Test/test argo (#8)

* test: Test Argo

* test: Test Argo

.github/workflows/helm-lint-test.yaml

@@ -34,7 +34,7 @@ jobs:
 
       - name: Run chart-testing (lint)
         if: steps.list-changed.outputs.changed == 'true'
-        run: ct lint --target-branch ${{ github.event.repository.default_branch }}
+        run: ct lint --target-branch ${{ github.event.repository.default_branch }} --validate-maintainers=false
 
       - name: Create kind cluster
         if: steps.list-changed.outputs.changed == 'true'

charts/test-chart/Chart.yaml

@@ -15,13 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.1
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "1.16.0"
+version: 0.5.0
 
+# Maintainers
 maintainers:
   - name: Balsir
+    email: [email protected]
+    url: https://somesite.com

charts/test-chart/README.md

@@ -2,11 +2,167 @@
 
 A Helm chart for Kubernetes
 
-![Version: 0.2.1](https://img.shields.io/badge/Version-0.2.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square)
+![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
-## About
-<$chart-name> Helm chart
-Testiiing
+## Description
+Helm chart to deploy Kyverno policies.
+Policy categories:
+- **podSecurityBaseline** - https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
+- **podSecurityRestricted** - https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
+- **other**
+
+## Installation
+````shell
+helm repo add kyverno-policies https://lablabs.github.io/kyverno-policies/
+helm install kyverno-policies kyverno-policies/kyverno-policies
+````
+
+## How-to
+### Enable or disable policies
+#### Enable a policy
+````yaml
+policies:
+  myPolicy:
+    enabled: true
+````
+#### Enable a category
+````yaml
+# All policies within the category will be deployed
+policyCategories:
+  myCategory:
+    enabled: true
+````
+
+#### Disable a policy or category
+In case you want to deploy an entire category except for just a few policies, you can explicitly disable the unwanted
+policies by setting their `enabled` value to `false`
+````yaml
+# Category myCategory is enabled
+policyCategories:
+  myCategory:
+    enabled: true
+
+# The policy myPolicy is part of myCategory. By setting enabled: false, it will not be deployed even if the category is enabled.
+policies:
+  myPolicy:
+    enabled: false
+````
+The following table shows the results of possible combinations for the `enabled` values on the policy(p) and category(c) level.
+`true` means policy will be deployed, `false` means policy will not be deployed. Policy value has precedence over category value.
+
+| enabled     | true(c) | false(c) | no value(c) |
+|-------------|---------|----------|-------------|
+| true(p)     | true    | true     | true        |
+| false(p)    | false   | false    | false       |
+| no value(p) | true    | false    | false       |
+
+### Set attributes
+#### Set `validationFailureAction for a policy
+````yaml
+policies:
+  myPolicy:
+    validationFailureAction: Enforce
+````
+#### Set validationFailureAction for a category
+````yaml
+policyCategories:
+  myCategory:
+    validationFailureAction: Enforce
+````
+#### Set exclude block for a policy
+````yaml
+# Excludes namespace kube-system from rule validation
+policies:
+  myPolicy:
+    exclude:
+      any:
+        - resources:
+            namespaces:
+              - kube-system
+````
+#### Override policy rules
+In case you want to override the entire `rules` block of a particular policy, set `.Values.policies.myPolicy.rulesOverride`.
+````yaml
+# Excludes namespace kube-system from rule validation
+policies:
+  myPolicy:
+    rulesOverride:
+      - name: my-rule
+        match: ...
+````
+
+### Value priority
+Most values are overridden in the following order of priority, from highest to lowest:
+1. Policy
+2. Category
+3. Chart
+#### Example
+````yaml
+# Chart setting
+validationFailureAction: Audit
+
+# Category setting
+# All policies within myCategory will have validationFailureAction set to Enforce
+policyCategories:
+  myCategory:
+    validationFailureAction: Enforce
+
+# Even if myPolicy is part of myCategory, validationFailureAction will be Audit
+policies:
+  myPolicy:
+    validationFailureAction: Audit
+````
+
+### Deploy custom policie
+If you have custom policie you would like to deploy as part of the Helm release, provide their manifests in `.Values.extraManifests`:
+````yaml
+extraManifests:
+  - apiVersion: kyverno.io/v1
+    kind: ClusterPolicy
+    metadata: # metadata
+    spec: # spec
+````
+
+## Adding a new policy
+1. Create your policy manifest. The policy should ideally be a ClusterPolicy
+2. Place the policy template in its appropriate category directory
+3. Override `$name` and `$category` variables. `$name` should match the file name, `category` should match the directory.
+````yaml
+{{- $name := "myPolicy" }}
+{{- $category := "myCategory" }}
+{{- $policyValues := get .Values.policies $name }}
+{{- $categoryValues := get .Values.policyCategories $category }}
+
+{{- if include "kyverno-policies.enabled" (list $name $category $) }}
+# The policy goes here
+{{- end }}
+````
+4. Provide useful [Kyverno annotations](https://github.com/kyverno/policies/wiki/Kyverno-annotations)
+5. [Policy settings](https://kyverno.io/docs/writing-policies/policy-settings/) are rendered via the kyverno-policies.policySettings template within _helpers.tpl. If your policy setting is not listed yet, add it there with appropriate overrides.
+6. Add the `rules` block
+````yaml
+  rules:
+{{- if $policyValues.rulesOverride }}
+{{ toYaml $policyValues.rulesOverride | indent 4 }}
+{{- else }}
+# Your rules go here
+{{- end }}
+````
+7. Allow override of the `exclude` block within your rules (if appropriate)
+````yaml
+{{- if $policyValues.exclude }}
+      exclude: {{ toYaml $policyValues.exclude | nindent 8 }}
+{{- end }}
+````
+8. Add your policy and/or category to values.yaml
+````yaml
+policyCategories:
+  myCategory: {}
+
+policies:
+  myPolicy: {}
+````
+9. Document your changes
 
 ## Values
 
@@ -27,7 +183,7 @@ Testiiing
 
 | Name | Email | Url |
 | ---- | ------ | --- |
-| Balsir |  |  |
+| Balsir | <[email protected]> | <https://somesite.com> |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)

charts/test-chart/README.md.gotmpl

@@ -4,9 +4,165 @@
 
 {{ template "chart.badgesSection" . }}
 
-## About
-<$chart-name> Helm chart
-Testiiing
+## Description
+Helm chart to deploy Kyverno policies.
+Policy categories:
+- **podSecurityBaseline** - https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
+- **podSecurityRestricted** - https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
+- **other**
+
+## Installation
+````shell
+helm repo add kyverno-policies https://lablabs.github.io/kyverno-policies/
+helm install kyverno-policies kyverno-policies/kyverno-policies
+````
+
+## How-to
+### Enable or disable policies
+#### Enable a policy
+````yaml
+policies:
+  myPolicy:
+    enabled: true
+````
+#### Enable a category
+````yaml
+# All policies within the category will be deployed
+policyCategories:
+  myCategory:
+    enabled: true
+````
+
+#### Disable a policy or category
+In case you want to deploy an entire category except for just a few policies, you can explicitly disable the unwanted
+policies by setting their `enabled` value to `false`
+````yaml
+# Category myCategory is enabled
+policyCategories:
+  myCategory:
+    enabled: true
+
+# The policy myPolicy is part of myCategory. By setting enabled: false, it will not be deployed even if the category is enabled.
+policies:
+  myPolicy:
+    enabled: false
+````
+The following table shows the results of possible combinations for the `enabled` values on the policy(p) and category(c) level.
+`true` means policy will be deployed, `false` means policy will not be deployed. Policy value has precedence over category value.
+
+| enabled     | true(c) | false(c) | no value(c) |
+|-------------|---------|----------|-------------|
+| true(p)     | true    | true     | true        |
+| false(p)    | false   | false    | false       |
+| no value(p) | true    | false    | false       |
+
+### Set attributes
+#### Set `validationFailureAction for a policy
+````yaml
+policies:
+  myPolicy:
+    validationFailureAction: Enforce
+````
+#### Set validationFailureAction for a category
+````yaml
+policyCategories:
+  myCategory:
+    validationFailureAction: Enforce
+````
+#### Set exclude block for a policy
+````yaml
+# Excludes namespace kube-system from rule validation
+policies:
+  myPolicy:
+    exclude:
+      any:
+        - resources:
+            namespaces:
+              - kube-system
+````
+#### Override policy rules
+In case you want to override the entire `rules` block of a particular policy, set `.Values.policies.myPolicy.rulesOverride`.
+````yaml
+# Excludes namespace kube-system from rule validation
+policies:
+  myPolicy:
+    rulesOverride:
+      - name: my-rule
+        match: ...
+````
+
+### Value priority
+Most values are overridden in the following order of priority, from highest to lowest:
+1. Policy
+2. Category
+3. Chart
+#### Example
+````yaml
+# Chart setting
+validationFailureAction: Audit
+
+# Category setting
+# All policies within myCategory will have validationFailureAction set to Enforce
+policyCategories:
+  myCategory:
+    validationFailureAction: Enforce
+
+# Even if myPolicy is part of myCategory, validationFailureAction will be Audit
+policies:
+  myPolicy:
+    validationFailureAction: Audit
+````
+
+### Deploy custom policie
+If you have custom policie you would like to deploy as part of the Helm release, provide their manifests in `.Values.extraManifests`:
+````yaml
+extraManifests:
+  - apiVersion: kyverno.io/v1
+    kind: ClusterPolicy
+    metadata: # metadata
+    spec: # spec
+````
+
+## Adding a new policy
+1. Create your policy manifest. The policy should ideally be a ClusterPolicy
+2. Place the policy template in its appropriate category directory
+3. Override `$name` and `$category` variables. `$name` should match the file name, `category` should match the directory.
+````yaml
+{{`{{- $name := "myPolicy" }}`}}
+{{`{{- $category := "myCategory" }}`}}
+{{`{{- $policyValues := get .Values.policies $name }}`}}
+{{`{{- $categoryValues := get .Values.policyCategories $category }}`}}
+
+{{`{{- if include "kyverno-policies.enabled" (list $name $category $) }}`}}
+# The policy goes here
+{{`{{- end }}`}}
+````
+4. Provide useful [Kyverno annotations](https://github.com/kyverno/policies/wiki/Kyverno-annotations)
+5. [Policy settings](https://kyverno.io/docs/writing-policies/policy-settings/) are rendered via the kyverno-policies.policySettings template within _helpers.tpl. If your policy setting is not listed yet, add it there with appropriate overrides.
+6. Add the `rules` block
+````yaml
+  rules:
+{{`{{- if $policyValues.rulesOverride }}`}}
+{{`{{ toYaml $policyValues.rulesOverride | indent 4 }}`}}
+{{`{{- else }}`}}
+# Your rules go here
+{{`{{- end }}`}}
+````
+7. Allow override of the `exclude` block within your rules (if appropriate)
+````yaml
+{{`{{- if $policyValues.exclude }}`}}
+      exclude: {{`{{ toYaml $policyValues.exclude | nindent 8 }}`}}
+{{`{{- end }}`}}
+````
+8. Add your policy and/or category to values.yaml
+````yaml
+policyCategories:
+  myCategory: {}
+
+policies:
+  myPolicy: {}
+````
+9. Document your changes
 
 {{ template "chart.valuesSection" . }}
 

charts/test-chart/ci/enable-categories-values.yaml

@@ -0,0 +1,7 @@
+policyCategories:
+  podSecurityBaseline:
+    enabled: true
+  podSecurityRestricted:
+    enabled: true
+  other:
+    enabled: true