Merge pull request #35 from aiyengar2/release_0_1_0

Use global.cattle.psp.enabled, switch to official fork, and more chart changes for v0.1.0 release

Dockerfile.dapper

@@ -14,6 +14,9 @@ RUN if [ "${ARCH}" == "amd64" ]; then \
         curl -sL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s v1.40.1; \
     fi
 
+ENV YQ_VERSION=v4.25.1
+RUN wget https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_${ARCH} -O /usr/bin/yq && chmod +x /usr/bin/yq;
+
 COPY --from=helm ./helm/bin/helm /usr/local/bin/
 
 ENV DAPPER_ENV REPO TAG DRONE_TAG CROSS

charts/example-chart/Chart.yaml

@@ -8,4 +8,4 @@ annotations:
   catalog.cattle.io/hidden: "true"
   catalog.cattle.io/release-name: example-chart
   catalog.cattle.io/os: linux,windows
-  catalog.cattle.io/permits-os: linux,windows
+  catalog.cattle.io/permits-os: linux,windows

charts/example-chart/README.md

@@ -2,4 +2,4 @@
 
 This chart is a dummy chart that is deployed on behalf of the default Helm Project Operator.
 
-This chart is primarily intended for testing purposes.
+This chart is primarily intended for testing purposes.

charts/example-chart/questions.yaml

@@ -4,4 +4,4 @@ questions:
     description: My Data
     type: string
     required: true
-    group: Data
+    group: Data

charts/example-chart/templates/configmaps.yaml

@@ -42,4 +42,4 @@ data:
   cattle-url: |-
 {{ .Values.global.cattle.url | toYaml | indent 4 }}
   cluster-id: |-
-{{ .Values.global.cattle.clusterId | toYaml | indent 4 }}
+{{ .Values.global.cattle.clusterId | toYaml | indent 4 }}

charts/example-chart/templates/dashboard-values-configmap.yaml

@@ -7,4 +7,4 @@ metadata:
     helm.cattle.io/dashboard-values-configmap: {{ .Release.Name }}
 data:
   data.json: |-
-{{ .Values.data | toJson | indent 4 }}
+{{ .Values.data | toJson | indent 4 }}

charts/example-chart/values.yaml

@@ -31,4 +31,4 @@ global:
       aggregateToDefaultRoles: true
 
 data:
-  hello: world
+  hello: world

charts/helm-project-operator/Chart.yaml

@@ -1,15 +1,15 @@
 apiVersion: v2
 name: helm-project-operator
 description: Helm Project Operator
-version: 0.0.3
-appVersion: 0.0.1
+version: 0.1.0
+appVersion: 0.1.0
 annotations:
   catalog.cattle.io/certified: rancher
   catalog.cattle.io/display-name: Helm Project Operator
   catalog.cattle.io/kube-version: '>=1.16.0-0'
   catalog.cattle.io/namespace: cattle-helm-system
   catalog.cattle.io/permits-os: linux,windows
   catalog.cattle.io/provides-gvr: helm.cattle.io.projecthelmchart/v1alpha1
-  catalog.cattle.io/rancher-version: '>= 2.6.0-0 <=2.6.99-0'
+  catalog.cattle.io/rancher-version: '>= 2.6.0-0'
   catalog.cattle.io/release-name: helm-project-operator
-  catalog.cattle.io/os: linux,windows
+  catalog.cattle.io/os: linux,windows

charts/helm-project-operator/README.md

@@ -74,4 +74,4 @@ By default, the `example-chart` (the underlying chart deployed by Helm Project O
 |`hardenedNamespaces.enabled`| Whether to automatically patch the default ServiceAccount with `automountServiceAccountToken: false` and create a default NetworkPolicy in all managed namespaces in the cluster; the default values ensure that the creation of the namespace does not break a CIS 1.16 hardened scan |
 |`hardenedNamespaces.configuration`| The configuration to be supplied to the default ServiceAccount or auto-generated NetworkPolicy on managing a namespace |
 |`helmController.enabled`| Whether to enable an embedded k3s-io/helm-controller instance within the Helm Project Operator. Should be disabled for RKE2 clusters since RKE2 clusters already run Helm Controller to manage internal Kubernetes components |
-|`helmLocker.enabled`| Whether to enable an embedded rancher/helm-locker instance within the Helm Project Operator. |
+|`helmLocker.enabled`| Whether to enable an embedded rancher/helm-locker instance within the Helm Project Operator. |

charts/helm-project-operator/app-readme.md

@@ -0,0 +1,20 @@
+# Helm Project Operator
+
+This chart installs the example [Helm Project Operator](https://github.com/rancher/helm-project-operator) onto your cluster.
+
+## Upgrading to Kubernetes v1.25+
+
+Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. 
+
+As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`.
+​
+> **Note:**
+> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`.
+    ​
+> **Note:**
+> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).**
+>
+> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets.
+Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart.
+​
+As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards.

charts/helm-project-operator/questions.yaml

@@ -1,4 +1,10 @@
 questions:
+- variable: global.cattle.psp.enabled
+  default: "false"
+  description: "Flag to enable or disable the installation of PodSecurityPolicies by this chart in the target cluster. If the cluster is running Kubernetes 1.25+, you must update this value to false."
+  label: "Enable PodSecurityPolicies"
+  type: boolean
+  group: "Security Settings"
 - variable: helmController.enabled
   label: Enable Embedded Helm Controller
   description: 'Note: If you are running this chart in an RKE2 cluster, this should be disabled.'
@@ -34,4 +40,4 @@ questions:
   type: string
   default: view
   required: false
-  group: RBAC
+  group: RBAC

charts/helm-project-operator/templates/NOTES.txt

@@ -1,3 +1,2 @@
 {{ $.Chart.Name }} has been installed. Check its status by running:
   kubectl --namespace {{ template "helm-project-operator.namespace" . }} get pods -l "release={{ $.Release.Name }}"
-

charts/helm-project-operator/templates/_helpers.tpl

@@ -52,7 +52,7 @@ Allow the release namespace to be overridden for multi-namespace deployments in
 {{- end }}
 
 {{/* Generate basic labels */}}
-{{- define "helm-project-operator.labels" }}
+{{- define "helm-project-operator.labels" -}}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}"
@@ -63,4 +63,4 @@ heritage: {{ $.Release.Service | quote }}
 {{- if .Values.commonLabels}}
 {{ toYaml .Values.commonLabels }}
 {{- end }}
-{{- end }}
+{{- end -}}

charts/helm-project-operator/templates/cleanup.yaml

@@ -16,13 +16,13 @@ spec:
         app: {{ template "helm-project-operator.name" . }}
     spec:
       serviceAccountName: {{ template "helm-project-operator.name" . }}
-      securityContext:
-        runAsNonRoot: false
-        runAsUser: 0
+{{- if .Values.cleanup.securityContext }}
+      securityContext: {{ toYaml .Values.cleanup.securityContext | nindent 8 }}
+{{- end }}
       initContainers:
         - name: add-cleanup-annotations
           image: {{ template "system_default_registry" . }}{{ .Values.cleanup.image.repository }}:{{ .Values.cleanup.image.tag }}
-          imagePullPolicy: IfNotPresent
+          imagePullPolicy: "{{ .Values.image.pullPolicy }}"
           command:
           - /bin/sh
           - -c
@@ -42,6 +42,12 @@ spec:
                 kubectl label projecthelmcharts -n ${namespace} ${projectHelmChart} helm.cattle.io/helm-project-operator-cleanup=true --overwrite;
               done;
             done;
+{{- if .Values.cleanup.resources }}
+          resources: {{ toYaml .Values.cleanup.resources | nindent 12 }}
+{{- end }}
+{{- if .Values.cleanup.containerSecurityContext }}
+          securityContext: {{ toYaml .Values.cleanup.containerSecurityContext | nindent 12 }}
+{{- end }}
       containers:
         - name: ensure-subresources-deleted
           image: {{ template "system_default_registry" . }}{{ .Values.cleanup.image.repository }}:{{ .Values.cleanup.image.tag }}
@@ -59,6 +65,12 @@ spec:
               sleep 3;
             done;
             echo "Successfully deleted all HelmCharts and HelmReleases in ${SYSTEM_NAMESPACE}!";
+{{- if .Values.cleanup.resources }}
+          resources: {{ toYaml .Values.cleanup.resources | nindent 12 }}
+{{- end }}
+{{- if .Values.cleanup.containerSecurityContext }}
+          securityContext: {{ toYaml .Values.cleanup.containerSecurityContext | nindent 12 }}
+{{- end }}
       restartPolicy: OnFailure
       nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
       {{- if .Values.cleanup.nodeSelector }}

charts/helm-project-operator/templates/deployment.yaml

@@ -99,13 +99,16 @@ spec:
             value: {{ .Values.valuesOverride | toYaml | sha256sum }}
 {{- if .Values.resources }}
           resources: {{ toYaml .Values.resources | nindent 12 }}
+{{- end }}
+{{- if .Values.containerSecurityContext }}
+          securityContext: {{ toYaml .Values.containerSecurityContext | nindent 12 }}
 {{- end }}
           volumeMounts:
           - name: config
             mountPath: "/etc/helmprojectoperator/config"
       serviceAccountName: {{ template "helm-project-operator.name" . }}
 {{- if .Values.securityContext }}
-      securityContext: {{ toYaml .Values.securityContext | indent 8 }}
+      securityContext: {{ toYaml .Values.securityContext | nindent 8 }}
 {{- end }}
       nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} 
 {{- if .Values.nodeSelector }}
@@ -118,4 +121,4 @@ spec:
       volumes:
       - name: config
         configMap:
-          name: {{ template "helm-project-operator.name" . }}-config
+          name: {{ template "helm-project-operator.name" . }}-config

charts/helm-project-operator/templates/psp.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.global.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicies") }}
+{{- if .Values.global.cattle.psp.enabled }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:

charts/helm-project-operator/templates/rbac.yaml

@@ -8,9 +8,6 @@ roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: "cluster-admin" # see note below
-  # apiGroup: rbac.authorization.k8s.io
-  # kind: ClusterRole
-  # name: {{ template "helm-project-operator.name" . }}
 subjects:
 - kind: ServiceAccount
   name: {{ template "helm-project-operator.name" . }}
@@ -31,93 +28,5 @@ imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 2 }}
 # As of now, due to the fact that the k3s-io/helm-controller can only deploy jobs that are cluster-bound to the cluster-admin
 # ClusterRole, the only way for this operator to be able to perform that binding is if it is also bound to the cluster-admin ClusterRole.
 #
-# As a result, this ClusterRole will be left as a work-in-progress until changes are made in k3s-io/helm-controller to allow us to grant
+# As a result, this ClusterRoleBinding will be left as a work-in-progress until changes are made in k3s-io/helm-controller to allow us to grant
 # only scoped down permissions to the Job that is deployed.
-#
-# apiVersion: rbac.authorization.k8s.io/v1
-# kind: ClusterRole
-# metadata:
-#   name: {{ template "helm-project-operator.name" . }}
-#   labels: {{ include "helm-project-operator.labels" . | nindent 4 }}
-#     app: {{ template "helm-project-operator.name" . }}
-# rules:
-# # Helm Project Operator
-# - apiGroups:
-#   - helm.cattle.io
-#   resources:
-#   - projecthelmcharts
-#   - projecthelmcharts/status
-#   verbs:
-#   - "*"
-# - apiGroups:
-#   - ""
-#   resources:
-#   - namespaces
-#   verbs:
-#   - create
-#   - get
-#   - list
-#   - watch
-#   - update
-#   - patch
-# # Helm Controller
-# - apiGroups:
-#   - helm.cattle.io
-#   resources:
-#   - helmcharts
-#   - helmcharts/status
-#   - helmchartconfigs
-#   - helmchartconfigs/status
-#   verbs:
-#   - "*"
-# - apiGroups:
-#   - batch
-#   resources:
-#   - jobs
-#   verbs:
-#   - "*"
-# - apiGroups:
-#   - ""
-#   resources:
-#   - serviceaccounts
-#   verbs:
-#   - "*"
-# - apiGroups:
-#   - rbac.authorization.k8s.io
-#   resources:
-#   - clusterrolebindings
-#   verbs:
-#   - "*"
-# # Helm Locker
-# - apiGroups:
-#   - helm.cattle.io
-#   resources:
-#   - helmreleases
-#   - helmreleases/status
-#   verbs:
-#   - "*"
-# - apiGroups:
-#   - ""
-#   resources:
-#   - secrets
-#   verbs:
-#   - create
-#   - get
-#   - list
-#   - watch
-#   - update
-#   - patch
-# # Common
-# - apiGroups:
-#   - ""
-#   resources:
-#   - configmaps
-#   verbs:
-#   - "*"
-# - apiGroups:
-#     - ""
-#     - events.k8s.io
-#   resources:
-#     - events
-#   verbs:
-#     - "*"

charts/helm-project-operator/templates/system-namespaces-configmap.yaml

@@ -59,4 +59,4 @@ roleRef:
   name: {{ template "helm-project-operator.name" . }}-system-namespaces
 subjects: {{ .Values.systemNamespacesConfigMap.rbac.subjects | toYaml | nindent 2 }}
 {{- end }}
-{{- end }}
+{{- end }}

charts/helm-project-operator/templates/validate-psp-install.yaml

@@ -0,0 +1,7 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+#{{- if .Values.global.cattle.psp.enabled }}
+#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
+#{{- end }}
+#{{- end }}
+#{{- end }}