support excluding namespaces in helm chart (#564)

sami-alajrami · web-flow · commit 8b006043a78f · 2025-10-23T12:56:03.000+02:00
diff --git a/charts/k8s-reporter/Chart.yaml b/charts/k8s-reporter/Chart.yaml
@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.10.0
+version: 1.11.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "2.11.15"
+appVersion: "2.11.27"
diff --git a/charts/k8s-reporter/templates/_validations.tpl b/charts/k8s-reporter/templates/_validations.tpl
@@ -5,4 +5,25 @@ Validate that namespacesRegex is not used with namespace-scoped permissions
 {{- if and (eq .Values.serviceAccount.permissionScope "namespace") (ne .Values.reporterConfig.namespacesRegex "") -}}
 {{- fail "namespacesRegex cannot be used with namespace-scoped permissions (serviceAccount.permissionScope: namespace). namespacesRegex requires cluster-wide permissions." -}}
 {{- end -}}
+{{- end -}}
+
+{{/*
+Validate that excludeNamespacesRegex is not used with namespace-scoped permissions
+*/}}
+{{- define "k8s-reporter.validateExcludeNamespacesRegex" -}}
+{{- if and (eq .Values.serviceAccount.permissionScope "namespace") (ne .Values.reporterConfig.excludeNamespacesRegex "") -}}
+{{- fail "excludeNamespacesRegex cannot be used with namespace-scoped permissions (serviceAccount.permissionScope: namespace). excludeNamespacesRegex requires cluster-wide permissions." -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Validate that exclude options are not combined with include options
+*/}}
+{{- define "k8s-reporter.validateExcludeOptions" -}}
+{{- if and (ne .Values.reporterConfig.namespaces "") (or (ne .Values.reporterConfig.excludeNamespaces "") (ne .Values.reporterConfig.excludeNamespacesRegex "")) -}}
+{{- fail "excludeNamespaces and excludeNamespacesRegex cannot be combined with namespaces. Use either include (namespaces/namespacesRegex) or exclude (excludeNamespaces/excludeNamespacesRegex) options, but not both." -}}
+{{- end -}}
+{{- if and (ne .Values.reporterConfig.namespacesRegex "") (or (ne .Values.reporterConfig.excludeNamespaces "") (ne .Values.reporterConfig.excludeNamespacesRegex "")) -}}
+{{- fail "excludeNamespaces and excludeNamespacesRegex cannot be combined with namespacesRegex. Use either include (namespaces/namespacesRegex) or exclude (excludeNamespaces/excludeNamespacesRegex) options, but not both." -}}
+{{- end -}}
 {{- end -}} 
diff --git a/charts/k8s-reporter/templates/cronjob.yaml b/charts/k8s-reporter/templates/cronjob.yaml
@@ -1,4 +1,6 @@
 {{- include "k8s-reporter.validateNamespacesRegex" . -}}
+{{- include "k8s-reporter.validateExcludeNamespacesRegex" . -}}
+{{- include "k8s-reporter.validateExcludeOptions" . -}}
 apiVersion: batch/v1
 kind: CronJob
 metadata:
@@ -57,6 +59,12 @@ spec:
               {{ else if .Values.reporterConfig.namespacesRegex }}
               - name: KOSLI_NAMESPACES_REGEX
                 value: {{ .Values.reporterConfig.namespacesRegex | quote }}
+              {{ else if .Values.reporterConfig.excludeNamespaces }}
+              - name: KOSLI_EXCLUDE_NAMESPACES
+                value: {{ .Values.reporterConfig.excludeNamespaces | quote }}
+              {{ else if .Values.reporterConfig.excludeNamespacesRegex }}
+              - name: KOSLI_EXCLUDE_NAMESPACES_REGEX
+                value: {{ .Values.reporterConfig.excludeNamespacesRegex | quote }}
               {{ end }}
 
               {{- range $key, $value :=  .Values.env }}
diff --git a/charts/k8s-reporter/values.yaml b/charts/k8s-reporter/values.yaml
@@ -8,7 +8,7 @@ image:
   # -- the kosli reporter image pull policy
   pullPolicy: IfNotPresent
   # -- the kosli reporter image tag, overrides the image tag whose default is the chart appVersion.
-  tag: "v2.11.17"
+  tag: "v2.11.27"
 
 # -- overrides the name used for the created k8s resources. If `fullnameOverride` is provided, it has higher precedence than this one
 nameOverride: ""
@@ -44,15 +44,29 @@ reporterConfig:
   # -- the name of Kosli environment that the k8s cluster/namespace correlates to
   kosliEnvironmentName: ""
   # -- the namespaces to scan and report.
+  # Cannot be combined with excludeNamespaces or excludeNamespacesRegex.
   # It is a comma separated list of namespace names.
   # leave this and namespacesRegex unset if you want to report what is running in the entire cluster
   namespaces: ""
   # -- the namespaces Regex patterns to scan and report.
   # Does not have effect if namespaces is set.
   # Requires cluster-wide permissions.
+  # Cannot be combined with excludeNamespaces or excludeNamespacesRegex.
   # It is a comma separated list of namespace regex patterns.
   # leave this and namespaces unset if you want to report what is running in the entire cluster
   namespacesRegex: ""
+  # -- the namespaces to exclude from scanning and reporting.
+  # Cannot be combined with namespaces or namespacesRegex.
+  # It is a comma separated list of namespace names.
+  # leave this and excludeNamespacesRegex unset if you want to report what is running in the entire cluster
+  excludeNamespaces: ""
+  # -- the namespaces Regex patterns to exclude from scanning and reporting.
+  # Does not have effect if excludeNamespaces is set.
+  # Cannot be combined with namespaces or namespacesRegex.
+  # Requires cluster-wide permissions.
+  # It is a comma separated list of namespace regex patterns.
+  # leave this and excludeNamespaces unset if you want to report what is running in the entire cluster
+  excludeNamespacesRegex: ""
   # -- whether the dry run mode is enabled or not. In dry run mode, the reporter logs the reports to stdout and does not send them to kosli.
   dryRun: false
   # -- the http proxy url
diff --git a/cmd/kosli/archiveEnvironment_test.go b/cmd/kosli/archiveEnvironment_test.go
@@ -36,10 +36,10 @@ func (suite *ArchiveEnvironmentCommandTestSuite) TestArchiveEnvironmentCmd() {
 			golden: "environment archive-environment was archived\n",
 		},
 		{
-			wantError: true,
-			name:      "archiving non-existing environment fails",
-			cmd:       fmt.Sprintf(`archive environment non-existing %s`, suite.defaultKosliArguments),
-			golden:    "Error: Environment named 'non-existing' does not exist for organization 'docs-cmd-test-user'. \n",
+			wantError:   true,
+			name:        "archiving non-existing environment fails",
+			cmd:         fmt.Sprintf(`archive environment non-existing %s`, suite.defaultKosliArguments),
+			goldenRegex: "^Error: Environment named 'non-existing' does not exist for organization 'docs-cmd-test-user'",
 		},
 		{
 			wantError: true,
