feat: policy reporter

Adds a Kubewarden controller subchart to allow users to install the
Policy Reporter UI. Therefore, user get a UI to visualize the reports
generated by the audit scanner.

Signed-off-by: José Guilherme Vanz <[email protected]>

.github/workflows/helm-chart-release.yml

@@ -79,6 +79,11 @@ jobs:
         run: |
           make generate-changelog-files
 
+      - name: Add dependency repo required to release the controller chart
+        run: |
+          helm repo add policy-reporter https://kyverno.github.io/policy-reporter
+          helm repo update
+
       - name: Run chart-releaser
         uses: helm/[email protected]
         with:

charts/kubewarden-controller/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: policy-reporter
+  repository: https://kyverno.github.io/policy-reporter
+  version: 2.19.4
+digest: sha256:145d113d1448d3c2217db65df2c2bc6ec91ba57ef9cbdb69805c2466187dbaba
+generated: "2023-09-05T09:47:29.471541497-03:00"

charts/kubewarden-controller/Chart.yaml

@@ -44,3 +44,8 @@ annotations:
   # Valid values for the following annotation include: `cluster-tool`, `app` or `cluster-template`
   # See the Cluster Tools section to learn more about when to set this value to `cluster-tool`.
   catalog.cattle.io/type: cluster-tool
+dependencies:
+  - name: policy-reporter
+    version: 2.19.4
+    repository: https://kyverno.github.io/policy-reporter
+    condition: auditScanner.policyReporter

charts/kubewarden-controller/chart-values.yaml

@@ -91,6 +91,7 @@ resources:
 replicas: 1
 auditScanner:
   enable: true
+  policyReporter: false
   # The default audit-scanner ServiceAccount is bound to the ClusterRoles:
   # - view: Allows read-only access to most objects in a namespace.
   #   Does not allow viewing secrets, roles or role bindings.
@@ -114,3 +115,18 @@ auditScanner:
   logLevel: info
   # Output result of scan to stdout in JSON upon completion
   outputScan: true
+
+# Values to configure the policy reporter subchart enabled by the
+# auditScanner.policyReporter flag
+policy-reporter:
+  image:
+    registry: ghcr.io
+    repository: kyverno/policy-reporter
+    tag: 2.15.4
+  ui:
+    enabled: true
+    image:
+      registry: ghcr.io
+      repository: kyverno/policy-reporter-ui
+      tag: 1.8.4
+

charts/kubewarden-controller/values.yaml

@@ -127,6 +127,7 @@ resources:
 replicas: 1
 auditScanner:
   enable: true
+  policyReporter: false
   # The default audit-scanner ServiceAccount is bound to the ClusterRoles:
   # - view: Allows read-only access to most objects in a namespace.
   #   Does not allow viewing secrets, roles or role bindings.
@@ -150,3 +151,18 @@ auditScanner:
   logLevel: info
   # Output result of scan to stdout in JSON upon completion
   outputScan: true
+
+# Values to configure the policy reporter subchart enabled by the
+# auditScanner.policyReporter flag
+policy-reporter:
+  image:
+    registry: ghcr.io
+    repository: kyverno/policy-reporter
+    tag: 2.15.4
+  ui:
+    enabled: true
+    image:
+      registry: ghcr.io
+      repository: kyverno/policy-reporter-ui
+      tag: 1.8.4
+

scripts/extract_images.sh

@@ -12,7 +12,10 @@ if [ -e $IMAGELIST_FILENAME ]; then
 fi
 
 for chart in $CHARTS_DIRS; do
-	helm template --values "$chart"/values.yaml "$chart"/ | yq -r "..|.image?" | grep -v "null"  > $TMP_IMAGE_FILE
+	# the set CLI flag is used only by the controller chart. But to
+	# simplify the script, it will be passed for all the chart. It will be
+	# ignore for the other chart anyway
+	helm template --values "$chart"/values.yaml --set auditScanner.policyReporter=true "$chart"/ | yq -r "..|.image?" | grep -v "null"  > $TMP_IMAGE_FILE
 	sed --in-place '/---/d' $TMP_IMAGE_FILE
 	mv $TMP_IMAGE_FILE "$chart"/$IMAGELIST_FILENAME 
 done