Comments (8)

fjogeleit avatar fjogeleit commented on August 19, 2024

Hey, thanks for your suggestion. I will check how to provide standard manifests to install policy-reporter and additional components for non-Helm users.

from policy-reporter.

fjogeleit avatar fjogeleit commented on August 19, 2024

I added three static installation.yaml with different configurations.

https://github.com/fjogeleit/policy-reporter/tree/main/manifest

Please let me know if you miss something or something is unclear. I will also update the Wiki in the next days.

shin-go avatar shin-go commented on August 19, 2024

Looks good! My only feedback would be to note that the Secret for policy-reporter-targets is going to vary with the intended notification channels. So it may be that one user's Secret will only have the KVs for Slack, while another may use multiple supported.

Users may not realize that the Secret is populated by (I'm guessing likely) the config.yaml file, which doesn't have values for the sensitive keys like Slack webhook URL, etc. I don't think it's a lot to expect users to create their own Secret for this rather than risk some initial confusion as to what the encrypted Secret in the install.yaml manifests really contains.

fjogeleit avatar fjogeleit commented on August 19, 2024

Okay, thank you. In the default installation the secret is more a placeholder. In the other installation it is required to define Policy Reporter UI as a Target for Policy Reporter, but you're right, it is prone to confusion. I will have a look at it and I will write more documentation about it in the Project Wiki.

fjogeleit avatar fjogeleit commented on August 19, 2024

@shin-go I removed the secret for the default installation and split the secret for the other two installations into a separate target-secret.yaml. So it's optional to apply it. I also added a new Target Configuration section into the manifest/README.md file. I hope that's more clear.

shin-go avatar shin-go commented on August 19, 2024

Thanks! I should have time to review and give them a try today or tomorrow.

shin-go avatar shin-go commented on August 19, 2024

Had a chance to test this out today. It mostly worked as expected, though in my case we use Bitnami's sealed-secrets-controller, so I had to do the following (to compare notes) for the secret resource:

  • modify the config.yaml example from manifest/README.md to include my own sensitive values - like webhook URL for Slack
  • save off my own config.yaml locally, then base64 encode it. ex.: base64 -i config.yaml
  • add the base64 encoded configmap to a generic secret resource, kind of like this:

    ---
    apiVersion: v1
    kind: Secret
    metadata:
      name: policy-reporter-targets
      namespace: policy-reporter
      labels:
        app.kubernetes.io/name: policy-reporter
    type: Opaque
    data:
      config.yaml: <base64 encoded configmap>

  • run the generic secret (ex.: unsealed_secret.yaml) through kubeseal with something like kubeseal --format=yaml < unsealed_secret.yaml > secret.yaml
  • the contents of secret.yaml (the SealedSecret resource) should look something like this:

    apiVersion: bitnami.com/v1alpha1
    kind: SealedSecret
    metadata:
      creationTimestamp: null
      name: policy-reporter-targets
      namespace: policy-reporter
    spec:
      encryptedData:
        config.yaml: <encrypted data>
      template:
        metadata:
          creationTimestamp: null
          name: policy-reporter-targets
          namespace: kube-system
        type: Opaque

The only blurb I would consider updating is the mention in manifest/README.md that if you update the secret used, you need to delete the deployment. Updated secrets can be picked up by just restarting the deployment (ex.: kubectl rollout restart deployment/<name> -n policy-reporter).

Also in my case I wanted to make the UI available privately so I threw in an Ingress resource too. I wouldn't spend time trying to provide an example as there are going to be some slight variations to how that's configured depending on if Kubernetes is deployed on a managed offering or if it's self-managed. There were no configuration changes I needed to make to the UI Service to accommodate. Thanks for banging this out!

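As an added example (not the commenter's files or the project's own code), a POSIX shell helper for the base64 step in the list above: it builds the policy-reporter-targets Secret from a local config.yaml without relying on the macOS-only base64 -i flag, and checks that the Secret's data decodes back to the source file before it is handed to kubeseal. The sample config.yaml contents are constructed and the webhook URL is a placeholder.

```shell
#!/bin/sh
# Build the policy-reporter-targets Secret from a local config.yaml and
# verify the embedded data decodes back to the original file byte-for-byte.

# Emit a Secret manifest whose data.config.yaml is the base64 of file $1,
# in namespace $2 (defaults to policy-reporter, as in the thread).
build_target_secret() {
  cfg="$1"
  ns="${2:-policy-reporter}"
  # GNU base64 wraps output at 76 columns by default; the tr strips the
  # newlines so the value stays a single-line YAML scalar on any platform.
  enc=$(base64 < "$cfg" | tr -d '\n')
  cat <<EOF
---
apiVersion: v1
kind: Secret
metadata:
  name: policy-reporter-targets
  namespace: $ns
  labels:
    app.kubernetes.io/name: policy-reporter
type: Opaque
data:
  config.yaml: $enc
EOF
}

# Extract data.config.yaml from a Secret manifest ($1), decode it and compare
# with the source file ($2). Returns 0 when they match, non-zero otherwise.
verify_target_secret() {
  manifest="$1"
  cfg="$2"
  enc=$(sed -n 's/^  config\.yaml: //p' "$manifest")
  printf '%s' "$enc" | base64 -d | cmp -s - "$cfg"
}

# Constructed sample config; the webhook is a placeholder, not a real URL.
tmp=$(mktemp -d)
cat > "$tmp/config.yaml" <<'EOF'
target:
  slack:
    webhook: "https://hooks.slack.example/PLACEHOLDER"
    minimumPriority: "warning"
EOF
build_target_secret "$tmp/config.yaml" > "$tmp/unsealed_secret.yaml"
verify_target_secret "$tmp/unsealed_secret.yaml" "$tmp/config.yaml" && echo "secret data round-trips"
# Next step from the thread: kubeseal --format=yaml < unsealed_secret.yaml > secret.yaml
```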
fjogeleit avatar fjogeleit commented on August 19, 2024

Thanks for your detailed feedback! I mentioned in the bottom of the README that you need to delete the running pod if you change or replace the secret. Deleting the Pod instead of the Deployment should work too.
