use helm in chainsaw overlay

filariow · filariow · commit 456318ef7050 · 2025-04-28T16:11:20.000+02:00
Signed-off-by: Francesco Ilario &lt;filario@redhat.com&gt;
diff --git a/.github/workflows/chainsaw-tests.yaml b/.github/workflows/chainsaw-tests.yaml
@@ -37,7 +37,7 @@ jobs:
     - name: Install Dependencies
       shell: bash
       run: |
-        kustomize build components/kyverno/chainsaw | \
+        kustomize build --enable-helm components/kyverno/chainsaw | \
           kubectl apply -f - --server-side
 
     - name: Install Cosign
diff --git a/components/kyverno/chainsaw/job_resources.yaml b/components/kyverno/chainsaw/job_resources.yaml
@@ -0,0 +1,10 @@
+---
+- op: add
+  path: /spec/template/spec/containers/0/resources
+  value:
+    requests:
+      cpu: 100m
+      memory: 64M
+    limits:
+      cpu: 400m
+      memory: 256M
diff --git a/components/kyverno/chainsaw/kustomization.yaml b/components/kyverno/chainsaw/kustomization.yaml
@@ -1,17 +1,96 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+
 namespace: konflux-kyverno
+
 resources:
-- https://github.com/kyverno/kyverno/raw/main/config/install-latest-testing.yaml
+- namespace.yaml
+
+generators:
+- kyverno-helm-generator.yaml
+
+replacements:
+  # enforce serviceAccountName is used instead of serviceAccount in Jobs
+  # TODO: these replacements can be removed when bumping to kyverno:1.14
+  # https://github.com/kyverno/kyverno/pull/12158
+  - source:
+      group: batch
+      version: v1
+      kind: Job
+      name: konflux-kyverno-clean-reports
+      namespace: konflux-kyverno
+      fieldPath: spec.template.spec.serviceAccount
+    targets:
+      - select:
+          group: batch
+          version: v1
+          kind: Job
+          namespace: konflux-kyverno
+          name: konflux-kyverno-clean-reports
+        fieldPaths:
+          - spec.template.spec.serviceAccountName
+        options:
+          create: true
+  - source:
+      group: batch
+      version: v1
+      kind: Job
+      name: konflux-kyverno-migrate-resources
+      namespace: konflux-kyverno
+      fieldPath: spec.template.spec.serviceAccount
+    targets:
+      - select:
+          group: batch
+          version: v1
+          kind: Job
+          namespace: konflux-kyverno
+          name: konflux-kyverno-migrate-resources
+        fieldPaths:
+          - spec.template.spec.serviceAccountName
+        options:
+          create: true
+  - source:
+      group: batch
+      version: v1
+      kind: Job
+      name: konflux-kyverno-remove-configmap
+      namespace: konflux-kyverno
+      fieldPath: spec.template.spec.serviceAccount
+    targets:
+      - select:
+          group: batch
+          version: v1
+          kind: Job
+          namespace: konflux-kyverno
+          name: konflux-kyverno-remove-configmap
+        fieldPaths:
+          - spec.template.spec.serviceAccountName
+        options:
+          create: true
 
+# set resources to jobs
 patches:
-- target:
-    kind: Deployment
-    name: kyverno-admission-controller
-  patch: |-
-    - op: add
-      path: /spec/template/spec/containers/0/args/-
-      value: --reportsServiceAccountName=system:serviceaccount:konflux-kyverno:kyverno-reports-controller
-    - op: add
-      path: /spec/template/spec/containers/0/args/-
-      value: --backgroundServiceAccountName=system:serviceaccount:konflux-kyverno:kyverno-background-controller
+  - path: job_resources.yaml
+    target:
+      group: batch
+      version: v1
+      kind: Job
+      name: konflux-kyverno-scale-to-zero
+  - path: job_resources.yaml
+    target:
+      group: batch
+      version: v1
+      kind: Job
+      name: konflux-kyverno-clean-reports
+  - path: job_resources.yaml
+    target:
+      group: batch
+      version: v1
+      kind: Job
+      name: konflux-kyverno-migrate-resources
+  - path: job_resources.yaml
+    target:
+      group: batch
+      version: v1
+      kind: Job
+      name: konflux-kyverno-remove-configmap
diff --git a/components/kyverno/chainsaw/kyverno-helm-generator.yaml b/components/kyverno/chainsaw/kyverno-helm-generator.yaml
@@ -0,0 +1,13 @@
+apiVersion: builtin
+kind: HelmChartInflationGenerator
+metadata:
+  name: kyverno
+name: kyverno
+repo: https://kyverno.github.io/kyverno/
+# TODO: when bumping to kyverno:1.14 we can remove ServiceAccountName 
+# replacements from the kustomization.yaml file
+# https://github.com/kyverno/kyverno/pull/12158
+version: 3.3.7
+namespace: konflux-kyverno
+valuesFile: kyverno-helm-values.yaml
+releaseName: kyverno
diff --git a/components/kyverno/chainsaw/kyverno-helm-values.yaml b/components/kyverno/chainsaw/kyverno-helm-values.yaml
@@ -0,0 +1,104 @@
+---
+fullnameOverride: konflux-kyverno
+namespaceOverride: konflux-kyverno
+config:
+  updateRequestThreshold: 1000
+admissionController:
+  replicas: 1
+  initContainer:
+    securityContext:
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: true
+      runAsNonRoot: true
+      capabilities:
+        drop:
+        - "ALL"
+  container:
+    resources:
+      limits:
+        cpu: 500m
+    securityContext:
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: true
+      runAsNonRoot: true
+      capabilities:
+        drop:
+        - "ALL"
+backgroundController:
+  replicas: 1
+  resources:
+    limits:
+      cpu: 500m
+  securityContext:
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    capabilities:
+      drop:
+      - "ALL"
+cleanupController:
+  enabled: false
+  resources:
+    limits:
+      cpu: 500m
+  securityContext:
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    capabilities:
+      drop:
+      - "ALL"
+reportsController:
+  enabled: false
+  resources:
+    limits:
+      cpu: 500m
+  securityContext:
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    capabilities:
+      drop:
+      - "ALL"
+policyReportsCleanup:
+  securityContext:
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    runAsGroup: null
+    runAsUser: null
+    capabilities:
+      drop:
+      - "ALL"
+webhooksCleanup:
+  enabled: false
+  securityContext:
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    runAsGroup: null
+    runAsUser: null
+    capabilities:
+      drop:
+      - "ALL"
+test:
+  securityContext:
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    runAsGroup: null
+    runAsUser: null
+    capabilities:
+      drop:
+      - "ALL"
+crds:
+  migration:
+    securityContext:
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: true
+      runAsNonRoot: true
+      runAsGroup: null
+      runAsUser: null
+      capabilities:
+        drop:
+        - "ALL"
diff --git a/components/kyverno/chainsaw/namespace.yaml b/components/kyverno/chainsaw/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: konflux-kyverno
diff --git a/hack/chainsaw/chainsaw-prepare.sh b/hack/chainsaw/chainsaw-prepare.sh
@@ -6,7 +6,7 @@ set -e
 kind create cluster --name infra-deployments-chainsaw
 
 ## Install kyverno
-kustomize build components/kyverno/chainsaw | \
+kustomize build --enable-helm components/kyverno/chainsaw | \
   kubectl apply -f - --server-side
 
 ## wait for kyverno to rollout
