
feat: Add Rancher Helm charts for policies

Open viccuad opened this issue 2 years ago • 1 comments

Description

Partial implementation of https://github.com/kubewarden/rfc/pull/12.

Several Helm charts for several policies, ranging from complex policy settings to simple ones.

Test

To test, install Rancher and then add the Kubewarden charts from the UI:

minikube start --kubernetes-version=v1.23.9
minikube addons enable ingress

kubectl create namespace cattle-system

# Chart repositories referenced by the helm install commands below
helm repo add jetstack https://charts.jetstack.io
helm repo add rancher-latest https://releases.rancher.com/server-charts/latest
helm repo update

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.7.2/cert-manager.crds.yaml

helm install --wait \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.7.1

helm install rancher rancher-latest/rancher \
  --namespace cattle-system \
  --set hostname=rancher.local \
  --set replicas=1 \
  --set bootstrapPassword=password

# rancher.local is in /etc/hosts, matching the minikube ip

With Rancher deployed, install kubewarden-controller and then kubewarden-defaults from a GH repo in Rancher Explorer UI with: https://github.com/kubewarden/helm-charts.git and branch rancher-1.1.

Then, add another repo matching this PR (https://github.com/kubewarden/helm-charts.git and branch rancher-policies), and you can install the policies from there.

Additional Information

Tradeoff

There is duplicated logic both in questions.yaml and templates/policy.yaml, to work around bug https://github.com/rancher/dashboard/issues/6811.

Potential improvement

  • Make policy charts depend on requires-gvr: "policyservers.policies.kubewarden.io/v1", which is provided by kubewarden-controller chart. But, it doesn't seem to work.
  • Mark all the policy charts as hidden, and provide a keywords: ["kubewarden-policies"] or such, so they can be installed through Kubewarden UI using a tailored approach for them.

viccuad avatar Sep 07 '22 13:09 viccuad

Thanks for the review @aiyengar2! Could you have a quick look again?

viccuad avatar Sep 22 '22 11:09 viccuad

Given that policies now have the questions.yaml included in the metadata.yaml programmatically, and that we can direct the Kubewarden UI to consume blessed policies from different places besides ArtifactHub, I don't think it's needed to keep this as an example anymore.

Closing!

viccuad avatar Jul 10 '23 10:07 viccuad