nirmata · vishal-chdhry · Nov 4, 2024 · Nov 4, 2024 · Nov 4, 2024
diff --git a/.github/kind.yml b/.github/kind.yml
@@ -31,6 +31,9 @@ nodes:
       - containerPort: 443
         hostPort: 443
         protocol: TCP
+    extraMounts:
+      - hostPath: /home/tmp
+        containerPath: /data
   - role: worker
   - role: worker
   - role: worker
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
@@ -27,7 +27,7 @@ jobs:
         with:
           fetch-depth: 0
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef # v0.17.0
+        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
         with:
           scan-type: fs
           ignore-unfixed: false
@@ -37,8 +37,12 @@ jobs:
           scanners: vuln,secret
           exit-code: '0'
           vuln-type: os,library
+        env:
+          # Trivy is returning TOOMANYREQUESTS
+          # See: https://github.com/aquasecurity/trivy-action/issues/389#issuecomment-2385416577
+          TRIVY_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2'
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
         with:
           sarif_file: trivy-results.sarif
-          category: code
+          category: code
diff --git a/.github/workflows/conformance-tests.yaml b/.github/workflows/conformance-tests.yaml
@@ -86,7 +86,11 @@ jobs:
       - name: Install latest kyverno
         run: |
           set -e
-          kubectl create -f https://github.com/kyverno/kyverno/raw/main/config/install-latest-testing.yaml
+          set -e
+          export HELM=${{ steps.helm.outputs.helm-path }}
+          helm repo add kyverno https://kyverno.github.io/kyverno/
+          kubectl create namespace kyverno
+          helm install kyverno --namespace kyverno kyverno/kyverno --set features.policyExceptions.enabled=true --set features.policyExceptions.namespace='*'
       - name: Wait for kyverno ready
         run: |
           set -e
@@ -96,7 +100,7 @@ jobs:
           set -e
           kubectl get apiservices v1alpha2.wgpolicyk8s.io v1.reports.kyverno.io
       - name: Install Chainsaw
-        uses: kyverno/action-install-chainsaw@d1a61148c0437a66760d11d8575332305c2234cb # v0.2.10
+        uses: kyverno/action-install-chainsaw@d311eacde764f806c9658574ff64c9c3b21f8397 # v0.2.11
       - name: Test with Chainsaw
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

diff --git a/.github/workflows/migration-tests.yaml b/.github/workflows/migration-tests.yaml
@@ -74,10 +74,13 @@ jobs:
         run: |
           set -e
           kind create cluster --image kindest/node:${{ matrix.k8s-version.version }} --config ./.github/kind.yml
-      - name: Install kyverno v1.12.4
+      - name: Install kyverno
         run: |
           set -e
-          kubectl create -f https://github.com/kyverno/kyverno/raw/main/config/install-latest-testing.yaml
+          export HELM=${{ steps.helm.outputs.helm-path }}
+          helm repo add kyverno https://kyverno.github.io/kyverno/
+          kubectl create namespace kyverno
+          helm install kyverno --namespace kyverno kyverno/kyverno --set features.policyExceptions.enabled=true --set features.policyExceptions.namespace='*'
       - name: Wait for kyverno ready
         run: |
           set -e
@@ -111,7 +114,7 @@ jobs:
           set -e
           kubectl get apiservices v1alpha2.wgpolicyk8s.io v1.reports.kyverno.io
       - name: Install Chainsaw
-        uses: kyverno/action-install-chainsaw@d1a61148c0437a66760d11d8575332305c2234cb # v0.2.10
+        uses: kyverno/action-install-chainsaw@d311eacde764f806c9658574ff64c9c3b21f8397 # v0.2.11
       - name: Test with Chainsaw
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

diff --git a/Makefile b/Makefile
@@ -164,23 +164,23 @@ codegen-install-manifest: $(HELM) ## Create install manifest
  		| $(SED) -e '/^#.*/d' \
 		> ./config/install.yaml
 
-codegen-install-manifest-inmemory: $(HELM) ## Create install manifest without postgres
+codegen-install-manifest-etcd: $(HELM) ## Create install manifest without postgres
 	@echo Generate latest install manifest... >&2
 	@$(HELM) template reports-server --namespace reports-server ./charts/reports-server/ \
 		--set apiServicesManagement.installApiServices.enabled=true \
 		--set image.tag=latest \
-		--set config.debug=true \
+		--set config.etcd.enabled=true \
 		--set postgresql.enabled=false \
 		--set templating.enabled=true \
  		| $(SED) -e '/^#.*/d' \
-		> ./config/install-inmemory.yaml
+		> ./config/install-etcd.yaml
 
 .PHONY: codegen
 codegen: ## Rebuild all generated code and docs
 codegen: codegen-helm-docs
 codegen: codegen-openapi
 codegen: codegen-install-manifest
-codegen: codegen-install-manifest-inmemory
+codegen: codegen-install-manifest-etcd
 
 .PHONY: verify-codegen
 verify-codegen: codegen ## Verify all generated code and docs are up to date
@@ -220,12 +220,12 @@ kind-install: $(HELM) kind-load ## Build image, load it in kind cluster and depl
 		--set image.repository=$(PACKAGE) \
 		--set image.tag=$(GIT_SHA)
 
-.PHONY: kind-install-inmemory
-kind-install-inmemory: $(HELM) kind-load ## Build image, load it in kind cluster and deploy helm chart
+.PHONY: kind-install-etcd
+kind-install-etcd: $(HELM) kind-load ## Build image, load it in kind cluster and deploy helm chart
 	@echo Install chart... >&2
 	@$(HELM) upgrade --install reports-server --namespace reports-server --create-namespace --wait ./charts/reports-server \
 		--set image.registry=$(KO_REGISTRY) \
-		--set config.debug=true \
+		--set config.etcd.enabled=true \
 		--set postgresql.enabled=false \
 		--set image.repository=$(PACKAGE) \
 		--set image.tag=$(GIT_SHA)

diff --git a/charts/reports-server/Chart.yaml b/charts/reports-server/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
 name: reports-server
 type: application
-version: 0.1.3
-appVersion: v0.1.3
+version: 0.1.4-alpha.0
+appVersion: v0.1.4-alpha.0
 keywords:
   - kubernetes
   - policy reports storage

diff --git a/charts/reports-server/README.md b/charts/reports-server/README.md
@@ -1,6 +1,6 @@
 # reports-server
 
-![Version: 0.1.3](https://img.shields.io/badge/Version-0.1.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.1.3](https://img.shields.io/badge/AppVersion-v0.1.3-informational?style=flat-square)
+![Version: 0.1.4-alpha.0](https://img.shields.io/badge/Version-0.1.4--alpha.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.1.4-alpha.0](https://img.shields.io/badge/AppVersion-v0.1.4--alpha.0-informational?style=flat-square)
 
 TODO
 
@@ -23,7 +23,7 @@ helm install reports-server --namespace reports-server --create-namespace report
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | cloudnative-pg.crds.create | bool | `false` |  |
-| postgresql.enabled | bool | `true` | Deploy postgresql dependency chart |
+| postgresql.enabled | bool | `false` | Deploy postgresql dependency chart |
 | postgresql.auth.postgresPassword | string | `"reports"` |  |
 | postgresql.auth.database | string | `"reportsdb"` |  |
 | nameOverride | string | `""` | Name override |
@@ -62,7 +62,9 @@ helm install reports-server --namespace reports-server --create-namespace report
 | affinity | object | `{}` | Affinity |
 | service.type | string | `"ClusterIP"` | Service type |
 | service.port | int | `443` | Service port |
-| config.debug | bool | `false` | Enable debug (to use inmemorydatabase) |
+| config.etcd.enabled | bool | `true` |  |
+| config.etcd.endpoints | string | `nil` |  |
+| config.etcd.insecure | bool | `true` |  |
 | config.db.secretName | string | `""` | If set, database connection information will be read from the Secret with this name. Overrides `db.host`, `db.name`, `db.user`, and `db.password`. |
 | config.db.host | string | `"reports-server-cluster-rw.reports-server"` | Database host |
 | config.db.hostSecretKeyName | string | `"host"` | The database host will be read from this `key` in the specified Secret, when `db.secretName` is set. |

diff --git a/charts/reports-server/templates/deployment.yaml b/charts/reports-server/templates/deployment.yaml
@@ -37,8 +37,12 @@ spec:
       containers:
         - name: reports-server
           args:
-            {{- if .Values.config.debug }}
-            - --debug
+            {{- if .Values.config.etcd.enabled }}
+            - --etcd
+            {{- if .Values.config.etcd.insecure }}
+            - --etcdSkipTLS
+            {{- end }}
+            - --etcdEndpoints=https://etcd-0.etcd.{{ $.Release.Namespace }}:2379,https://etcd-1.etcd.{{ $.Release.Namespace }}:2379,https://etcd-2.etcd.{{ $.Release.Namespace }}:2379
             {{- else }}
             - --dbhost={{ include "reports-server.dbHost" . }}
             - --dbname={{ include "reports-server.dbName" . }}
@@ -79,15 +83,15 @@ spec:
           {{- end}}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
+          volumeMounts:
+            - mountPath: /tmp
+              name: tmp-dir
           image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
             - name: https
               containerPort: 4443
               protocol: TCP
-          volumeMounts:
-            - mountPath: /tmp
-              name: tmp-dir
           {{- with .Values.livenessProbe }}
           livenessProbe:
             {{- toYaml . | nindent 12 }}

diff --git a/charts/reports-server/templates/etcd.yaml b/charts/reports-server/templates/etcd.yaml
@@ -0,0 +1,170 @@
+{{- if .Values.config.etcd.enabled }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: etcd
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    app: etcd-reports-server
+    {{- include "reports-server.labels" . | nindent 4 }}
+spec:
+  type: ClusterIP
+  clusterIP: None
+  selector:
+    app: etcd-reports-server
+  publishNotReadyAddresses: true
+  ports:
+  - name: etcd-client
+    port: 2379
+  - name: etcd-server
+    port: 2380
+  - name: etcd-metrics
+    port: 8080
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  namespace: {{ include "reports-server.fullname" . }}
+  name: etcd
+  labels:
+    app: etcd-reports-server
+    {{- include "reports-server.labels" . | nindent 4 }}
+spec:
+  serviceName: etcd
+  replicas: 3
+  podManagementPolicy: Parallel
+  updateStrategy:
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app: etcd-reports-server
+  template:
+    metadata:
+      labels:
+        app: etcd-reports-server
+      annotations:
+        serviceName: etcd
+    spec:
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 1
+            podAffinityTerm:
+              labelSelector:
+                matchExpressions:
+                - key: app
+                  operator: In
+                  values:
+                  - etcd-reports-server
+              topologyKey: "kubernetes.io/hostname"
+      containers:
+      - name: etcd
+        image: quay.io/coreos/etcd:v3.5.15
+        imagePullPolicy: IfNotPresent
+        ports:
+        - name: etcd-client
+          containerPort: 2379
+        - name: etcd-server
+          containerPort: 2380
+        - name: etcd-metrics
+          containerPort: 8080
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 8080
+          initialDelaySeconds: 10
+          periodSeconds: 5
+          timeoutSeconds: 5
+          successThreshold: 1
+          failureThreshold: 30
+        livenessProbe:
+          httpGet:
+            path: /livez
+            port: 8080
+          initialDelaySeconds: 15
+          periodSeconds: 10
+          timeoutSeconds: 5
+          failureThreshold: 3
+        env:
+        - name: K8S_NAMESPACE
+          valueFrom:
+            fieldRef:
+             fieldPath: metadata.namespace
+        - name: HOSTNAME
+          valueFrom:
+            fieldRef:
+             fieldPath: metadata.name
+        - name: SERVICE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.annotations['serviceName']
+        - name: ETCDCTL_ENDPOINTS
+          value: $(HOSTNAME).$(SERVICE_NAME):2379
+        ## TLS client configuration for etcdctl in the container.
+        ## These files paths are part of the "etcd-client-certs" volume mount.
+        # - name: ETCDCTL_KEY
+        #   value: /etc/etcd/certs/client/tls.key
+        # - name: ETCDCTL_CERT
+        #   value: /etc/etcd/certs/client/tls.crt
+        # - name: ETCDCTL_CACERT
+        #   value: /etc/etcd/certs/client/ca.crt
+        ##
+        ## Use this URI_SCHEME value for non-TLS clusters.
+        - name: URI_SCHEME
+          value: "http"
+        ## TLS: Use this URI_SCHEME for TLS clusters.
+        # - name: URI_SCHEME
+        # value: "https"
+        command:
+        - /usr/local/bin/etcd
+        args:
+        - --name=$(HOSTNAME)
+        - --data-dir=/data
+        - --wal-dir=/data/wal
+        - --listen-peer-urls=$(URI_SCHEME)://0.0.0.0:2380
+        - --listen-client-urls=$(URI_SCHEME)://0.0.0.0:2379
+        - --advertise-client-urls=$(URI_SCHEME)://$(HOSTNAME).$(SERVICE_NAME):2379
+        - --initial-cluster-state=new
+        - --initial-cluster-token=etcd-$(K8S_NAMESPACE)
+        - --initial-cluster=etcd-0=$(URI_SCHEME)://etcd-0.$(SERVICE_NAME):2380,etcd-1=$(URI_SCHEME)://etcd-1.$(SERVICE_NAME):2380,etcd-2=$(URI_SCHEME)://etcd-2.$(SERVICE_NAME):2380
+        - --initial-advertise-peer-urls=$(URI_SCHEME)://$(HOSTNAME).$(SERVICE_NAME):2380
+        - --listen-metrics-urls=http://0.0.0.0:8080
+        # - --auto-compaction-mode=periodic
+        # - --auto-compaction-retention=10m
+        # - --client-cert-auth
+        # - --trusted-ca-file=$(ETCDCTL_CACERT)
+        # - --cert-file=$(ETCDCTL_CERT)
+        # - --key-file=$(ETCDCTL_KEY)
+        # - --peer-client-cert-auth
+        # - --peer-trusted-ca-file=/etc/etcd/certs/server/ca.crt
+        # - --peer-cert-file=/etc/etcd/certs/server/tls.crt
+        # - --peer-key-file=/etc/etcd/certs/server/tls.key
+        volumeMounts:
+        - name: etcd-data
+          mountPath: /data
+        # - name: etcd-client-tls
+        #   mountPath: "/etc/etcd/certs/client"
+        #   readOnly: true
+        # - name: etcd-server-tls
+        #   mountPath: "/etc/etcd/certs/server"
+        #   readOnly: true
+      volumes:
+      # - name: etcd-client-tls
+      #   secret:
+      #     secretName: etcd-client-tls
+      #     optional: false
+      # - name: etcd-server-tls
+      #   secret:
+      #     secretName: etcd-server-tls
+      #     optional: false
+  volumeClaimTemplates:
+  - metadata:
+      name: etcd-data
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: 1Gi
+{{- end }}
+
diff --git a/charts/reports-server/values.yaml b/charts/reports-server/values.yaml
@@ -10,7 +10,7 @@ cloudnative-pg:
 postgresql:
 
   # -- Deploy postgresql dependency chart
-  enabled: true
+  enabled: false
 
   auth:
 
@@ -166,8 +166,10 @@ service:
 
 config:
 
-  # -- Enable debug (to use inmemorydatabase)
-  debug: false
+  etcd:
+    enabled: true
+    endpoints: ~
+    insecure: true
 
   db:
     # -- If set, database connection information will be read from the Secret with this name. Overrides `db.host`, `db.name`, `db.user`, and `db.password`.