feat: Add HA settings to Rancher UI questions (#425)
Signed-off-by: Víctor Cuadrado Juan <[email protected]>
viccuad authored Apr 17, 2024
1 parent 8874bc2 commit 9ef5ab2
Showing 2 changed files with 80 additions and 39 deletions.
46 changes: 31 additions & 15 deletions charts/kubewarden-controller/questions.yaml
@@ -1,6 +1,7 @@
# This is a Rancher questions file
---
questions:
# Audit checks:
- variable: "auditScanner.enable"
type: boolean
default: false
@@ -10,28 +11,25 @@ questions:
The Background Audit Check looks at existing Kubernetes resources and
periodically determines whether they are still compliant with regards to the
policies that are currently defined.
group: "Features"
group: "Audit checks"
- variable: "auditScanner.cronJob.schedule"
type: string
default: "*/60 * * * *"
show_if: auditScanner.enable=true
label: Schedule
description: |
Schedule of the Background Audit check. Follows the Unix-cron syntax.
group: "Features"
- variable: "auditScanner.store"
group: "Audit checks"
- variable: "auditScanner.disableStore"
show_if: auditScanner.enable=true
type: enum
options:
- "kubernetes"
- "memory"
default: "kubernetes"
label: Store
type: boolean
default: false
label: Don't store (Cluster)PolicyReports in etcd
description: |
Configures where (Cluster)PolicyReports are stored.
It can be either "kubernetes" (use Kubernetes/etcd) or "memory" (use in-memory cache).
Note that you may need to adjust `resources.auditScanner` when using memory store.
group: "Features"
If true, (Cluster)PolicyReports are not stored in etcd but using an in-memory cache.
Note that you may need to adjust `resources.auditScanner` when using the
in-memory store.
group: "Audit checks"
- variable: "auditScanner.serviceAccountName"
type: string
default: "audit-scanner"
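Review bot: the new `auditScanner.disableStore` question is a negated boolean with a negated label (`Don't store (Cluster)PolicyReports in etcd`), so `default: false` means "store in etcd", which is easy to misread in a form. A positive label that names the setting's effect (for example "Keep (Cluster)PolicyReports in memory only") would read more clearly. The description sentence "are not stored in etcd but using an in-memory cache" also does not parse; something like "are kept in an in-memory cache instead of being stored in etcd" would. Finally, replacing the `auditScanner.store` enum with this boolean is not mentioned in the commit message, whose subject covers only HA settings; a line in the message would help anyone tracing when the question changed.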
@@ -42,7 +40,7 @@ questions:
"view" (allows read-only access to most objects in a namespace, does not
allow viewing secrets, roles or role bindings), and "audit-scanner-cluster-role"
(allows read-write to Kubewarden resources and PolicyReports).
group: "Features"
group: "Audit checks"
- variable: "auditScanner.policyReporter"
type: boolean
default: false
@@ -51,7 +49,24 @@ questions:
description: |
Policy reporter is a UI to visualize the reports generated by Background
Audit checks
group: "Features"
group: "Audit checks"
- variable: "auditScanner.skipAdditionalNamespaces"
type: array[
show_if: auditScanner.enable=true
label: Additional namespaces to skip from audit
description: |
Additional namespaces that the audit scanner will not scan.
group: "Audit checks"
# controller HA:
- variable: "replicas"
type: integer
default: 1
required: true
label: Number of replicas
description: |
Number of replicas of the Controller Deployment
group: "Controller HA"
# Certificates:
- variable: tls.source
default: "cert-manager-self-signed"
description: "Source for TLS certificates"
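Review bot: `type: array[` on the new `auditScanner.skipAdditionalNamespaces` question has an unclosed bracket and names no element type. If that literal is what the UI expects, a short comment saying so would stop it being "fixed" later; otherwise complete the type. The question also carries no `default`, unlike the other entries in the "Audit checks" group. Since this list exempts namespaces from the audit scan, the description could say that explicitly so the effect of adding an entry is clear to whoever fills in the form. On `replicas`, `required: true` with `default: 1` does not bound the value; if the questions schema supports a minimum, set one so the "Controller HA" group cannot submit 0.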
@@ -71,6 +86,7 @@ questions:
Name of cert-manager Issuer
group: "Certificates"
show_if: "tls.source=cert-manager"
# Telemetry:
- variable: "telemetry.metrics.enabled"
type: boolean
default: false
73 changes: 49 additions & 24 deletions charts/kubewarden-defaults/questions.yaml
@@ -1,27 +1,52 @@
# This is a Rancher questions file
---
questions:
# Recommended policies questions:
- variable: "recommendedPolicies.enabled"
type: boolean
default: false
required: true
label: Enable recommended policies
description: |
Whether the recommended policies are enabled or not. Recommended
policies are a minimum set of policies that secure your cluster and
Kubewarden, while leaving the system namespaces untouched.
group: Settings
- variable: "recommendedPolicies.defaultPolicyMode"
type: enum
options:
- "monitor"
- "protect"
default: "monitor"
show_if: recommendedPolicies.enabled=true
label: Execution mode of the recommended policies
description: |
Execution mode of the recommended policies. "protect" will reject requests,
"monitor" will log them. Transitioning from "monitor" to "protect" is
allowed, but not from "protect" to "monitor".
group: Settings
# Recommended policies questions:
- variable: "recommendedPolicies.enabled"
type: boolean
default: false
required: true
label: Enable recommended policies
description: |
Whether the recommended policies are enabled or not. Recommended
policies are a minimum set of policies that secure your cluster and
Kubewarden, while leaving the system namespaces untouched.
group: "Recommended Policies"
- variable: "recommendedPolicies.defaultPolicyMode"
type: enum
options:
- "monitor"
- "protect"
default: "monitor"
show_if: recommendedPolicies.enabled=true
label: Execution mode of the recommended policies
description: |
Execution mode of the recommended policies. "protect" will reject requests,
"monitor" will log them. Transitioning from "monitor" to "protect" is
allowed, but not from "protect" to "monitor".
group: "Recommended Policies"
- variable: "recommendedPolicies.skipAdditionalNamespaces"
type: array[
show_if: recommendedPolicies.enabled=true
label: Additional namespaces to skip from evaluation
description: |
Additional namespaces that the recommended policies will not apply to.
group: "Recommended Policies"
# Default PolicyServer questions
- variable: "policyServer.serviceAccountName"
type: string
required: true
label: Name of the ServiceAccount associated to the PolicyServer default
description: |
Minimum number of policy-server Pods that must be available at all times.
Can be an integer or a percentage.
group: "Default PolicyServer"
# Default PolicyServer HA
- variable: "policyServer.replicaCount"
type: integer
default: 1
required: true
label: Number of replicas
description: |
Number of replicas of the PolicyServer Deployment
group: "Default PolicyServer HA"
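Review bot: the description under `policyServer.serviceAccountName` does not match the question. The label is "Name of the ServiceAccount associated to the PolicyServer default", but the description reads "Minimum number of policy-server Pods that must be available at all times. Can be an integer or a percentage.", which looks pasted from a minimum-availability question that is not present in this hunk. Please replace it with text describing the ServiceAccount, since that name decides which permissions the default PolicyServer runs with, and add the minimum-availability question under "Default PolicyServer HA" if it was intended. The same question is `required: true` but has no `default`, so the form starts empty. `recommendedPolicies.skipAdditionalNamespaces` repeats the `type: array[` with an unclosed bracket and no element type; the same fix or explanatory comment applies here.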
