(dev-v2.6-archive) Merge pull request #537 from paynejacob/feature/logging-crd-breakout

added crd annotations for logging

(partially cherry picked from commit 8dc1928d82)

packages/rancher-gatekeeper/overlay/CHANGELOG.md

@@ -0,0 +1,17 @@
+# Changelog
+All notable changes from the upstream OPA Gatekeeper chart will be added to this file
+
+## [Package Version 00] - 2020-07-27
+### Added
+- Enabled the CRD chart generator in `package.yaml`
+
+### Modified
+- Updated namespace to `cattle-gatekeeper-system`
+- Updated `rancher/istio-kubectl` image to `1.5.8`
+- Updated for Helm 3 compatibility
+    - Moved crds to `crds` directory
+    - Removed `crd-install` hooks and templates from crds
+
+### Removed
+- Removed `gatekeeper-system-namespace.yaml` as Rancher handles namespaces for chart installation
+- Removed unnecessary `index.yaml` as we package and host our charts

packages/rancher-gatekeeper/overlay/templates/allowedrepos.yaml

@@ -0,0 +1,35 @@
+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+  name: k8sallowedrepos
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sAllowedRepos
+      validation:
+        # Schema for the `parameters` field
+        openAPIV3Schema:
+          properties:
+            repos:
+              type: array
+              items:
+                type: string
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8sallowedrepos
+
+        violation[{"msg": msg}] {
+          container := input.review.object.spec.containers[_]
+          satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
+          not any(satisfied)
+          msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
+        }
+
+        violation[{"msg": msg}] {
+          container := input.review.object.spec.initContainers[_]
+          satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
+          not any(satisfied)
+          msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
+        }

packages/rancher-gatekeeper/overlay/templates/job-constraints-crd.yaml

@@ -0,0 +1,19 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: gatekeeper-delete-constraints-crd-job
+  annotations:
+    "helm.sh/hook": "pre-delete"
+    "helm.sh/hook-delete-policy": "hook-succeeded, before-hook-creation, hook-failed"
+spec:
+  template:
+    spec:
+      serviceAccountName: gatekeeper-admin
+      containers:
+      - name: gatekeeper-delete-constraints-crd
+        image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
+        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+        command: ["kubectl",  "delete", "constrainttemplates", "--all"]
+      restartPolicy: Never
+  backoffLimit: 1

packages/rancher-gatekeeper/overlay/templates/requiredlabels.yaml

@@ -0,0 +1,57 @@
+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+  name: k8srequiredlabels
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sRequiredLabels
+      validation:
+        # Schema for the `parameters` field
+        openAPIV3Schema:
+          properties:
+            message:
+              type: string
+            labels:
+              type: array
+              items:
+                type: object
+                properties:
+                  key:
+                    type: string
+                  allowedRegex:
+                    type: string
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8srequiredlabels
+
+        get_message(parameters, _default) = msg {
+          not parameters.message
+          msg := _default
+        }
+
+        get_message(parameters, _default) = msg {
+          msg := parameters.message
+        }
+
+        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
+          provided := {label | input.review.object.metadata.labels[label]}
+          required := {label | label := input.parameters.labels[_].key}
+          missing := required - provided
+          count(missing) > 0
+          def_msg := sprintf("you must provide labels: %v", [missing])
+          msg := get_message(input.parameters, def_msg)
+        }
+
+        violation[{"msg": msg}] {
+          value := input.review.object.metadata.labels[key]
+          expected := input.parameters.labels[_]
+          expected.key == key
+          # do not match if allowedRegex is not defined, or is an empty string
+          expected.allowedRegex != ""
+          not re_match(expected.allowedRegex, value)
+          def_msg := sprintf("Label <%v: %v> does not satisfy allowed regex: %v", [key, value, expected.allowedRegex])
+          msg := get_message(input.parameters, def_msg)
+        }

packages/rancher-gatekeeper/package.yaml

@@ -1,4 +1,7 @@
 url: https://github.com/open-policy-agent/gatekeeper.git
-subdirectory: chart/gatekeeper-operator
+subdirectory: charts/gatekeeper
 type: git
-commit: 478aa0e193909a301cc7461f0f8c078d652e70fb
+commit: 9a8051ac8fa3dc407056ed0293a0d97210386115
+generateCRDChart:
+  enabled: true
+  providesGVR: configs.config.gatekeeper.sh/v1alpha1

packages/rancher-logging/overlay/templates/logging-rke1.yaml

@@ -1,19 +0,0 @@
-{{- if .Values.additionalLoggingSources.rke1.enabled }}
-apiVersion: logging.banzaicloud.io/v1beta1
-kind: Logging
-metadata:
-  name: {{ .Release.Name }}-rke
-  namespace: {{ .Release.Namespace }}
-  labels: {{ include "logging-operator.labels" . | indent 4 }}
-spec:
-  controlNamespace: {{ .Release.Namespace }}
-  fluentbit:
-    inputTail:
-      Tag: "rke"
-      Path: "/rke/*.log"
-    extraVolumeMounts:
-      - source: "/var/lib/rancher/rke/log"
-        destination: "/rke"
-        readOnly: true
-  fluentd: {}
-{{- end }}

packages/rancher-logging/rancher-logging.patch

@@ -1,7 +1,7 @@
 diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-logging/charts-original/Chart.yaml packages/rancher-logging/charts/Chart.yaml
 --- packages/rancher-logging/charts-original/Chart.yaml
 +++ packages/rancher-logging/charts/Chart.yaml
-@@ -1,5 +1,11 @@
+@@ -1,5 +1,15 @@
  apiVersion: v1
  appVersion: 3.4.0
 -description: A Helm chart to install Banzai Cloud logging-operator
@@ -15,6 +15,10 @@ diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-logging/charts-original/Chart.
 +  catalog.cattle.io/namespace: cattle-logging-system
 +  catalog.cattle.io/release-name: rancher-logging
 +  catalog.cattle.io/ui-component: logging
++
++  catalog.cattle.io/requires-gvr: logging.banzaicloud.io/v1beta1
++  catalog.cattle.io/auto-install-gvr: logging.banzaicloud.io/v1beta1
++  catalog.cattle.io/provides-gvr: logging.banzaicloud.io/v1beta1
 diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-logging/charts-original/values.yaml packages/rancher-logging/charts/values.yaml
 --- packages/rancher-logging/charts-original/values.yaml
 +++ packages/rancher-logging/charts/values.yaml
@@ -27,7 +31,7 @@ diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-logging/charts-original/values
  
  resources: {}
    # We usually recommend not to specify default resources and to leave this as a conscious
-@@ -76,4 +76,48 @@
+@@ -76,4 +76,44 @@
  monitoring:
    # Create a Prometheus Operator ServiceMonitor object
    serviceMonitor:
@@ -74,7 +78,4 @@ diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-logging/charts-original/values
 +  address: ""
 +  cluster: true
 +  root_ca: ""
-+
-+additionalLoggingSources:
-+  rke1:
-+    enabled: false
+\ No newline at end of file