT - value: + value: "5432" - name: DB_DATABASE value: "reportsdb" - name: DB_USER diff --git a/config/install.yaml b/config/install.yaml index 837dbdf1..45b48279 100644 --- a/config/install.yaml +++ b/config/install.yaml @@ -301,7 +301,7 @@ spec: - name: DB_HOST value: "reports-server-cluster-rw.reports-server" - name: DB_PORT - value: + value: "5432" - name: DB_DATABASE value: "reportsdb" - name: DB_USER From a65a13a0704528f5d583857db6286ff80259f80f Mon Sep 17 00:00:00 2001 From: Amit Tiwari Date: Tue, 18 Feb 2025 17:11:17 +0530 Subject: [PATCH 13/14] fix lint errro --- charts/reports-server/values.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/charts/reports-server/values.yaml b/charts/reports-server/values.yaml index 5fcec754..54696a1e 100644 --- a/charts/reports-server/values.yaml +++ b/charts/reports-server/values.yaml @@ -195,9 +195,9 @@ config: host: reports-server-cluster-rw.reports-server # -- The database host will be read from this `key` in the specified Secret, when `db.secretName` is set. hostSecretKeyName: "host" - - # -- Database port - port: 5432 + + # -- Database port + port: 5432 # -- The database port will be read from this `key` in the specified Secret, when `db.secretName` is set. portSecretKeyName: "port" From 00f5168a6d2b03c802fc280f89740cab7aa716fa Mon Sep 17 00:00:00 2001 From: Amit Tiwari Date: Tue, 18 Feb 2025 17:40:53 +0530 Subject: [PATCH 14/14] lint fix --- pkg/app/opts/options.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/app/opts/options.go b/pkg/app/opts/options.go index 3ba00577..7cefe556 100644 --- a/pkg/app/opts/options.go +++ b/pkg/app/opts/options.go @@ -206,7 +206,7 @@ func (o Options) restConfig() (*rest.Config, error) { // to enable usecases of env variable injection, such as using vault-env func (o *Options) dbConfig() error { - if o.Etcd == true { + if o.Etcd { return nil } o.DBHost = os.Getenv("DB_HOST")