From 03af9831f3e3db4c8d54ac5267b5c6a18c817552 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?=
Date: Fri, 2 Feb 2024 12:37:58 +0100
Subject: [PATCH] feat: add global context support in helm chart (#9614)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Charles-Edouard Brétéché
---
 charts/kyverno/README.md | 1 +
 charts/kyverno/templates/_helpers.tpl | 3 +++
 .../templates/admission-controller/deployment.yaml | 1 +
 .../templates/background-controller/deployment.yaml | 1 +
 .../templates/cleanup-controller/deployment.yaml | 1 +
 .../templates/reports-controller/deployment.yaml | 1 +
 charts/kyverno/values.yaml | 3 +++
 cmd/background-controller/main.go | 13 ++++++++++++-
 cmd/cleanup-controller/main.go | 13 ++++++-------
 cmd/kyverno/main.go | 12 ++++++++++++
 cmd/reports-controller/main.go | 12 ++++++++++++
 config/install-latest-testing.yaml | 4 ++++
 12 files changed, 57 insertions(+), 8 deletions(-)
diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index 0e9bc7698813..16d9c145c48e 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@@ -334,6 +334,7 @@ The chart values are organised per component.
 | features.dumpPayload.enabled | bool | `false` | Enables the feature |
 | features.forceFailurePolicyIgnore.enabled | bool | `false` | Enables the feature |
 | features.generateValidatingAdmissionPolicy.enabled | bool | `false` | Enables the feature |
+| features.globalContext.enabled | bool | `true` | Enables the feature |
 | features.logging.format | string | `"text"` | Logging format |
 | features.logging.verbosity | int | `2` | Logging verbosity |
 | features.omitEvents.eventTypes | list | `["PolicyApplied","PolicySkipped"]` | Events which should not be emitted (possible values `PolicyViolation`, `PolicyApplied`, `PolicyError`, and `PolicySkipped`) |
diff --git a/charts/kyverno/templates/_helpers.tpl b/charts/kyverno/templates/_helpers.tpl
index 6ca1fae60f65..b3a440c3a95d 100644
--- a/charts/kyverno/templates/_helpers.tpl
+++ b/charts/kyverno/templates/_helpers.tpl
@@ -46,6 +46,9 @@
 {{- with .generateValidatingAdmissionPolicy -}}
 {{- $flags = append $flags (print "--generateValidatingAdmissionPolicy=" .enabled) -}}
 {{- end -}}
+{{- with .globalContext -}}
+ {{- $flags = append $flags (print "--enableGlobalContext=" .enabled) -}}
+{{- end -}}
 {{- with .logging -}}
 {{- $flags = append $flags (print "--loggingFormat=" .format) -}}
 {{- $flags = append $flags (print "--v=" (join "," .verbosity)) -}}
diff --git a/charts/kyverno/templates/admission-controller/deployment.yaml b/charts/kyverno/templates/admission-controller/deployment.yaml
index 8fb77b660112..7eaea1ff7f77 100644
--- a/charts/kyverno/templates/admission-controller/deployment.yaml
+++ b/charts/kyverno/templates/admission-controller/deployment.yaml
@@ -163,6 +163,7 @@ spec:
 "dumpPayload"
 "forceFailurePolicyIgnore"
 "generateValidatingAdmissionPolicy"
+ "globalContext"
 "logging"
 "omitEvents"
 "policyExceptions"
diff --git a/charts/kyverno/templates/background-controller/deployment.yaml b/charts/kyverno/templates/background-controller/deployment.yaml
index 38cd6e6e7adb..22b02524ab9c 100644
--- a/charts/kyverno/templates/background-controller/deployment.yaml
+++ b/charts/kyverno/templates/background-controller/deployment.yaml
@@ -117,6 +117,7 @@ spec:
 {{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.backgroundController.featuresOverride)
 "configMapCaching"
 "deferredLoading"
+ "globalContext"
 "logging"
 "omitEvents"
 "policyExceptions"
diff --git a/charts/kyverno/templates/cleanup-controller/deployment.yaml b/charts/kyverno/templates/cleanup-controller/deployment.yaml
index 0124f4967e97..07d5a987249a 100644
--- a/charts/kyverno/templates/cleanup-controller/deployment.yaml
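Review bot: The `--enableGlobalContext=` argument appended in the new `with .globalContext` block of `_helpers.tpl` has no visible consumer: none of the four `main.go` files in this patch registers or reads such a flag, and each calls `gceController.Run(...)` unconditionally in its "start non leader controllers" hunk. If the flag is defined in shared flag setup outside this patch it parses but changes nothing, so an operator who sets `features.globalContext.enabled: false` to reduce exposure still gets a controller watching `GlobalContextEntries` through the dynamic client; if it is not defined anywhere, Go's `flag` package rejects the unknown argument and the pods would exit at startup. Gate both construction and start on the parsed value, for example `if globalContextEnabled { gceController.Run(signalCtx, setup.Logger, &wg) }`, where `globalContextEnabled` is a placeholder for whatever variable the flag is bound to.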
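Review bot: Adding `"globalContext"` to the `pick` list in `admission-controller/deployment.yaml` (and to the background-, cleanup- and reports-controller lists) enables the feature for deployments whose binaries now start an informer on `GlobalContextEntries`, yet the diffstat lists no Role or ClusterRole template. If the service accounts of the admission, background and reports controllers do not already hold `get`, `list` and `watch` on that resource, the new informer cannot sync; confirm the existing rules cover it, and if not, add a rule limited to those three verbs rather than widening an existing wildcard. The template continues outside the hunk.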
+++ b/charts/kyverno/templates/cleanup-controller/deployment.yaml
@@ -119,6 +119,7 @@ spec:
 {{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.cleanupController.featuresOverride)
 "deferredLoading"
 "dumpPayload"
+ "globalContext"
 "logging"
 "ttlController"
 "protectManagedResources"
diff --git a/charts/kyverno/templates/reports-controller/deployment.yaml b/charts/kyverno/templates/reports-controller/deployment.yaml
index 85e318433245..170c399484a0 100644
--- a/charts/kyverno/templates/reports-controller/deployment.yaml
+++ b/charts/kyverno/templates/reports-controller/deployment.yaml
@@ -122,6 +122,7 @@ spec:
 "backgroundScan"
 "configMapCaching"
 "deferredLoading"
+ "globalContext"
 "logging"
 "omitEvents"
 "policyExceptions"
diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml
index 5466822a6c57..b79e3326c547 100644
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@@ -629,6 +629,9 @@ features:
 generateValidatingAdmissionPolicy:
 # -- Enables the feature
 enabled: false
+ globalContext:
+ # -- Enables the feature
+ enabled: true
 logging:
 # -- Logging format
 format: text
diff --git a/cmd/background-controller/main.go b/cmd/background-controller/main.go
index c9d84c965433..8dfbf84fc9dd 100644
--- a/cmd/background-controller/main.go
+++ b/cmd/background-controller/main.go
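Review bot: In `values.yaml`, `globalContext.enabled` is added with a default of `true`, while the controller it refers to is built from `Kyverno().V2alpha1().GlobalContextEntries()` in the `main.go` hunks, i.e. an alpha API, and the neighbouring `generateValidatingAdmissionPolicy` defaults to `false`. Consider shipping it opt-in (`enabled: false`) until the API graduates. The comment also does not say what is being enabled; something like `# -- Enables the global context feature (controllers watch GlobalContextEntry resources)` would let an operator judge the exposure from the values file alone.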
@@ -15,9 +15,11 @@ import (
 kyvernoinformer "github.com/kyverno/kyverno/pkg/client/informers/externalversions"
 "github.com/kyverno/kyverno/pkg/clients/dclient"
 "github.com/kyverno/kyverno/pkg/config"
+ globalcontextcontroller "github.com/kyverno/kyverno/pkg/controllers/globalcontext"
 policymetricscontroller "github.com/kyverno/kyverno/pkg/controllers/metrics/policy"
 engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 "github.com/kyverno/kyverno/pkg/engine/apicall"
+ "github.com/kyverno/kyverno/pkg/engine/globalcontext/store"
 "github.com/kyverno/kyverno/pkg/engine/jmespath"
 "github.com/kyverno/kyverno/pkg/event"
 "github.com/kyverno/kyverno/pkg/leaderelection"
@@ -153,7 +155,15 @@ func main() {
 eventGenerator,
 event.Workers,
 )
- // this controller only subscribe to events, nothing is returned...
+ gceController := internal.NewController(
+ globalcontextcontroller.ControllerName,
+ globalcontextcontroller.NewController(
+ kyvernoInformer.Kyverno().V2alpha1().GlobalContextEntries(),
+ setup.KyvernoDynamicClient,
+ store.New(),
+ ),
+ globalcontextcontroller.Workers,
+ ) // this controller only subscribe to events, nothing is returned...
 policymetricscontroller.NewController(
 setup.MetricsManager,
 kyvernoInformer.Kyverno().V1().ClusterPolicies(),
@@ -231,6 +241,7 @@ func main() {
 }
 // start non leader controllers
 eventController.Run(signalCtx, setup.Logger, &wg)
+ gceController.Run(signalCtx, setup.Logger, &wg)
 // start leader election
 le.Run(signalCtx)
 // wait for everything to shut down and exit
diff --git a/cmd/cleanup-controller/main.go b/cmd/cleanup-controller/main.go
index e253074da1ea..e1b0102a4db1 100644
--- a/cmd/cleanup-controller/main.go
+++ b/cmd/cleanup-controller/main.go
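Review bot: In the `gceController` hunk of `cmd/background-controller/main.go`, `store.New()` is created inline as an argument to `globalcontextcontroller.NewController` and never bound to a name, so nothing else in `main` can read what the controller caches; the cleanup-controller hunk removes the `store` variable that used to hold it, and the kyverno and reports-controller hunks add the same inline call. If the engine is meant to resolve global context entries, bind the store once, e.g. `gcstore := store.New()`, and pass that same value to the controller and to the engine. Separately, the closing `)` now carries `// this controller only subscribe to events, nothing is returned...`, which describes the `policymetricscontroller.NewController(` call on the next line; put the comment back on its own line above that call. `main` starts and ends outside the hunk.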
@@ -19,9 +19,9 @@ import (
 "github.com/kyverno/kyverno/pkg/controllers/cleanup"
 genericloggingcontroller "github.com/kyverno/kyverno/pkg/controllers/generic/logging"
 genericwebhookcontroller "github.com/kyverno/kyverno/pkg/controllers/generic/webhook"
- "github.com/kyverno/kyverno/pkg/controllers/globalcontext"
+ globalcontextcontroller "github.com/kyverno/kyverno/pkg/controllers/globalcontext"
 ttlcontroller "github.com/kyverno/kyverno/pkg/controllers/ttl"
- globalcontextstore "github.com/kyverno/kyverno/pkg/engine/globalcontext/store"
+ "github.com/kyverno/kyverno/pkg/engine/globalcontext/store"
 "github.com/kyverno/kyverno/pkg/event"
 "github.com/kyverno/kyverno/pkg/informers"
 "github.com/kyverno/kyverno/pkg/leaderelection"
@@ -159,15 +159,14 @@ func main() {
 eventGenerator,
 event.Workers,
 )
- store := globalcontextstore.New()
 gceController := internal.NewController(
- globalcontext.ControllerName,
- globalcontext.NewController(
+ globalcontextcontroller.ControllerName,
+ globalcontextcontroller.NewController(
 kyvernoInformer.Kyverno().V2alpha1().GlobalContextEntries(),
 setup.KyvernoDynamicClient,
- store,
+ store.New(),
 ),
- globalcontext.Workers,
+ globalcontextcontroller.Workers,
 )
 // start informers and wait for cache sync
 if !internal.StartInformersAndWaitForCacheSync(ctx, setup.Logger, kubeInformer, kyvernoInformer) {
diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go
index 4393f40edaf0..8b79425fd88c 100644
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@@ -20,12 +20,14 @@ import (
 "github.com/kyverno/kyverno/pkg/controllers/certmanager"
 genericloggingcontroller "github.com/kyverno/kyverno/pkg/controllers/generic/logging"
 genericwebhookcontroller "github.com/kyverno/kyverno/pkg/controllers/generic/webhook"
+ globalcontextcontroller "github.com/kyverno/kyverno/pkg/controllers/globalcontext"
 policymetricscontroller "github.com/kyverno/kyverno/pkg/controllers/metrics/policy"
 policycachecontroller "github.com/kyverno/kyverno/pkg/controllers/policycache"
 vapcontroller "github.com/kyverno/kyverno/pkg/controllers/validatingadmissionpolicy-generate"
 webhookcontroller "github.com/kyverno/kyverno/pkg/controllers/webhook"
 engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 "github.com/kyverno/kyverno/pkg/engine/apicall"
+ "github.com/kyverno/kyverno/pkg/engine/globalcontext/store"
 "github.com/kyverno/kyverno/pkg/event"
 "github.com/kyverno/kyverno/pkg/informers"
 "github.com/kyverno/kyverno/pkg/leaderelection"
@@ -323,6 +325,15 @@ func main() {
 logging.WithName("EventGenerator"),
 strings.Split(omitEvents, ",")...,
 )
+ gceController := internal.NewController(
+ globalcontextcontroller.ControllerName,
+ globalcontextcontroller.NewController(
+ kyvernoInformer.Kyverno().V2alpha1().GlobalContextEntries(),
+ setup.KyvernoDynamicClient,
+ store.New(),
+ ),
+ globalcontextcontroller.Workers,
+ )
 eventController := internal.NewController(
 event.ControllerName,
 eventGenerator,
@@ -523,6 +534,7 @@ func main() {
 defer server.Stop()
 // start non leader controllers
 eventController.Run(signalCtx, setup.Logger, &wg)
+ gceController.Run(signalCtx, setup.Logger, &wg)
 for _, controller := range nonLeaderControllers {
 controller.Run(signalCtx, setup.Logger.WithName("controllers"), &wg)
 }
diff --git a/cmd/reports-controller/main.go b/cmd/reports-controller/main.go
index 538f81d66b23..085a6aefdd98 100644
--- a/cmd/reports-controller/main.go
+++ b/cmd/reports-controller/main.go
@@ -14,12 +14,14 @@ import (
 kyvernoinformer "github.com/kyverno/kyverno/pkg/client/informers/externalversions"
 "github.com/kyverno/kyverno/pkg/clients/dclient"
 "github.com/kyverno/kyverno/pkg/config"
+ globalcontextcontroller "github.com/kyverno/kyverno/pkg/controllers/globalcontext"
 admissionreportcontroller "github.com/kyverno/kyverno/pkg/controllers/report/admission"
 aggregatereportcontroller "github.com/kyverno/kyverno/pkg/controllers/report/aggregate"
 backgroundscancontroller "github.com/kyverno/kyverno/pkg/controllers/report/background"
 resourcereportcontroller "github.com/kyverno/kyverno/pkg/controllers/report/resource"
 engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 "github.com/kyverno/kyverno/pkg/engine/apicall"
+ "github.com/kyverno/kyverno/pkg/engine/globalcontext/store"
 "github.com/kyverno/kyverno/pkg/engine/jmespath"
 "github.com/kyverno/kyverno/pkg/event"
 "github.com/kyverno/kyverno/pkg/leaderelection"
@@ -283,6 +285,15 @@ func main() {
 eventGenerator,
 event.Workers,
 )
+ gceController := internal.NewController(
+ globalcontextcontroller.ControllerName,
+ globalcontextcontroller.NewController(
+ kyvernoInformer.Kyverno().V2alpha1().GlobalContextEntries(),
+ setup.KyvernoDynamicClient,
+ store.New(),
+ ),
+ globalcontextcontroller.Workers,
+ )
 // engine
 engine := internal.NewEngine(
 ctx,
@@ -372,6 +383,7 @@ func main() {
 }
 // start non leader controllers
 eventController.Run(ctx, setup.Logger, &wg)
+ gceController.Run(ctx, setup.Logger, &wg)
 // start leader election
 le.Run(ctx)
 // wait for everything to shut down and exit
diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml
index 1bf8b0803516..baae2cba12a7 100644
--- a/config/install-latest-testing.yaml
+++ b/config/install-latest-testing.yaml
@@ -51836,6 +51836,7 @@ spec: - --dumpPayload=false - --forceFailurePolicyIgnore=false - --generateValidatingAdmissionPolicy=false + - --enableGlobalContext=true - --loggingFormat=text - --v=2 - --omitEvents=PolicyApplied,PolicySkipped @@ -51987,6 +51988,7 @@ spec: - --metricsPort=8000 - --enableConfigMapCaching=true - --enableDeferredLoading=true + - --enableGlobalContext=true - --loggingFormat=text - --v=2 - --omitEvents=PolicyApplied,PolicySkipped @@ -52094,6 +52096,7 @@ spec: - --metricsPort=8000 - --enableDeferredLoading=true - --dumpPayload=false + - --enableGlobalContext=true - --loggingFormat=text - --v=2 - --protectManagedResources=false @@ -52234,6 +52237,7 @@ spec: - --skipResourceFilters=true - --enableConfigMapCaching=true - --enableDeferredLoading=true + - --enableGlobalContext=true - --loggingFormat=text - --v=2 - --omitEvents=PolicyApplied,PolicySkipped