chore(chart-deps): update policy-reporter to version 3.7.0 (#2746)

Author: svcAPLBot

chart/chart-index/Chart.yaml

@@ -88,7 +88,7 @@ dependencies:
     version: 0.99.1
     repository: https://open-telemetry.github.io/opentelemetry-helm-charts
   - name: policy-reporter
-    version: 3.5.0
+    version: 3.7.0
     repository: https://kyverno.github.io/policy-reporter
   - name: prometheus-blackbox-exporter
     version: 11.5.0

charts/policy-reporter/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 3.5.0
+appVersion: 3.6.0
 description: 'Policy Reporter watches for PolicyReport Resources. It creates Prometheus
   Metrics and can send rule validation events to different targets like Loki, Elasticsearch,
   Slack or Discord '
@@ -12,4 +12,4 @@ name: policy-reporter
 sources:
 - https://github.com/kyverno/policy-reporter
 type: application
-version: 3.5.0
+version: 3.7.0

charts/policy-reporter/README.md

@@ -3,7 +3,7 @@
 Policy Reporter watches for PolicyReport Resources.
 It creates Prometheus Metrics and can send rule validation events to different targets like Loki, Elasticsearch, Slack or Discord
 
-![Version: 3.5.0](https://img.shields.io/badge/Version-3.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.5.0](https://img.shields.io/badge/AppVersion-3.5.0-informational?style=flat-square)
+![Version: 3.7.0](https://img.shields.io/badge/Version-3.7.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.6.0](https://img.shields.io/badge/AppVersion-3.6.0-informational?style=flat-square)
 
 ## Documentation
 
@@ -87,6 +87,12 @@ Open `http://localhost:8082/` in your browser.
 | ingress.annotations | object | `{}` | Annotations for the Ingress |
 | ingress.hosts | string | `nil` | Ingress host list |
 | ingress.tls | list | `[]` | Ingress tls list |
+| httproute.enabled | bool | `false` | Enable HTTPRoute resource (Gateway API alternative to Ingress) Requires Gateway API CRDs (v1) installed in cluster https://gateway-api.sigs.k8s.io/ |
+| httproute.labels | object | `{}` | Additional HTTPRoute labels |
+| httproute.annotations | object | `{}` | Additional HTTPRoute annotations |
+| httproute.parentRefs | list | `[]` | Gateway API parentRefs (list of Gateway references) Must reference an existing Gateway resource |
+| httproute.hostnames | list | `[]` | List of hostnames for HTTPRoute |
+| httproute.rules | list | `[{"matches":[{"path":{"type":"PathPrefix","value":"/"}}]}]` | HTTPRoute rules configuration Allows advanced routing with matches and filters |
 | logging.server | bool | `false` | Enables server access logging |
 | logging.encoding | string | `"console"` | Log encoding possible encodings are console and json |
 | logging.logLevel | int | `0` | Log level default info |
@@ -99,14 +105,10 @@ Open `http://localhost:8082/` in your browser.
 | worker | int | `5` | Amount of queue workers for Report resource processing |
 | reportFilter | object | `{}` | Filter Report resources to process |
 | sourceConfig | list | `[]` | Customize source specific logic like result ID generation |
-| sourceFilters[0].selector.source | string | `"kyverno"` | select Report by source |
+| sourceFilters[0].selector.sources | list | `["kyverno","KyvernoValidatingPolicy","KyvernoImageValidatingPolicy"]` | select Report by source |
 | sourceFilters[0].uncontrolledOnly | bool | `true` | Filter out Reports of controlled Pods and Jobs, only works for Reports with scope resource |
 | sourceFilters[0].disableClusterReports | bool | `false` | Filter out cluster scoped Reports |
 | sourceFilters[0].kinds | object | `{"exclude":["ReplicaSet"]}` | Filter out Reports based on the scope resource kind |
-| sourceFilters[1].selector.source | string | `"KyvernoValidatingPolicy"` | select Report by source |
-| sourceFilters[1].uncontrolledOnly | bool | `true` | Filter out Reports of controlled Pods and Jobs, only works for Reports with scope resource |
-| sourceFilters[1].disableClusterReports | bool | `false` | Filter out cluster scoped Reports |
-| sourceFilters[1].kinds | object | `{"exclude":["ReplicaSet"]}` | Filter out Reports based on the scope resource kind |
 | global.labels | object | `{}` | additional labels added on each resource |
 | basicAuth.username | string | `""` | HTTP BasicAuth username |
 | basicAuth.password | string | `""` | HTTP BasicAuth password |
@@ -387,7 +389,8 @@ Open `http://localhost:8082/` in your browser.
 | ui.image.registry | string | `"ghcr.io"` | Image registry |
 | ui.image.repository | string | `"kyverno/policy-reporter-ui"` | Image repository |
 | ui.image.pullPolicy | string | `"IfNotPresent"` | Image PullPolicy |
-| ui.image.tag | string | `"2.4.3"` | Image tag |
+| ui.image.tag | string | `"2.5.0"` | Image tag |
+| ui.crds.customBoard | bool | `false` | Install UI CustomBoard CRDs |
 | ui.replicaCount | int | `1` | Deployment replica count |
 | ui.priorityClassName | string | `""` | Deployment priorityClassName |
 | ui.logging.api | bool | `false` | Enables external api request logging |
@@ -459,6 +462,12 @@ Open `http://localhost:8082/` in your browser.
 | ui.ingress.annotations | object | `{}` | Ingress annotations. |
 | ui.ingress.hosts | list | `[]` | List of ingress host configurations. |
 | ui.ingress.tls | list | `[]` | List of ingress TLS configurations. |
+| ui.httproute.enabled | bool | `false` | Enable HTTPRoute resource (Gateway API alternative to Ingress) Requires Gateway API CRDs (v1) installed in cluster https://gateway-api.sigs.k8s.io/ |
+| ui.httproute.labels | object | `{}` | Additional HTTPRoute labels |
+| ui.httproute.annotations | object | `{}` | Additional HTTPRoute annotations |
+| ui.httproute.parentRefs | list | `[]` | Gateway API parentRefs (list of Gateway references) Must reference an existing Gateway resource |
+| ui.httproute.hostnames | list | `[]` | List of hostnames for HTTPRoute |
+| ui.httproute.rules | list | `[{"matches":[{"path":{"type":"PathPrefix","value":"/"}}]}]` | HTTPRoute rules configuration Allows advanced routing with matches and filters |
 | ui.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
 | ui.networkPolicy.egress | list | `[{"ports":[{"port":6443,"protocol":"TCP"}]}]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. Enables Kubernetes API Server by default |
 | ui.networkPolicy.ingress | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
@@ -476,7 +485,7 @@ Open `http://localhost:8082/` in your browser.
 | plugin.kyverno.image.registry | string | `"ghcr.io"` | Image registry |
 | plugin.kyverno.image.repository | string | `"kyverno/policy-reporter/kyverno-plugin"` | Image repository |
 | plugin.kyverno.image.pullPolicy | string | `"IfNotPresent"` | Image PullPolicy |
-| plugin.kyverno.image.tag | string | `"0.5.1"` | Image tag |
+| plugin.kyverno.image.tag | string | `"0.5.2"` | Image tag |
 | plugin.kyverno.replicaCount | int | `1` | Deployment replica count |
 | plugin.kyverno.priorityClassName | string | `""` | Deployment priorityClassName |
 | plugin.kyverno.logging.api | bool | `false` | Enables external API request logging |
@@ -523,6 +532,12 @@ Open `http://localhost:8082/` in your browser.
 | plugin.kyverno.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
 | plugin.kyverno.networkPolicy.egress | list | `[{"ports":[{"port":6443,"protocol":"TCP"}]}]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. Enables Kubernetes API Server by default |
 | plugin.kyverno.networkPolicy.ingress | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
+| plugin.kyverno.httproute.enabled | bool | `false` | Enable HTTPRoute resource (Gateway API alternative to Ingress) Requires Gateway API CRDs (v1) installed in cluster https://gateway-api.sigs.k8s.io/ |
+| plugin.kyverno.httproute.labels | object | `{}` | Additional HTTPRoute labels |
+| plugin.kyverno.httproute.annotations | object | `{}` | Additional HTTPRoute annotations |
+| plugin.kyverno.httproute.parentRefs | list | `[]` | Gateway API parentRefs (list of Gateway references) Must reference an existing Gateway resource |
+| plugin.kyverno.httproute.hostnames | list | `[]` | List of hostnames for HTTPRoute |
+| plugin.kyverno.httproute.rules | list | `[{"matches":[{"path":{"type":"PathPrefix","value":"/"}}]}]` | HTTPRoute rules configuration Allows advanced routing with matches and filters |
 | plugin.kyverno.resources | object | `{}` | Resource constraints |
 | plugin.kyverno.leaderElection.lockName | string | `"kyverno-plugin"` | Lock Name |
 | plugin.kyverno.leaderElection.releaseOnCancel | bool | `true` | Released lock when the run context is cancelled. |
@@ -542,7 +557,7 @@ Open `http://localhost:8082/` in your browser.
 | plugin.trivy.image.registry | string | `"ghcr.io"` | Image registry |
 | plugin.trivy.image.repository | string | `"kyverno/policy-reporter/trivy-plugin"` | Image repository |
 | plugin.trivy.image.pullPolicy | string | `"IfNotPresent"` | Image PullPolicy |
-| plugin.trivy.image.tag | string | `"0.4.10"` | Image tag Defaults to `Chart.AppVersion` if omitted |
+| plugin.trivy.image.tag | string | `"0.4.11"` | Image tag Defaults to `Chart.AppVersion` if omitted |
 | plugin.trivy.cli.image.registry | string | `"ghcr.io"` | Image registry |
 | plugin.trivy.cli.image.repository | string | `"aquasecurity/trivy"` | Image repository |
 | plugin.trivy.cli.image.pullPolicy | string | `"IfNotPresent"` | Image PullPolicy |

charts/policy-reporter/configs/ui.tmpl

@@ -20,6 +20,9 @@ ui:
     path: {{ .Values.ui.logo.path }}
     disabled: {{ .Values.ui.logo.disabled }}
 
+crds:
+  customBoard: {{ .Values.ui.crds.customBoard }}
+
 {{- $default := false -}}
 {{- range .Values.ui.clusters }}
     {{- if eq .name $.Values.ui.name -}}

charts/policy-reporter/templates/cluster-secret.yaml

@@ -28,6 +28,8 @@ data:
   {{- if .Values.plugin.kyverno.enabled }}
   {{- $host := printf "http://%s:%d" (include "kyverno-plugin.fullname" .) (.Values.plugin.kyverno.service.port | int) }}
   plugin.kyverno: {{ (printf "{\"host\":\"%s\", \"name\":\"kyverno\", \"username\":\"%s\", \"password\":\"%s\"}" $host $username $password) | b64enc }}
+  plugin.kyverno.vpol: {{ (printf "{\"host\":\"%s/vpol\", \"name\":\"KyvernoValidatingPolicy\", \"username\":\"%s\", \"password\":\"%s\"}" $host $username $password) | b64enc }}
+  plugin.kyverno.ivpol: {{ (printf "{\"host\":\"%s/ivpol\", \"name\":\"KyvernoImageValidatingPolicy\", \"username\":\"%s\", \"password\":\"%s\"}" $host $username $password) | b64enc }}
   {{- end }}
   {{- if .Values.plugin.trivy.enabled }}
   {{- $host := printf "http://%s:%d/vulnr" (include "trivy-plugin.fullname" .) (.Values.plugin.trivy.service.port | int) }}

charts/policy-reporter/templates/clusterrole.yaml

@@ -23,7 +23,7 @@ rules:
   - list
   - watch
 - apiGroups:
-  - '*'
+  - wgpolicyk8s.io
   resources:
   - policyreports
   - policyreports/status

charts/policy-reporter/templates/httproute.yaml

@@ -0,0 +1,49 @@
+{{- if .Values.httproute.enabled -}}
+{{- $fullName := include "policyreporter.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: {{ $fullName }}
+  namespace: {{ include "policyreporter.namespace" . }}
+  labels:
+    {{- include "policyreporter.labels" . | nindent 4 }}
+    {{- if .Values.httproute.labels }}
+    {{- with .Values.httproute.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
+  {{- if or .Values.annotations .Values.httproute.annotations }}
+  annotations:
+  {{- with .Values.httproute.annotations }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- end }}
+spec:
+  {{- with .Values.httproute.parentRefs }}
+  parentRefs:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.httproute.hostnames }}
+  hostnames:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  rules:
+    {{- range .Values.httproute.rules }}
+    - {{- with .matches }}
+      matches:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .filters }}
+      filters:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      backendRefs:
+        - name: {{ $fullName }}
+          port: {{ $svcPort }}
+          weight: 1
+    {{- end }}
+{{- end }}

charts/policy-reporter/templates/monitoring/overview.dashboard.yaml

@@ -686,6 +686,7 @@ data:
     },
     "timezone": "",
     "title": "PolicyReports",
+    "uid": "BwFdLVeHJ",
     "version": 1
     }
 {{- end }}

charts/policy-reporter/templates/plugins/kyverno/clusterrole.yaml

@@ -9,7 +9,17 @@ metadata:
   name: {{ include "kyverno-plugin.fullname" . }}
 rules:
 - apiGroups:
-  - '*'
+  - policies.kyverno.io
+  resources:
+  - validatingpolicies
+  - validatingpolicies/status
+  - imagevalidatingpolicies
+  - imagevalidatingpolicies/status
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - kyverno.io
   resources:
   - policies
   - policies/status
@@ -28,7 +38,7 @@ rules:
   - list
   - watch
 - apiGroups:
-  - '*'
+  - wgpolicyk8s.io
   resources:
   - policyreports
   - policyreports/status

charts/policy-reporter/templates/plugins/kyverno/httproute.yaml

@@ -0,0 +1,44 @@
+{{- if .Values.plugin.kyverno.enabled -}}
+{{- if .Values.plugin.kyverno.httproute.enabled -}}
+{{- $fullName := include "kyverno-plugin.fullname" . -}}
+{{- $svcPort := .Values.plugin.kyverno.service.port -}}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: {{ $fullName }}
+  namespace: {{ include "policyreporter.namespace" . }}
+  labels:
+    {{- include "kyverno-plugin.labels" . | nindent 4 }}
+    {{- with .Values.plugin.kyverno.httproute.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.plugin.kyverno.httproute.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- with .Values.plugin.kyverno.httproute.parentRefs }}
+  parentRefs:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.plugin.kyverno.httproute.hostnames }}
+  hostnames:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  rules:
+    {{- range .Values.plugin.kyverno.httproute.rules }}
+    - {{- with .matches }}
+      matches:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .filters }}
+      filters:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      backendRefs:
+        - name: {{ $fullName }}
+          port: {{ $svcPort }}
+          weight: 1
+    {{- end }}
+{{- end }}
+{{- end }}