diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index bc470d9ec..493ced871 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -30,4 +30,4 @@ jobs:
 skipClusterCreation: true
 - run: |
 just k3d
- just build
+ just up
diff --git a/.gitignore b/.gitignore
index 314af9374..fb54949fb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,5 +3,3 @@ bin
 *.tgz
 skaffold.json
-
-
diff --git a/charts/opa/README.md b/charts/opa/README.md
index 909f6df2b..8ca463550 100644
--- a/charts/opa/README.md
+++ b/charts/opa/README.md
@@ -76,8 +76,8 @@ Reference](https://www.openpolicyagent.org/docs/configuration.html).
 | `podDisruptionBudget.minAvailable` | Sets the minimum number of pods to be available. Cannot be set at the same time as maxUnavailable. | `1` |
 | `podDisruptionBudget.maxUnavailable` | Sets the maximum number of pods to be unavailable. Cannot be set at the same time as minAvailable. | Unset |
 | `hostNetwork.enabled` | Use hostNetwork setting on OPA pod | `false` |
-| `image` | OPA image to deploy. | `openpolicyagent/opa` |
-| `imageTag` | OPA image tag to deploy. | See [values.yaml](values.yaml) |
+| `image.repository` | OPA image to deploy. | `openpolicyagent/opa` |
+| `image.tag` | OPA image tag to deploy. | See [values.yaml](values.yaml) |
 | `port` | Port in the pod to which OPA will bind itself. | `443` |
 | `logLevel` | Log level that OPA outputs at, (`debug`, `info` or `error`) | `info` |
 | `logFormat` | Log format that OPA produces (`text` or `json`) | `text` |
diff --git a/charts/opa/templates/_helpers.tpl b/charts/opa/templates/_helpers.tpl
index 814330529..40d5db24e 100644
--- a/charts/opa/templates/_helpers.tpl
+++ b/charts/opa/templates/_helpers.tpl
@@ -102,3 +102,8 @@ admissionregistration.k8s.io/v1
 admissionregistration.k8s.io/v1beta1
 {{- end -}}
 {{- end -}}
+
+{{- define "opa.mgmt.image" -}}
+{{- $tag := .Values.mgmt.image.tag | default .Chart.AppVersion -}}
+{{ printf "%s:%s" .Values.mgmt.image.repository $tag }}
+{{- end -}}
diff --git a/charts/opa/templates/deployment.yaml b/charts/opa/templates/deployment.yaml
index 0bd8fd3c1..687f8f31f 100644
--- a/charts/opa/templates/deployment.yaml
+++ b/charts/opa/templates/deployment.yaml
@@ -43,8 +43,8 @@ spec:
 {{- if or .Values.authz.enabled .Values.bootstrapPolicies}}
 initContainers:
 - name: initpolicy
- image: {{ .Values.mgmt.image }}:{{ coalesce .Values.mgmt.imageTag .Chart.AppVersion }}
- imagePullPolicy: {{ .Values.mgmt.imagePullPolicy }}
+ image: {{ include "opa.mgmt.image" . }}
+ imagePullPolicy: {{ .Values.mgmt.image.pullPolicy }}
 resources:
 {{ toYaml .Values.mgmt.resources | indent 12 }}
 command:
@@ -90,8 +90,8 @@ spec:
 - name: http
 containerPort: {{ .Values.mgmt.port }}
 {{- end }}
- image: {{ .Values.image }}:{{ .Values.imageTag }}
- imagePullPolicy: {{ .Values.imagePullPolicy }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
 env:
 {{- if .Values.extraEnv }}
 {{ toYaml .Values.extraEnv | indent 12 }}
@@ -155,8 +155,8 @@ spec:
 periodSeconds: 15
 {{- if .Values.mgmt.enabled }}
 - name: mgmt
- image: {{ .Values.mgmt.image }}:{{ coalesce .Values.mgmt.imageTag .Chart.AppVersion }}
- imagePullPolicy: {{ .Values.mgmt.imagePullPolicy }}
+ image: {{ include "opa.mgmt.image" . }}
+ imagePullPolicy: {{ .Values.mgmt.image.pullPolicy }}
 env:
 {{- if .Values.mgmt.extraEnv }}
 {{ toYaml .Values.mgmt.extraEnv | indent 12 }}
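Review bot: The new `opa.mgmt.image` define carries no leading comment, and the Helm convention is a `{{/* ... */}}` block before each define saying what it renders and from which values. Something like `{{/* Image reference for the kube-mgmt containers: mgmt.image.repository plus mgmt.image.tag, falling back to .Chart.AppVersion when the tag is unset. */}}` above the `{{- define` line would do. The helper is only applied to the mgmt containers; the main OPA image and the sarproxy image are still assembled inline in deployment.yaml, so either a second helper or one generic helper taking the image map would keep the three consistent.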
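Review bot: The rendered `image:` scalars are quoted inconsistently: the main container at `@@ -90` writes `image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"`, while the initpolicy and mgmt containers at `@@ -43` and `@@ -155` (and sarproxy at `@@ -193` in the next hunk) leave the value unquoted. Quoting keeps the rendered scalar out of YAML implicit typing should a tag or repository ever look numeric, so the same form should be used in all four places, e.g. `image: {{ include "opa.mgmt.image" . | quote }}`. The same applies to the unquoted `imagePullPolicy:` lines if the project prefers quoting templated scalars throughout.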
@@ -193,8 +193,8 @@ spec:
 {{- end }}
 {{- if .Values.sar.enabled }}
 - name: sarproxy
- image: {{ .Values.sar.image }}:{{ .Values.sar.imageTag }}
- imagePullPolicy: {{ .Values.sar.imagePullPolicy }}
+ image: {{ .Values.sar.image.repository }}:{{ .Values.sar.image.tag }}
+ imagePullPolicy: {{ .Values.sar.image.pullPolicy }}
 resources:
 {{ toYaml .Values.sar.resources | indent 12 }}
 command:
diff --git a/charts/opa/values.yaml b/charts/opa/values.yaml
index 0d51e4c03..9fe618fdd 100644
--- a/charts/opa/values.yaml
+++ b/charts/opa/values.yaml
@@ -116,9 +116,10 @@ hostNetwork:
 enabled: false
 # Docker image and tag to deploy.
-image: openpolicyagent/opa
-imageTag: 0.37.0
-imagePullPolicy: IfNotPresent
+image:
+ repository: openpolicyagent/opa
+ tag: 0.37.0
+ pullPolicy: IfNotPresent
 # One or more secrets to be used when pulling images
 imagePullSecrets: []
@@ -136,9 +137,10 @@ extraEnv: []
 mgmt:
 enabled: false
- image: openpolicyagent/kube-mgmt
- imageTag: null # appVersion is used by default, set to desired value to override
- imagePullPolicy: IfNotPresent
+ image:
+ repository: openpolicyagent/kube-mgmt
+ tag: null # appVersion is used by default, set to desired value to override
+ pullPolicy: IfNotPresent
 # NOTE insecure http port conjointly used for mgmt access and prometheus metrics export
 port: 8181
 extraArgs: []
@@ -215,9 +217,10 @@ serviceAccount:
 # Kubernetes API. You can get a rego function at github.com/open-policy-agent/library
 sar:
 enabled: false
- image: lachlanevenson/k8s-kubectl
- imageTag: latest
- imagePullPolicy: IfNotPresent
+ image:
+ repository: lachlanevenson/k8s-kubectl
+ tag: latest
+ pullPolicy: IfNotPresent
 resources: {}
 # Set a priorityClass using priorityClassName
diff --git a/justfile b/justfile
index a116b6eb9..565628e81 100644
--- a/justfile
+++ b/justfile
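Review bot: Moving `imageTag` and `imagePullPolicy` under `image:` at `@@ -116` is a breaking change to the values schema, and a user values file that still carries the old keys is handled unevenly: a string `image:` now makes the template fail on `.Values.image.repository`, while a stale `imageTag` or `imagePullPolicy` is silently ignored and the chart quietly deploys `0.37.0` with `IfNotPresent`. The same holds for `mgmt.imageTag` and `sar.imageTag` in the two hunks that follow. A one-line guard in a template such as `{{- if .Values.imageTag }}{{ fail "imageTag has moved to image.tag" }}{{- end }}`, together with an upgrade note and a major chart version bump (Chart.yaml is not in the visible diff), would make the rename explicit. Consider quoting `tag: "0.37.0"` as well, since a two-component tag such as 0.38 would otherwise parse as a float.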
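Review bot: The sarproxy image stays on the mutable `tag: latest` with `pullPolicy: IfNotPresent` at `@@ -215`, so which `lachlanevenson/k8s-kubectl` build actually runs depends on what each node has cached, and a new upstream push changes the deployment without any chart change. Since the key is being restructured anyway, pin it to a specific version, e.g. `tag: "<PINNED_VERSION>"` (placeholder), and say so in the comment above `sar:`; the surrounding comment suggests this container fronts the Kubernetes API for the policy, which makes an unpinned third-party image a poor default.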
@@ -34,8 +34,13 @@ test: test-helm test-e2e
 k3d cluster delete kube-mgmt || true
 k3d cluster create --config ./test/e2e/k3d.yaml
-# @up: skaffold-ctx build
-# skaffold run
-#
-# @down:
-# skaffold delete || true
+# render k8s manifests
+@template:
+ skaffold render -a skaffold.json
+
+@up: skaffold-ctx
+ skaffold run
+
+@down:
+ skaffold delete || true
+
diff --git a/manifests/deployment.yaml b/manifests/deployment.yaml
deleted file mode 100644
index 4ed357afa..000000000
--- a/manifests/deployment.yaml
+++ /dev/null
@@ -1,67 +0,0 @@
-# Grant OPA/kube-mgmt read-only access to resources. This lets kube-mgmt
-# list configmaps to be loaded into OPA as policies.
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: opa-viewer
-roleRef:
- kind: ClusterRole
- name: view
- apiGroup: rbac.authorization.k8s.io
-subjects:
-- kind: Group
- name: system:serviceaccounts:opa
- apiGroup: rbac.authorization.k8s.io
---- # Define role for OPA/kube-mgmt to update configmaps with policy status.
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- namespace: opa
- name: configmap-modifier
-rules:
-- apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["update", "patch"]
---- # Grant OPA/kube-mgmt role defined above.
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- namespace: opa
- name: opa-configmap-modifier
-roleRef:
- kind: Role
- name: configmap-modifier
- apiGroup: rbac.authorization.k8s.io
-subjects:
-- kind: Group
- name: system:serviceaccounts:opa
- apiGroup: rbac.authorization.k8s.io
---- # Deploy OPA and kube-mgmt.
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: opa
-spec:
- selector:
- matchLabels:
- app: opa
- replicas: 1
- template:
- metadata:
- labels:
- app: opa
- spec:
- containers:
- - name: opa
- image: openpolicyagent/opa
- args:
- - "run"
- - "--server"
- ports:
- - name: http
- containerPort: 8181
- - name: kube-mgmt
- image: openpolicyagent/kube-mgmt:0.12.1
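Review bot: `@down:` runs `skaffold delete || true` without the `skaffold-ctx` dependency that `@up:` declares, so a teardown runs against whatever kube context happens to be active instead of the k3d cluster; `@down: skaffold-ctx` keeps the two recipes symmetric and limits the blast radius of a stray `just down`. `@template:` reads build artifacts from `skaffold.json`, which the .gitignore hunk shows is an untracked generated file, so the recipe fails on a fresh checkout unless something produces it first, presumably a build recipe defined outside this hunk; either declare that as a dependency or state it in the comment, e.g. `# render k8s manifests (needs skaffold.json from a prior build)`. `skaffold-ctx` itself is defined outside the hunk.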
diff --git a/skaffold.yaml b/skaffold.yaml
index 13ad1d82c..b3d9fb0ef 100755
--- a/skaffold.yaml
+++ b/skaffold.yaml
@@ -1,7 +1,7 @@
 apiVersion: skaffold/v2beta19
 kind: Config
 metadata:
- name: kube-mgmt
+ name: opa
 build:
 artifacts:
 - image: openpolicyagent/kube-mgmt
@@ -20,12 +20,12 @@ profiles:
 deploy:
 helm:
 releases:
- - name: kube-mgmt
+ - name: opa
 chartPath: charts/opa
 wait: true
 upgradeOnChange: false
 skipBuildDependencies: true
 artifactOverrides:
- image: openpolicyagent/kube-mgmt
+ mgmt.image: openpolicyagent/kube-mgmt
 imageStrategy:
 helm: {}
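Review bot: The `mgmt.image:` override key at `@@ -20` only does its job together with the `imageStrategy: helm: {}` below it, which expands the built artifact into the `mgmt.image.repository` and `mgmt.image.tag` values the chart now reads; nothing in the file records that coupling, so a later rename on either side would break the e2e deploy with no obvious error. A comment above the key would help, e.g. `# helm imageStrategy splits this into mgmt.image.repository / mgmt.image.tag (see charts/opa/values.yaml)`. Unrelated to this change, the index line shows skaffold.yaml at mode 100755; an executable bit on a config file is usually unintended.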