Policy Reporter v3 (#482)

Policy Reporter v3 Signed-off-by: Frank Jogeleit <[email protected]>
kyverno · Oct 7, 2024 · 78f2449 · 78f2449
1 parent b8a6584
commit 78f2449
Show file tree

Hide file tree

Showing 277 changed files with 15,603 additions and 10,925 deletions.
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: gomod
+    directory: /
+    schedule:
+      interval: daily
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -4,7 +4,7 @@ on:
   push:
     branches:
       - main
-      - development
+      - 3.x
 
     paths-ignore:
       - README.md
@@ -14,25 +14,62 @@ on:
   pull_request:
     branches:
       - main
+      - 3.x
 
 jobs:
   coverage:
     runs-on: ubuntu-latest
     steps:
-      - name: Set up Go 1.22
-        uses: actions/setup-go@v2
+      - name: Checkout
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+
+      - name: Set up Go
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.2.0
+        with:
+          go-version-file: go.mod
+          cache-dependency-path: go.sum
+
+      - name: Check go.mod
+        run: |
+          set -e
+          go mod tidy && git diff --exit-code
+
+      - name: Check code format
+        run: |
+          set -e
+          make fmt
+          git diff --exit-code
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
         with:
-          go-version: 1.22
-      - name: Checkout code
-        uses: actions/checkout@v2
-      - name: Get dependencies
-        run: go get -v -t -d ./...
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+
       - name: Calc coverage
         run: make coverage
+
       - name: Convert coverage to lcov
-        uses: jandelgado/[email protected]
+        uses: jandelgado/gcov2lcov-action@c680c0f7c7442485f1749eb2a13e54a686e76eb5 #v1.0.9
+
       - name: Coveralls
-        uses: coverallsapp/github-action@v2.0.0
+        uses: coverallsapp/github-action@643bc377ffa44ace6394b2b5d0d3950076de9f63 # v2.3.0
         with:
           github-token: ${{ secrets.github_token }}
-          file: coverage.lcov
+          file: coverage.lcov
+
+  check-actions:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+      - name: Ensure SHA pinned actions
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@b8f9a25a51fe633d9215ac7734854dc11cd299cb # v3.0.13
+        with:
+          # slsa-github-generator requires using a semver tag for reusable workflows. 
+          # See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
+          allowlist: |
+            slsa-framework/slsa-github-generator
diff --git a/.github/workflows/cr.yaml b/.github/workflows/cr.yaml
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
@@ -10,10 +10,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@master
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 
       - name: Setup node env
-        uses: actions/setup-node@v2.1.2
+        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 #v4.0.4
         with:
           node-version: 16
 
@@ -32,9 +32,8 @@ jobs:
           cp index.yaml ./dist/index.yaml
           cp artifacthub-repo.yml ./dist/artifacthub-repo.yml
 
-
       - name: Deploy
-        uses: peaceiris/actions-gh-pages@v3
+        uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e #v4.0.0
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: ./dist

diff --git a/.github/workflows/helm-chart.yaml b/.github/workflows/helm-chart.yaml
@@ -5,7 +5,6 @@ on:
     # run pipeline on push on master
     branches:
       - main
-      - development
     paths:
       - "charts/**"
 
@@ -18,16 +17,19 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         with:
           fetch-depth: "0"
 
       - name: chart-testing (ct lint)
-        uses: helm/chart-testing-action@v2.0.1
+        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
 
       - name: Run Helm Chart lint
         run: |
-            ct lint --lint-conf=.github/ct_lintconf.yaml \
-                    --chart-yaml-schema=.github/ct_chart_schema.yaml \
-                    --target-branch=main --validate-maintainers=false \
-                    --chart-dirs charts
+          set -e
+          ct lint --lint-conf=.github/ct_lintconf.yaml \
+                  --chart-yaml-schema=.github/ct_chart_schema.yaml \
+                  --target-branch=main \
+                  --validate-maintainers=false \
+                  --check-version-increment=false \
+                  --chart-dirs charts
diff --git a/.github/workflows/release-chart.yaml b/.github/workflows/release-chart.yaml
@@ -0,0 +1,65 @@
+name: release-chart
+
+on:
+  push:
+    tags:
+      - 'policy-reporter-chart-v*'
+
+jobs:
+  helm-chart:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pages: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        with:
+          fetch-depth: 0
+
+      - name: Verify Helm Docs
+        run: |
+          set -e
+          make verify-helm-docs
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "[email protected]"
+
+      - name: Install Helm
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+        with:
+          version: v3.16.1
+
+      - name: Prepare GPG key
+        run: |
+          gpg_dir=.cr-gpg
+          mkdir "$gpg_dir"
+          keyring="$gpg_dir/secring.gpg"
+          base64 -d <<< "$GPG_KEYRING_BASE64" > "$keyring"
+          passphrase_file="$gpg_dir/passphrase"
+          echo "$GPG_PASSPHRASE" > "$passphrase_file"
+          echo "CR_PASSPHRASE_FILE=$passphrase_file" >> "$GITHUB_ENV"
+          echo "CR_KEYRING=$keyring" >> "$GITHUB_ENV"
+        env:
+          GPG_KEYRING_BASE64: "${{ secrets.GPG_KEYRING_BASE64 }}" #Referring secrets of github above
+          GPG_PASSPHRASE: "${{ secrets.GPG_PASSPHRASE }}" 
+
+      - name: Run chart-releaser
+        uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
+        id: cr
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          CR_KEY: "${{ secrets.CR_KEY }}"
+          CR_SIGN: true
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
+
+      - name: Push to OCI
+        run: |
+          set -e
+          output=$(helm push .cr-release-packages/policy-reporter-{{ steps.cr.outputs.chart_version }}.tgz oci://ghcr.io/kyverno/charts 2>&1)
+          digest=$( echo "$output" | grep Digest | cut -c9-)
+          cosign sign --yes ghcr.io/kyverno/charts/policy-reporter@$digest
diff --git a/.github/workflows/image.yaml → .github/workflows/release-image.yaml b/.github/workflows/image.yaml → .github/workflows/release-image.yaml
@@ -1,9 +1,16 @@
-name: image
+name: release-image
 on:
   push:
+    branches:
+      - main
+
     tags:
-      - v*
-      - dev
+      - 'v*'
+
+    paths-ignore:
+      - README.md
+      - charts/**
+      - manifest/**
 
 permissions:
   contents: read
@@ -15,58 +22,58 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 
       - name: Push image
         id: params
         run: |
           # Strip git ref prefix from version
-          VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,')
+          VERSION=$(git rev-parse --short "$GITHUB_SHA")
           # Strip "v" prefix from tag name
           [[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//')
           echo VERSION=$VERSION
-          echo "::set-output name=version::$VERSION"
+          echo "VERSION=$VERSION" >> "$GITHUB_ENV"
 
       - name: Login to Github Packages
-        uses: docker/login-action@v2
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.CR_PAT }}
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 #v3.7.1
         id: buildx
         with:
           install: true
           version: latest
 
       - name: Build image and push to GitHub Container Registry
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
         id: push
         with:
           push: true
-          platforms: linux/arm64,linux/amd64,linux/s390x
+          platforms: linux/arm64,linux/amd64
           cache-from: type=registry,ref=ghcr.io/kyverno/policy-reporter:buildcache
           cache-to: type=registry,ref=ghcr.io/kyverno/policy-reporter:buildcache,mode=max
           tags: |
-            ghcr.io/kyverno/policy-reporter:latest
-            ghcr.io/kyverno/policy-reporter:${{ steps.params.outputs.version }}
+            ghcr.io/kyverno/policy-reporter:${{ env.VERSION }}
 
-      - name: Set up Go 1.22
-        uses: actions/setup-go@v2
+      - name: Set up Go
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.2.0
         with:
-          go-version: 1.22
+          go-version-file: go.mod
+          cache-dependency-path: go.sum
 
       - uses: CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f # v2.0.0
         with:
           version: v1
           args: app -licenses -json -output policy-reporter-bom.cdx.json -main .
 
-      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+      - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: policy-reporter-bom-cdx
           path: policy-reporter-bom.cdx.json

diff --git a/.gitignore b/.gitignore
@@ -6,6 +6,7 @@ build
 /test.yaml
 *.db
 values*.yaml
+monitoring.yaml
 coverage.out*
 heap*
 /.env*

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -309,7 +309,7 @@
 * Policy Reporter
     * New `certificate` config for `loki`, `elasticsearch`, `teams`, `webhook` and `ui`, to set the path to your custom certificate for the related client.
     * New `skipTLS` config for `loki`, `elasticsearch`, `teams`, `webhook` and `ui`, to skip tls if needed for the given target.
-    * New `secretRef` for targets to reference a secret with the related `username`, `password`, `webhook`, `host`, `accessKeyID`, `secretAccessKey` information of the given target, instead of configure your credentials directly.
+    * New `secretRef` for targets to reference a secret with the related `username`, `password`, `webhook`, `host`, `accessKeyId`, `secretAccessKey` information of the given target, instead of configure your credentials directly.
 * Policy Reporter UI
     * New value `refreshInterval` to configure the default refresh interval for API polling. Set `0` to disable polling.
 * Policy Reporter Kyverno Plugin