feat: Test custom resources (#3)

* feat: Test custom resources * chore: Install Kyverno before testing * chore: Install Kyverno before testing
Balsir · May 5, 2023 · cb6d972 · cb6d972
1 parent db7e85f
commit cb6d972
Show file tree

Hide file tree

Showing 14 changed files with 234 additions and 336 deletions.
diff --git a/.github/workflows/helm-lint-test.yaml b/.github/workflows/helm-lint-test.yaml
@@ -40,6 +40,13 @@ jobs:
         if: steps.list-changed.outputs.changed == 'true'
         uses: helm/[email protected]
 
+      - name: Install Kyverno
+        id: install-kyverno
+        if: steps.list-changed.outputs.changed == 'true'
+        run: |
+          helm repo add kyverno https://kyverno.github.io/kyverno/
+          helm install kyverno kyverno/kyverno --namespace kyverno --create-namespace --version 2.7.2
+
       - name: Run chart-testing (install)
         if: steps.list-changed.outputs.changed == 'true'
         run: ct install --target-branch ${{ github.event.repository.default_branch }}
@@ -55,4 +62,3 @@ jobs:
       - name: Run ah lint
         working-directory: ./charts/
         run: ah lint
-
diff --git a/charts/test-chart/Chart.yaml b/charts/test-chart/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/charts/test-chart/README.md b/charts/test-chart/README.md
@@ -1,6 +1,6 @@
 # test-chart
 
-![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square)
+![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square)
 
 A Helm chart for Kubernetes
 
@@ -14,36 +14,48 @@ A Helm chart for Kubernetes
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| affinity | object | `{}` |  |
-| autoscaling.enabled | bool | `false` |  |
-| autoscaling.maxReplicas | int | `100` |  |
-| autoscaling.minReplicas | int | `1` |  |
-| autoscaling.targetCPUUtilizationPercentage | int | `80` |  |
+| background | bool | `true` |  |
+| enableAll | bool | `false` |  |
+| extraManifests | list | `[]` |  |
+| failurePolicy | string | `"Fail"` |  |
 | fullnameOverride | string | `""` |  |
-| image.pullPolicy | string | `"IfNotPresent"` |  |
-| image.repository | string | `"nginx"` |  |
-| image.tag | string | `""` |  |
-| imagePullSecrets | list | `[]` |  |
-| ingress.annotations | object | `{}` |  |
-| ingress.className | string | `""` |  |
-| ingress.enabled | bool | `false` |  |
-| ingress.hosts[0].host | string | `"chart-example.local"` |  |
-| ingress.hosts[0].paths[0].path | string | `"/"` |  |
-| ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` |  |
-| ingress.tls | list | `[]` |  |
 | nameOverride | string | `""` |  |
-| nodeSelector | object | `{}` |  |
-| podAnnotations | object | `{}` |  |
-| podSecurityContext | object | `{}` |  |
-| replicaCount | int | `1` |  |
-| resources | object | `{}` |  |
-| securityContext | object | `{}` |  |
-| service.port | int | `80` |  |
-| service.type | string | `"ClusterIP"` |  |
-| serviceAccount.annotations | object | `{}` |  |
-| serviceAccount.create | bool | `true` |  |
-| serviceAccount.name | string | `""` |  |
-| tolerations | list | `[]` |  |
+| policies.blockStaleImages.enabled | bool | `false` |  |
+| policies.checkServiceAccount.enabled | bool | `false` |  |
+| policies.disableAutomountServiceAccountToken.enabled | bool | `false` |  |
+| policies.disablePodAutomountServiceAccountToken.enabled | bool | `false` |  |
+| policies.disableServiceDiscovery.enabled | bool | `false` |  |
+| policies.disallowAllSecrets.enabled | bool | `false` |  |
+| policies.disallowCapabilitiesStrict.enabled | bool | `false` |  |
+| policies.disallowDefaultNamespace.enabled | bool | `false` |  |
+| policies.disallowEmptyIngressHost.enabled | bool | `false` |  |
+| policies.disallowHostNamespaces.enabled | bool | `false` |  |
+| policies.disallowHostPath.enabled | bool | `false` |  |
+| policies.disallowHostPorts.enabled | bool | `false` |  |
+| policies.disallowPrivilegeEscalation.enabled | bool | `false` |  |
+| policies.disallowPrivilegedContainers.enabled | bool | `false` |  |
+| policies.disallowProcMount.enabled | bool | `false` |  |
+| policies.disallowSELinux.enabled | bool | `false` |  |
+| policies.preventNakedPods.enabled | bool | `false` |  |
+| policies.protectNodeTaints.enabled | bool | `false` |  |
+| policies.requireEncryptionAwsLoadBalancers.enabled | bool | `false` |  |
+| policies.requireLabels.enabled | bool | `false` |  |
+| policies.requireRoRootFs.enabled | bool | `false` |  |
+| policies.requireRunAsNonRoot.enabled | bool | `false` |  |
+| policies.requireRunAsNonRootUser.enabled | bool | `false` |  |
+| policies.restrictAppArmor.enabled | bool | `false` |  |
+| policies.restrictImageRegistries.enabled | bool | `false` |  |
+| policies.restrictIngressWildcard.enabled | bool | `false` |  |
+| policies.restrictNodePort.enabled | bool | `false` |  |
+| policies.restrictSeccompStrict.enabled | bool | `false` |  |
+| policies.restrictServiceExternalIps.enabled | bool | `false` |  |
+| policies.restrictSysctls.enabled | bool | `false` |  |
+| policies.restrictVolumeTypes.enabled | bool | `false` |  |
+| policyCategories.other.enabled | bool | `false` |  |
+| policyCategories.podSecurityBaseline.enabled | bool | `false` |  |
+| policyCategories.podSecurityRestricted.enabled | bool | `false` |  |
+| validationFailureAction | string | `"Audit"` |  |
+| validationFailureActionOverrides | list | `[]` |  |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
diff --git a/charts/test-chart/ci/test-values.yaml b/charts/test-chart/ci/test-values.yaml
@@ -0,0 +1,3 @@
+policies:
+  disallowHostNamespaces:
+    enabled: true
diff --git a/charts/test-chart/templates/NOTES.txt b/charts/test-chart/templates/NOTES.txt
diff --git a/charts/test-chart/templates/_helpers.tpl b/charts/test-chart/templates/_helpers.tpl
@@ -1,7 +1,7 @@
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "test-chart.name" -}}
+{{- define "kyverno-policies.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
@@ -10,7 +10,7 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
-{{- define "test-chart.fullname" -}}
+{{- define "kyverno-policies.fullname" -}}
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
@@ -26,37 +26,19 @@ If release name contains chart name it will be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "test-chart.chart" -}}
+{{- define "kyverno-policies.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
 {{/*
-Common labels
+Renders a value that contains template. Based on https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_tplvalues.tpl
+Usage:
+{{ include "kyverno-policies.extraManifests" ( dict "value" .Values.path.to.the.Value "context" $) }}
 */}}
-{{- define "test-chart.labels" -}}
-helm.sh/chart: {{ include "test-chart.chart" . }}
-{{ include "test-chart.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "test-chart.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "test-chart.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "test-chart.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "test-chart.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
+{{- define "kyverno-policies.extraManifests" -}}
+    {{- if typeIs "string" .value }}
+        {{- tpl .value .context }}
+    {{- else }}
+        {{- tpl (.value | toYaml) .context }}
+    {{- end }}
+{{- end -}}
diff --git a/charts/test-chart/templates/deployment.yaml b/charts/test-chart/templates/deployment.yaml
diff --git a/charts/test-chart/templates/extraManifests.yaml b/charts/test-chart/templates/extraManifests.yaml
@@ -0,0 +1,4 @@
+{{- range .Values.extraManifests }}
+---
+{{ include "kyverno-policies.extraManifests" (dict "value" . "context" $) }}
+{{- end }}
diff --git a/charts/test-chart/templates/hpa.yaml b/charts/test-chart/templates/hpa.yaml
diff --git a/charts/test-chart/templates/ingress.yaml b/charts/test-chart/templates/ingress.yaml