Merge pull request #98 from jordojordo/kw

Release Kubewarden `3.1.1`

Author: jordojordo

assets/kubewarden/kubewarden-3.1.1.tgz

@@ -0,0 +1,17 @@
+annotations:
+  catalog.cattle.io/certified: rancher
+  catalog.cattle.io/namespace: cattle-ui-plugin-system
+  catalog.cattle.io/os: linux
+  catalog.cattle.io/permits-os: linux, windows
+  catalog.cattle.io/scope: management
+  catalog.cattle.io/ui-component: plugins
+  catalog.cattle.io/kube-version: '>= v1.16.0-0'
+  catalog.cattle.io/rancher-version: '>= 2.10.0-0'
+  catalog.cattle.io/ui-extensions-version: '>= 3.0.0 < 4.0.0'
+apiVersion: v2
+appVersion: 3.1.1
+description: Kubewarden extension for Rancher Manager
+name: kubewarden
+type: application
+version: 3.1.1
+icon: https://raw.githubusercontent.com/rancher/ui-plugin-charts/main/icons/kubewarden/3.1.1-icon-kubewarden.svg

charts/kubewarden/3.1.1/Chart.yaml

@@ -0,0 +1,7 @@
+# Kubewarden Extension for Rancher Manager
+
+An extension for Rancher Manager which allows you to interact with Kubewarden.
+
+After installation, go to a cluster and you will see a new side navigation entry 'Kubewarden'. This will allow you to install Kubewarden into the cluster and manage Kubewarden resources and configuration.
+
+For more information see https://www.kubewarden.io/

charts/kubewarden/3.1.1/README.md

@@ -0,0 +1,63 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "extension-server.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "extension-server.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "extension-server.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "extension-server.labels" -}}
+helm.sh/chart: {{ include "extension-server.chart" . }}
+{{ include "extension-server.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "extension-server.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "extension-server.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Pkg annotations
+*/}}
+{{- define "extension-server.pluginMetadata" -}}
+{{- with .Values.plugin.metadata }}
+{{- range $key, $value := . }}
+{{ $key }}: {{ $value | quote }}
+{{- end }}
+{{- end }}
+{{- end }}

charts/kubewarden/3.1.1/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+apiVersion: catalog.cattle.io/v1
+kind: UIPlugin
+metadata:
+  name: {{ include "extension-server.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels: {{ include "extension-server.labels" . | nindent 4 }}
+spec:
+  plugin:
+    name: {{ include "extension-server.fullname" . }}
+    version: {{ (semver (default .Chart.AppVersion .Values.plugin.versionOverride)).Original }}
+    endpoint: https://raw.githubusercontent.com/rancher/ui-plugin-charts/main/extensions/kubewarden/3.1.1
+    noCache: {{ .Values.plugin.noCache }}
+    noAuth: {{ .Values.plugin.noAuth }}
+    metadata: {{ include "extension-server.pluginMetadata" . | indent 6 }}

charts/kubewarden/3.1.1/templates/cr.yaml

@@ -0,0 +1,11 @@
+nameOverride: ""
+fullnameOverride: ""
+plugin:
+  enabled: true
+  versionOverride: ""
+  noCache: false
+  noAuth: false
+  metadata:
+    catalog.cattle.io/kube-version: ">= v1.16.0-0"
+    catalog.cattle.io/rancher-version: ">= 2.10.0-0"
+    catalog.cattle.io/ui-extensions-version: ">= 3.0.0 < 4.0.0"

charts/kubewarden/3.1.1/values.yaml

@@ -0,0 +1,37 @@
+plugin/assets/airgap-installation.md
+plugin/img/generic-catalog.1842a50e.svg
+plugin/img/harvester.20240f8a.png
+plugin/img/icon-kubewarden.46f880a3.svg
+plugin/kubewarden-3.1.1.umd.min.205.js
+plugin/kubewarden-3.1.1.umd.min.205.js.map
+plugin/kubewarden-3.1.1.umd.min.37.js
+plugin/kubewarden-3.1.1.umd.min.37.js.map
+plugin/kubewarden-3.1.1.umd.min.463.js
+plugin/kubewarden-3.1.1.umd.min.463.js.map
+plugin/kubewarden-3.1.1.umd.min.60.js
+plugin/kubewarden-3.1.1.umd.min.60.js.map
+plugin/kubewarden-3.1.1.umd.min.68.js
+plugin/kubewarden-3.1.1.umd.min.68.js.map
+plugin/kubewarden-3.1.1.umd.min.919.js
+plugin/kubewarden-3.1.1.umd.min.919.js.map
+plugin/kubewarden-3.1.1.umd.min.953.js
+plugin/kubewarden-3.1.1.umd.min.953.js.map
+plugin/kubewarden-3.1.1.umd.min.airgap-docs.js
+plugin/kubewarden-3.1.1.umd.min.airgap-docs.js.map
+plugin/kubewarden-3.1.1.umd.min.detail.js
+plugin/kubewarden-3.1.1.umd.min.detail.js.map
+plugin/kubewarden-3.1.1.umd.min.dialog.js
+plugin/kubewarden-3.1.1.umd.min.dialog.js.map
+plugin/kubewarden-3.1.1.umd.min.edit.js
+plugin/kubewarden-3.1.1.umd.min.edit.js.map
+plugin/kubewarden-3.1.1.umd.min.formatters.js
+plugin/kubewarden-3.1.1.umd.min.formatters.js.map
+plugin/kubewarden-3.1.1.umd.min.js
+plugin/kubewarden-3.1.1.umd.min.js.map
+plugin/kubewarden-3.1.1.umd.min.list.js
+plugin/kubewarden-3.1.1.umd.min.list.js.map
+plugin/kubewarden-3.1.1.umd.min.markdown.js
+plugin/kubewarden-3.1.1.umd.min.markdown.js.map
+plugin/kubewarden-3.1.1.umd.min.policyDashboard0.js
+plugin/kubewarden-3.1.1.umd.min.policyDashboard1.js
+plugin/package.json

extensions/kubewarden/3.1.1/files.txt

@@ -0,0 +1,155 @@
+# Air gap installation
+
+This guide will show you how to install Kubewarden in air-gapped environments. In an air-gapped installation of Kubewarden,
+you will need a private OCI registry accessible by your Kubernetes cluster. Kubewarden Policies
+are WebAssembly modules; therefore, they can be stored inside an OCI-compliant registry as OCI artifacts.
+You need to add Kubewarden's images and policies to this OCI registry. Let's see how to do that.
+
+## Requirements
+
+1. Private registry that supports OCI artifacts, [here](../../distributing-policies/oci-registries-support) you can find a list of supported OCI registries. It will be used for storing the container images and policies.
+2. [kwctl](https://github.com/kubewarden/kwctl) 1.3.1 or above
+3. docker v20.10.6 or above
+
+## Save container images in your workstation
+
+1. Download `kubewarden-images.txt` from the Kubewarden [release page](https://github.com/kubewarden/helm-charts/releases/). Alternatively, the `imagelist.txt` and `policylist.txt` files are shipped inside the helm charts containing the used container images and policy wasm modules, respectively.
+
+>**Note:** Optionally, you can verify the signatures of the [helm charts](../../security/verifying-kubewarden#helm-charts) and [container images](../../security/verifying-kubewarden#container-images)
+
+2. Add `cert-manager` if it is not available in your private registry.
+
+```
+helm repo add jetstack https://charts.jetstack.io
+helm repo update
+helm pull jetstack/cert-manager
+helm template ./cert-manager-<Version>.tgz | \
+  awk '$1 ~ /image:/ {print $2}' | sed s/\"//g >> ./kubewarden-images.txt
+```
+
+3. Download `kubewarden-save-images.sh` and `kubewarden-load-images.sh` from the [utils repository](https://github.com/kubewarden/utils).
+4. Save Kubewarden container images into a .tar.gz file:
+
+```
+./kubewarden-save-images.sh \
+  --image-list ./kubewarden-images.txt \
+  --images kubewarden-images.tar.gz
+```
+
+Docker begins pulling the images used for an air gap install. Be patient. This process takes a few minutes.
+When the process completes, your current directory will output a tarball named `kubewarden-images.tar.gz`. It will be present in the same directory where you executed the command.
+
+## Save policies in your workstation
+
+1. Add all the policies you want to use in a `policies.txt` file. A file with a list of the default policies can be found in the Kubewarden defaults [release page](https://github.com/kubewarden/helm-charts/releases/)
+2. Download `kubewarden-save-policies.sh` and `kubewarden-load-policies.sh` from the [kwctl repository](https://github.com/kubewarden/kwctl/tree/main/scripts)
+3. Save policies into a .tar.gz file:
+
+```
+./kubewarden-save-policies.sh --policies-list policies.txt
+```
+
+kwctl downloads all the policies and stores them as `kubewarden-policies.tar.gz` archive.
+
+## Helm charts
+
+You need to download the following helm charts in your workstation:
+
+```
+helm pull kubewarden/kubewarden-crds
+helm pull kubewarden/kubewarden-controller
+helm pull kubewarden/kubewarden-defaults
+```
+
+Download `cert-manager` if it is not installed in the air gap cluster.
+
+```
+helm pull jetstack/cert-manager
+```
+
+## Populate private registry
+
+Move `kubewarden-policies.tar.gz`, `kubewarden-images.tar.gz`, `kubewarden-load-images.sh`, `kubewarden-load-policies.sh` and `policies.txt`
+to the air gap environment.
+
+1. Load Kubewarden images into the private registry. Docker client must be authenticated against the local registry
+```
+./kubewarden-load-images.sh \
+  --image-list ./kubewarden-images.txt \
+  --images kubewarden-images.tar.gz \
+  --registry <REGISTRY.YOURDOMAIN.COM:PORT>
+```
+2. Load Kubewarden policies into the private registry. Kwctl must be authenticated against the local registry (`kwctl` uses the same mechanism to authenticate as `docker`, a `~/.docker/config.json` file)
+```
+./kubewarden-load-policies.sh \
+  --policies-list policies.txt \
+  --policies kubewarden-policies.tar.gz \
+  --registry <REGISTRY.YOURDOMAIN.COM:PORT> \
+  --sources-path sources.yml
+```
+
+>***Caution:***
+>The `sources.yaml` file is needed by kwctl to connect to registries that fall into these categories:
+>
+>* Authentication is required
+>* Self signed certificate is being used
+>* No TLS termination is done
+>
+>Please refer to [the section on custom certificate authorities](../../distributing-policies/custom-certificate-authorities.md) in our documentation to learn more about configuring the `sources.yaml` file
+
+
+## Install Kubewarden
+
+Let's install Kubewarden now that we have everything we need in our private registry. The only difference with a normal
+Kubewarden installation is that we need to change the registry in the container images and policies to our private registry.
+
+Install `cert-manager` if it is not already installed in the air gap cluster:
+
+```
+helm install --create-namespace cert-manager ./cert-manager-<Version>.tgz \
+    -n kubewarden \
+    --set installCRDs=true \
+    --set image.repository=<REGISTRY.YOURDOMAIN.COM:PORT>/jetstack/cert-manager-controller \
+    --set webhook.image.repository=<REGISTRY.YOURDOMAIN.COM:PORT>/jetstack/cert-manager-webhook \
+    --set cainjector.image.repository=<REGISTRY.YOURDOMAIN.COM:PORT>/jetstack/cert-manager-cainjector \
+    --set startupapicheck.image.repository=<REGISTRY.YOURDOMAIN.COM:PORT>/jetstack/cert-manager-ctl
+```
+
+Let's install the Kubewarden stack:
+
+```
+helm install --wait -n kubewarden \
+  kubewarden-crds kubewarden-crds.tgz
+```
+
+```
+helm install --wait -n kubewarden \
+  kubewarden-controller kubewarden-controller.tgz \
+  --set global.cattle.systemDefaultRegistry=<REGISTRY.YOURDOMAIN.COM:PORT>
+```
+
+```
+helm install --wait -n kubewarden \
+  kubewarden-defaults kubewarden-defaults.tgz \
+  --set global.cattle.systemDefaultRegistry=<REGISTRY.YOURDOMAIN.COM:PORT>
+```
+
+>***Caution***
+>To download the recommended policies installed by the `kubewarden-defaults` Helm
+>Chart from a registry other than `global.cattle.systemDefaultRegistry`, you can
+>utilize the `recommendedPolicies.defaultPoliciesRegistry` configuration. This
+>configuration allows users to specify a registry dedicated to pulling the OCI
+>artifacts of the policies. It is particularly useful when their container image
+>repository does not support OCI artifacts.
+>
+>To install and wait for the installation to complete, use the following command:
+>
+>```console
+>helm install --wait -n kubewarden \
+>  kubewarden-defaults kubewarden-defaults.tgz \
+>  --set global.cattle.systemDefaultRegistry=<REGISTRY.YOURDOMAIN.COM:PORT> \
+>  --set recommendedPolicies.defaultPoliciesRegistry=<REGISTRY.YOURDOMAIN.COM:PORT>
+>```
+>
+>If the `recommendedPolicies.defaultPoliciesRegistry` configuration is not set,
+>the `global.cattle.systemDefaultRegistry` will be used as the default registry.