Merge pull request #464 from mojaloop/feat/kyverno

feat: kyverno chart

gitops/applications/base/kyverno/image-rewrite-policy.yaml

@@ -0,0 +1,86 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: redirect-dockerio-to-mirrorgcrio
+spec:
+  rules:
+    - name: redirect-dockerio-to-mirrorgcrio
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+              operations:
+                - CREATE
+                - UPDATE
+      exclude:
+        any:
+        - resources:
+            namespaces:
+            - istio-ingress-ext
+            - istio-ingress-int
+      mutate:
+        foreach:
+          - list: request.object.spec.containers[]
+            preconditions:
+              all:
+                - key: "{{ image_normalize(element.image) }}"
+                  operator: AnyIn
+                  value:
+                    - docker.io/*
+            patchStrategicMerge:
+              metadata:
+                annotations:
+                  kyverno/redirect-dockerio-to-mirrorgcrio: applied
+              spec:
+                containers:
+                  - name: "{{ element.name }}"
+                    env:
+                      - name: ORIGINAL_IMAGE
+                        value: "{{ element.image }}"
+                    image: 'mirror.gcr.io/{{ images.containers."{{element.name}}".path}}:{{images.containers."{{element.name}}".tag}}'
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: redirect-xpkgupboundio-to-ghcr
+spec:
+  rules:
+    - name: redirect-xpkgupboundio-to-ghcr
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+              operations:
+                - CREATE
+                - UPDATE
+      exclude:
+        any:
+        - resources:
+            namespaces:
+            - istio-ingress-ext
+            - istio-ingress-int
+      mutate:
+        foreach:
+          - list: request.object.spec.containers[]
+            preconditions:
+              all:
+                - key: "{{ image_normalize(element.image) }}"
+                  operator: AnyIn
+                  value:
+                    - xpkg.upbound.io/*
+                - key: "{{ element.image }}"
+                  operator: NotEquals
+                  value: "auto:latest"
+            patchStrategicMerge:
+              metadata:
+                annotations:
+                  kyverno/redirect-xpkgupboundio-to-ghcr: applied
+              spec:
+                containers:
+                  - name: "{{ element.name }}"
+                    env:
+                      - name: ORIGINAL_IMAGE
+                        value: "{{ element.image }}"
+                    image: 'ghcr.io/mojaloop/infra/{{ images.containers."{{element.name}}".path}}:{{images.containers."{{element.name}}".tag}}'

gitops/applications/base/kyverno/kustomization.yaml

@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - namespaces.yaml
+  - image-rewrite-policy.yaml
+
+helmCharts:
+  - name: kyverno
+    releaseName: kyverno
+    version: ${ARGOCD_ENV_kyverno_helm_version}
+    repo: https://kyverno.github.io/kyverno/
+    valuesFile: kyverno-values.yaml
+    namespace: ${ARGOCD_ENV_kyverno_namespace}

gitops/applications/base/kyverno/kyverno-values.yaml

@@ -0,0 +1,26 @@
+config:
+
+  # TODO
+  # If possible we should not watch and mutate kube-system but image rewrite likely needs it
+
+  # Enable Kyverno to touch resources in kube-system namespace
+  resourceFiltersExcludeNamespaces:
+  - kube-system
+
+  # Enable Kyverno to watch resources in kube-system namespace
+  webhooks:
+    namespaceSelector:
+      matchExpressions: {}
+
+reportsController:
+  rbac:
+    coreClusterRole:
+      extraResources:
+      - apiGroups:
+        - '*'
+        resources:
+        - '*'
+        verbs:
+        - get
+        - list
+        - watch

gitops/applications/base/kyverno/namespaces.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ${ARGOCD_ENV_kyverno_namespace}

gitops/applications/base/vault/vault-init-crs.yaml

@@ -81,7 +81,8 @@ spec:
       restartPolicy: OnFailure
       containers:
         - name: vault-client
-          image: hashicorp/vault
+          #TODO: this version tag needs another solution
+          image: hashicorp/vault:1.17.2
           command:
             - /bin/sh
             - "-c"
@@ -102,4 +103,3 @@ spec:
                   name: ${ARGOCD_ENV_tf_post_config_output_secret}
                   key: kv_path
 ---
-

gitops/applications/overlays/cloud_provider/aws/rook-ceph-cluster/pvc/ceph-cluster-crs.yaml

@@ -73,7 +73,7 @@ spec:
                     operator: In
                     values:
                       - rook-ceph-osd-prepare
-        resources:
+        #resources:
         # These are the OSD daemon limits. For OSD prepare limits, see the separate section below for "prepareosd" resources
         #   limits:
         #     memory: "4Gi"
@@ -92,7 +92,7 @@ spec:
               accessModes:
                 - ReadWriteOnce
     onlyApplyOSDPlacement: false
-  resources:
+  #resources:
   #  prepareosd:
   #    requests:
   #      cpu: "200m"
@@ -106,4 +106,4 @@ spec:
   disruptionManagement:
     managePodBudgets: true
     osdMaintenanceTimeout: 30
-    pgHealthCheckTimeout: 0
+    pgHealthCheckTimeout: 0

gitops/argo-apps/base/argocd-helm.yaml

@@ -35,7 +35,7 @@ spec:
 
   destination:
     server: "https://kubernetes.default.svc"
-    namespace: ${ARGOCD_ENV_utils_argocd_namespace}
+    namespace: ${ARGOCD_ENV_utils_argocd_helm_namespace}
 
   sources:
     - chart: argo-cd
@@ -428,6 +428,11 @@ spec:
               server.enable.proxy.extension: "true"
               reposerver.enable.git.submodule: "false"
               applicationsetcontroller.enable.git.submodule: "false"
+
+              #Enable Server-Side Diff so argocd play nicely with Kyverno mutating webhooks:
+              #https://argo-cd.readthedocs.io/en/stable/user-guide/diff-strategies/#mutation-webhooks
+              controller.diff.server.side: "true"
+
             cmp:
               create: true
               plugins:

gitops/argo-apps/base/kyverno.yaml

@@ -0,0 +1,43 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: ${ARGOCD_ENV_utils_kyverno_app_name}
+  namespace: ${ARGOCD_ENV_argocd_app_namespace}
+  annotations:
+    argocd.argoproj.io/sync-wave: ${ARGOCD_ENV_utils_sync_wave}
+
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+
+spec:
+  project: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    retry:
+      limit: 20
+      backoff:
+        duration: 10s
+        maxDuration: 3m0s
+        factor: 2
+    syncOptions:
+      - CreateNamespace=true
+      - PrunePropagationPolicy=foreground
+      - PruneLast=true
+      - ServerSideApply=true
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: ${ARGOCD_ENV_utils_kyverno_namespace}
+  source:
+    repoURL: ${ARGOCD_ENV_argocd_repo_url}
+    targetRevision: ${ARGOCD_ENV_utils_application_gitrepo_tag}
+    path: gitops/applications/base/kyverno
+    plugin:
+      name: envsubst
+      env:
+        - name: "kyverno_namespace"
+          value: "${ARGOCD_ENV_utils_kyverno_namespace}"
+
+        - name: "kyverno_helm_version"
+          value: "${ARGOCD_ENV_utils_kyverno_helm_version}"

gitops/argo-apps/base/netbird.yaml

@@ -27,7 +27,7 @@ spec:
       - PruneLast=true
   destination:
     server: "https://kubernetes.default.svc"
-    namespace: ${ARGOCD_ENV_security_namespace}
+    namespace: ${ARGOCD_ENV_security_netbird_namespace}
 
   source:
     repoURL: ${ARGOCD_ENV_argocd_repo_url}

gitops/argo-apps/overlays/local/root/kustomization.yaml

@@ -51,4 +51,6 @@ resources:
   - ../../../base/monitoring.yaml
   - ../../../base/monitoring-post-config.yaml
   # k8s
-  - ../../../base/k8s-post-config.yaml
+  - ../../../base/k8s-post-config.yaml
+  # kyverno
+  - ../../../base/kyverno.yaml

terraform/ccnew/ansible-k8s-deploy/templates/argoapps.yaml.tpl

@@ -1,6 +1,6 @@
 argocd_override:
   initial_application_gitrepo_tag: "${iac_terraform_modules_tag}"
-  apps:        
+  apps:
     utils:
       application_gitrepo_tag: "${iac_terraform_modules_tag}"
       sub_apps:
@@ -56,10 +56,12 @@ argocd_override:
           vault_crossplane_modules_version: "${vault_crossplane_modules_version}"
           terraform_crossplane_modules_version: "${terraform_crossplane_modules_version}"
           ansible_crossplane_modules_version: "${ansible_crossplane_modules_version}"
-          aws_crossplane_module_version:  "${aws_crossplane_module_version}"          
+          aws_crossplane_module_version:  "${aws_crossplane_module_version}"
           crossplane_func_pat_version: "${crossplane_func_pat_version}"
           k8s_crossplane_module_version: "${k8s_crossplane_module_version}"
           crossplane_func_go_templating_version: "${crossplane_func_go_templating_version}"
+        kyverno:
+          helm_version: "${kyverno_helm_version}"
     maintenance:
       application_gitrepo_tag: "${iac_terraform_modules_tag}"
       sub_apps:
@@ -126,7 +128,7 @@ argocd_override:
           postgres_replicas: "${zitadel_perc_postgres_replicas}"
           postgres_proxy_replicas: "${zitadel_perc_postgres_proxy_replicas}"
           postgres_storage_size: "${zitadel_perc_postgres_storage_size}"
-          pgdb_helm_version: "${zitadel_perc_pgdb_helm_version}"          
+          pgdb_helm_version: "${zitadel_perc_pgdb_helm_version}"
         zitadel_rds_provider:
           engine: "${zitadel_rds_engine}"
           engine_version: "${zitadel_rds_engine_version}"
@@ -142,8 +144,8 @@ argocd_override:
           backup_retention_period: "${zitadel_db_backup_retention_period}"
           preferred_backup_window: "${zitadel_db_preferred_backup_window}"
           storage_type: "${zitadel_rds_storage_type}"
-          storage_iops: "${zitadel_rds_storage_iops}"       
-        zitadel_cockroachdb_provider:                    
+          storage_iops: "${zitadel_rds_storage_iops}"
+        zitadel_cockroachdb_provider:
           helm_version: "${cockroachdb_helm_version}"
           pvc_size: "${zitadel_db_storage_size}"
         netbird:
@@ -162,21 +164,21 @@ argocd_override:
           rdbms_provider: "${netbird_rdbms_provider}"
         netbird_percona_provider:
           postgres_replicas: "${netbird_perc_postgres_replicas}"
-          postgres_proxy_replicas: "${netbird_perc_postgres_proxy_replicas}"          
+          postgres_proxy_replicas: "${netbird_perc_postgres_proxy_replicas}"
           postgres_storage_size: "${netbird_perc_postgres_storage_size}"
           pgdb_helm_version: "${netbird_perc_pgdb_helm_version}"
         netbird_rds_provider:
           engine: "${netbird_rds_engine}"
           engine_version: "${netbird_rds_engine_version}"
-          replica_count: "${netbird_rds_replica_count}"                     
+          replica_count: "${netbird_rds_replica_count}"
           postgres_instance_class: "${netbird_rds_instance_class}"
           storage_encrypted: "${netbird_rds_storage_encrypted}"
-          skip_final_snapshot: "${netbird_rds_skip_final_snapshot}"        
+          skip_final_snapshot: "${netbird_rds_skip_final_snapshot}"
           rdbms_subnet_list: "${join(",", rdbms_subnet_list)}"
           db_provider_cloud_region: "${cloud_region}"
           rdbms_vpc_id: "${rdbms_vpc_id}"
           vpc_cidr: "${vpc_cidr}"
-          postgres_storage_size: "${netbird_rds_postgres_storage_size}"         
+          postgres_storage_size: "${netbird_rds_postgres_storage_size}"
           backup_retention_period: "${netbird_db_backup_retention_period}"
           preferred_backup_window: "${netbird_db_preferred_backup_window}"
           storage_type: "${netbird_rds_storage_type}"
@@ -192,7 +194,7 @@ argocd_override:
           cpu_limit: "${nexus_cpu_limit}"
           memory_limit: "${nexus_memory_limit}"
           cpu_request: "${nexus_cpu_request}"
-          memory_request: "${nexus_memory_request}"          
+          memory_request: "${nexus_memory_request}"
         post_config:
           ansible_collection_tag: "${nexus_ansible_collection_tag}"
 
@@ -232,23 +234,23 @@ argocd_override:
           redis_cluster_size: "${gitlab_redis_cluster_size}"
           redis_storage_size: "${gitlab_redis_storage_size}"
           rdbms_provider: "${gitlab_postgres_rdbms_provider}"
-        webdb_percona_provider:            
+        webdb_percona_provider:
           postgres_replicas: "${gitlab_perc_postgres_replicas}"
           postgres_proxy_replicas: "${gitlab_perc_postgres_proxy_replicas}"
           postgres_storage_size: "${gitlab_perc_postgres_storage_size}"
           pgdb_helm_version: "${gitlab_perc_pgdb_helm_version}"
         praefectdb_percona_provider:
           postgres_replicas: "${praefect_perc_postgres_replicas}"
-          postgres_proxy_replicas: "${praefect_perc_postgres_proxy_replicas}"          
+          postgres_proxy_replicas: "${praefect_perc_postgres_proxy_replicas}"
           postgres_storage_size: "${praefect_perc_postgres_storage_size}"
           pgdb_helm_version: "${praefect_perc_pgdb_helm_version}"
         webdb_rds_provider:
           engine: "${gitlab_rds_engine}"
           engine_version: "${gitlab_rds_engine_version}"
-          replica_count: "${gitlab_rds_replica_count}"          
+          replica_count: "${gitlab_rds_replica_count}"
           postgres_instance_class: "${gitlab_rds_instance_class}"
           storage_encrypted: "${gitlab_rds_storage_encrypted}"
-          skip_final_snapshot: "${gitlab_rds_skip_final_snapshot}"        
+          skip_final_snapshot: "${gitlab_rds_skip_final_snapshot}"
           rdbms_subnet_list: "${join(",", rdbms_subnet_list)}"
           db_provider_cloud_region: "${cloud_region}"
           rdbms_vpc_id: "${rdbms_vpc_id}"
@@ -261,21 +263,21 @@ argocd_override:
         praefectdb_rds_provider:
           engine: "${praefect_rds_engine}"
           engine_version: "${praefect_rds_engine_version}"
-          replica_count: "${praefect_rds_replica_count}"                     
+          replica_count: "${praefect_rds_replica_count}"
           postgres_instance_class: "${praefect_rds_instance_class}"
           storage_encrypted: "${praefect_rds_storage_encrypted}"
-          skip_final_snapshot: "${praefect_rds_skip_final_snapshot}"        
+          skip_final_snapshot: "${praefect_rds_skip_final_snapshot}"
           rdbms_subnet_list: "${join(",", rdbms_subnet_list)}"
           db_provider_cloud_region: "${cloud_region}"
           rdbms_vpc_id: "${rdbms_vpc_id}"
           vpc_cidr: "${vpc_cidr}"
-          postgres_storage_size: "${praefect_rds_postgres_storage_size}"         
+          postgres_storage_size: "${praefect_rds_postgres_storage_size}"
           backup_retention_period: "${praefect_db_backup_retention_period}"
           preferred_backup_window: "${praefect_db_preferred_backup_window}"
           storage_type: "${praefect_rds_storage_type}"
           storage_iops: "${praefect_rds_storage_iops}"
 
-          
+
     deploy_env:
       application_gitrepo_tag: "${iac_terraform_modules_tag}"
       sub_apps:
@@ -286,7 +288,7 @@ argocd_override:
           ceph_bucket_max_size:  "${ceph_bucket_max_size}"
           env_token_ttl: "${env_token_ttl}"
         onboard:
-          terraform_modules_tag: "${iac_terraform_modules_tag}"          
+          terraform_modules_tag: "${iac_terraform_modules_tag}"
 
 
     monitoring: