chore(deploy): align static YAMLs with Helm templates

CONTRIBUTING.md

@@ -20,6 +20,7 @@ These guidelines will help you get started with the Starboard project.
   - [In Cluster](#in-cluster)
   - [Out of Cluster](#out-of-cluster)
   - [Uninstall](#uninstall)
+- [Update Static YAML Manifests](#update-static-yaml-manifests)
 - [Operator Lifecycle Manager (OLM)](#operator-lifecycle-manager-olm)
   - [Install OLM](#install-olm)
   - [Build the Catalog Image](#build-the-catalog-image)
@@ -255,6 +256,26 @@ kubectl delete -f deploy/crd/vulnerabilityreports.crd.yaml \
   -f deploy/crd/ciskubebenchreports.crd.yaml
 ```
 
+## Update Static YAML Manifests
+
+```
+mkdir -p $TMPDIR/starboard-helm-template
+```
+
+```
+helm template starboard-operator ./deploy/helm \
+  --namespace starboard-system --create-namespace \
+  --set="targetNamespaces=default" \
+  --set="managedBy=kubectl" \
+  --output-dir=$TMPDIR/starboard-helm-template
+```
+
+```
+cp $TMPDIR/starboard-helm-template/starboard-operator/templates/rbac.yaml deploy/static/02-starboard-operator.rbac.yaml
+cp $TMPDIR/starboard-helm-template/starboard-operator/templates/config.yaml deploy/static/03-starboard-operator.config.yaml
+cp $TMPDIR/starboard-helm-template/starboard-operator/templates/deployment.yaml deploy/static/04-starboard-operator.deployment.yaml
+```
+
 ## Operator Lifecycle Manager (OLM)
 
 ### Install OLM

deploy/helm/templates/_helpers.tpl

@@ -35,12 +35,14 @@ Create chart name and version as used by the chart label.
 Common labels
 */}}
 {{- define "starboard-operator.labels" -}}
+{{- if eq .Values.managedBy "Helm" -}}
 helm.sh/chart: {{ include "starboard-operator.chart" . }}
+{{ end -}}
 {{ include "starboard-operator.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/managed-by: {{ .Values.managedBy }}
 {{- end }}
 
 {{/*

deploy/helm/templates/config.yaml

@@ -6,45 +6,58 @@ metadata:
   labels:
     {{- include "starboard-operator.labels" . | nindent 4 }}
 data:
-  scanJob.tolerations: {{ .Values.starboard.scanJobTolerations | toJson | quote }}
-  scanJob.annotations: {{ .Values.starboard.scanJobAnnotations | quote }}
+  {{- with .Values.starboard.scanJobTolerations }}
+  scanJob.tolerations: {{ . | toJson | quote }}
+  {{- end }}
+  {{- with .Values.starboard.scanJobAnnotations }}
+  scanJob.annotations: {{ . | quote }}
+  {{- end }}
   {{- if .Values.operator.vulnerabilityScannerEnabled }}
   vulnerabilityReports.scanner: {{ .Values.starboard.vulnerabilityReportsPlugin | quote }}
   {{- end }}
-  {{- if .Values.operator.kubernetesBenchmarkEnabled }}
-  kube-bench.imageRef: {{ required ".Values.kubeBench.imageRef is required" .Values.kubeBench.imageRef | quote }}
-  {{- end }}
   {{- if .Values.operator.configAuditScannerEnabled }}
   configAuditReports.scanner: {{ .Values.starboard.configAuditReportsPlugin | quote }}
   {{- end }}
+  {{- if .Values.operator.kubernetesBenchmarkEnabled }}
+  kube-bench.imageRef: {{ required ".Values.kubeBench.imageRef is required" .Values.kubeBench.imageRef | quote }}
+  {{- end }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: starboard
+  labels:
+    {{- include "starboard-operator.labels" . | nindent 4 }}
 {{- if eq .Values.starboard.vulnerabilityReportsPlugin "Trivy" }}
+{{- with .Values.trivy }}
+{{- if .createConfig }}
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: starboard-trivy-config
   labels:
-    {{- include "starboard-operator.labels" . | nindent 4 }}
+    {{- include "starboard-operator.labels" $ | nindent 4 }}
 data:
-  trivy.imageRef: {{ required ".Values.trivy.imageRef is required" .Values.trivy.imageRef | quote }}
-  trivy.mode: {{ .Values.trivy.mode | quote }}
-  {{- if .Values.trivy.httpProxy }}
-  trivy.httpProxy: {{ .Values.trivy.httpProxy | quote }}
+  trivy.imageRef: {{ required ".Values.trivy.imageRef is required" .imageRef | quote }}
+  trivy.mode: {{ .mode | quote }}
+  {{- if .httpProxy }}
+  trivy.httpProxy: {{ .httpProxy | quote }}
   {{- end }}
-  {{- if .Values.trivy.httpsProxy }}
-  trivy.httpsProxy: {{ .Values.trivy.httpsProxy | quote }}
+  {{- if .httpsProxy }}
+  trivy.httpsProxy: {{ .httpsProxy | quote }}
   {{- end }}
-  {{- if .Values.trivy.noProxy }}
-  trivy.noProxy: {{ .Values.trivy.noProxy | quote }}
+  {{- if .noProxy }}
+  trivy.noProxy: {{ .noProxy | quote }}
   {{- end }}
-  trivy.severity: {{ .Values.trivy.severity | quote }}
-  {{- if .Values.trivy.ignoreUnfixed }}
-  trivy.ignoreUnfixed: {{ .Values.trivy.ignoreUnfixed | quote }}
+  trivy.severity: {{ .severity | quote }}
+  {{- if .ignoreUnfixed }}
+  trivy.ignoreUnfixed: {{ .ignoreUnfixed | quote }}
   {{- end }}
-  {{- if eq .Values.trivy.mode "ClientServer" }}
-  trivy.serverURL: {{ required ".Values.trivy.serverURL is required" .Values.trivy.serverURL | quote }}
+  {{- if eq .mode "ClientServer" }}
+  trivy.serverURL: {{ required ".Values.trivy.serverURL is required" .serverURL | quote }}
   {{- end }}
-  {{- with .Values.trivy.resources }}
+  {{- with .resources }}
     {{- with .requests }}
       {{- if .cpu }}
   trivy.resources.requests.cpu: {{ .cpu }}
@@ -68,9 +81,8 @@ kind: Secret
 metadata:
   name: starboard-trivy-config
   labels:
-    {{- include "starboard-operator.labels" . | nindent 4 }}
+    {{- include "starboard-operator.labels" $ | nindent 4 }}
 data:
-  {{- with .Values.trivy }}
   {{- if .githubToken }}
   trivy.githubToken: {{ .githubToken | b64enc | quote }}
   {{- end }}
@@ -82,35 +94,59 @@ data:
   trivy.serverCustomHeaders: {{ .serverCustomHeaders | b64enc | quote }}
   {{- end }}
   {{- end }}
-  {{- end }}
+{{- end }}
+{{- end }}
 {{- end }}
 {{- if eq .Values.starboard.configAuditReportsPlugin "Conftest" }}
+{{- with .Values.conftest }}
+{{- if .createConfig }}
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: starboard-conftest-config
   labels:
-    {{- include "starboard-operator.labels" . | nindent 4 }}
+    {{- include "starboard-operator.labels" $ | nindent 4 }}
 data:
-  conftest.imageRef: {{ required ".Values.conftest.imageRef is required" .Values.conftest.imageRef | quote }}
-  conftest.resources.requests.cpu: {{ .Values.conftest.resources.requests.cpu | quote }}
-  conftest.resources.requests.memory: {{ .Values.conftest.resources.requests.memory | quote }}
-  conftest.resources.limits.cpu: {{ .Values.conftest.resources.limits.cpu | quote }}
-  conftest.resources.limits.memory: {{ .Values.conftest.resources.limits.memory | quote }}
+  conftest.imageRef: {{ required ".Values.conftest.imageRef is required" .imageRef | quote }}
+  {{- with .resources }}
+  conftest.resources.requests.cpu: {{ .requests.cpu | quote }}
+  conftest.resources.requests.memory: {{ .requests.memory | quote }}
+  conftest.resources.limits.cpu: {{ .limits.cpu | quote }}
+  conftest.resources.limits.memory: {{ .limits.memory | quote }}
+  {{- end }}
+  {{- range $key, $val := .library }}
+  conftest.library.{{ $key }}: {{ $val | quote }}
+  {{- end }}
+  {{- range $key, $val := .policy }}
+  conftest.policy.{{ $key }}.rego: {{ $val.rego | quote }}
+  conftest.policy.{{ $key }}.kinds: {{ $val.kinds | quote }}
+  {{- end }}
+{{- end }}
+{{- end }}
 {{- end }}
 {{- if eq .Values.starboard.configAuditReportsPlugin "Polaris" }}
+{{- with .Values.polaris }}
+{{- if .createConfig }}
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: starboard-polaris-config
   labels:
-    {{- include "starboard-operator.labels" . | nindent 4 }}
+    {{- include "starboard-operator.labels" $ | nindent 4 }}
 data:
-  polaris.imageRef: {{ required ".Values.polaris.imageRef is required" .Values.polaris.imageRef | quote }}
+  polaris.imageRef: {{ required ".Values.polaris.imageRef is required" .imageRef | quote }}
+  {{- with .resources }}
+  polaris.resources.requests.cpu: {{ .requests.cpu | quote }}
+  polaris.resources.requests.memory: {{ .requests.memory | quote }}
+  polaris.resources.limits.cpu: {{ .limits.cpu | quote }}
+  polaris.resources.limits.memory: {{ .limits.memory | quote }}
+  {{- end }}
   polaris.config.yaml: |
-  {{- toYaml .Values.polaris.config | nindent 4 }}
+  {{- toYaml .config | nindent 4 }}
+{{- end }}
+{{- end }}
 {{- end }}
 {{- if eq .Values.starboard.vulnerabilityReportsPlugin "Aqua" }}
 ---

deploy/helm/templates/deployment.yaml

@@ -26,67 +26,73 @@ metadata:
     {{- include "starboard-operator.labels" . | nindent 4 }}
 spec:
   replicas: {{ .Values.operator.replicas }}
+  strategy:
+    type: Recreate
   selector:
     matchLabels:
       {{- include "starboard-operator.selectorLabels" . | nindent 6 }}
   template:
     metadata:
+      {{- with .Values.podAnnotations }}
       annotations:
-        {{- with .Values.podAnnotations }}
         {{- . | toYaml | nindent 8 }}
-        {{- end }}
+      {{- end }}
       labels:
         {{- include "starboard-operator.selectorLabels" . | nindent 8 }}
     spec:
+      serviceAccountName: {{ include "starboard-operator.serviceAccountName" . }}
+      automountServiceAccountToken: true
       containers:
-        - name: "{{ .Chart.Name }}"
+        - name: {{ .Chart.Name | quote }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          {{- with .Values.image.pullPolicy }}
+          imagePullPolicy: {{ . }}
+          {{- end }}
           env:
             - name: OPERATOR_NAMESPACE
               value: {{ .Release.Namespace | quote }}
             - name: OPERATOR_TARGET_NAMESPACES
               value: {{ tpl .Values.targetNamespaces . | quote }}
             - name: OPERATOR_SERVICE_ACCOUNT
-              value: {{ include "starboard-operator.serviceAccountName" . }}
-            {{- if gt (int .Values.operator.replicas) 1 }}
-            - name: OPERATOR_LEADER_ELECTION_ENABLED
-              value: "true"
-            {{- end }}
-            {{- if gt (int .Values.operator.replicas) 1 }}
-            - name: OPERATOR_LEADER_ELECTION_ID
-              value: {{ .Values.operator.leaderElectionId | quote }}
-            {{- end }}
+              value: {{ include "starboard-operator.serviceAccountName" . | quote }}
+            - name: OPERATOR_LOG_DEV_MODE
+              value: {{ .Values.operator.logDevMode | quote }}
+            - name: OPERATOR_SCAN_JOB_TIMEOUT
+              value: {{ .Values.operator.scanJobTimeout | quote }}
+            - name: OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT
+              value: {{ .Values.operator.scanJobsConcurrentLimit | quote }}
+            - name: OPERATOR_SCAN_JOB_RETRY_AFTER
+              value: {{ .Values.operator.scanJobsRetryDelay | quote }}
+            - name: OPERATOR_BATCH_DELETE_LIMIT
+              value: {{ .Values.operator.batchDeleteLimit | quote }}
+            - name: OPERATOR_BATCH_DELETE_DELAY
+              value: {{ .Values.operator.batchDeleteDelay | quote }}
             - name: OPERATOR_METRICS_BIND_ADDRESS
               value: ":8080"
             - name: OPERATOR_HEALTH_PROBE_BIND_ADDRESS
               value: ":9090"
-            - name: OPERATOR_LOG_DEV_MODE
-              value: {{ .Values.operator.logDevMode | quote }}
             - name: OPERATOR_CIS_KUBERNETES_BENCHMARK_ENABLED
               value: {{ .Values.operator.kubernetesBenchmarkEnabled | quote }}
             - name: OPERATOR_VULNERABILITY_SCANNER_ENABLED
               value: {{ .Values.operator.vulnerabilityScannerEnabled | quote }}
             - name: OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED
               value: {{ .Values.operator.configAuditScannerEnabled | quote }}
-            - name: OPERATOR_BATCH_DELETE_LIMIT
-              value: {{ .Values.operator.batchDeleteLimit | quote }}
-            - name: OPERATOR_BATCH_DELETE_DELAY
-              value: {{ .Values.operator.batchDeleteDelay | quote }}
+            {{- if gt (int .Values.operator.replicas) 1 }}
+            - name: OPERATOR_LEADER_ELECTION_ENABLED
+              value: "true"
+            - name: OPERATOR_LEADER_ELECTION_ID
+              value: {{ .Values.operator.leaderElectionId | quote }}
+            {{- end }}
           ports:
-            # metrics port is exposed by the k8s Service and by default also
-            # have annotations which will help prometheus as a target for
-            # scraping of metrics
             - name: metrics
               containerPort: 8080
-            # probes port is not exposed by the k8s Service and used directly by
-            # kubelet for the readinessProbe and livenessProbe
             - name: probes
               containerPort: 9090
           readinessProbe:
             httpGet:
               path: /readyz/
               port: probes
-            initialDelaySeconds: 0
+            initialDelaySeconds: 5
             periodSeconds: 10
             successThreshold: 1
             failureThreshold: 3
@@ -104,18 +110,12 @@ spec:
           securityContext:
             {{- . | toYaml | nindent 12 }}
           {{- end }}
-          {{- with .Values.image.pullPolicy }}
-          imagePullPolicy: {{ . }}
-          {{- end }}
       {{- with .Values.image.pullSecrets }}
       imagePullSecrets:
         {{- . | toYaml | nindent 8 }}
       {{- end }}
-      serviceAccountName: {{ include "starboard-operator.serviceAccountName" . }}
-      {{- with .Values.podSecurityContext }}
       securityContext:
-        {{- . | toYaml | nindent 8 }}
-      {{- end }}
+        {{- .Values.podSecurityContext | toYaml | nindent 8 }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- . | toYaml | nindent 8 }}