kubewarden / helm-charts

Helm charts for the Kubewarden project
Apache License 2.0

Ingress for Policy Reporter UI invalid #463

Closed mueller-ma closed 3 months ago

mueller-ma commented 4 months ago

Is there an existing issue for this?

Current Behavior

https://docs.kubewarden.io/howtos/audit-scanner#ingress

I tried to use values from the linked docs page, but the ingress only returns 404 for me. When I kubectl describe the ingress, I can see it uses kubewarden-controller-policy-reporter:8080 as backend. On the docs there's also a kubectl port-forward command which uses a different service: kubewarden-controller-ui. When using kubectl edit to change the ingress to the ui service, it works:

apiVersion: networking.k8s.io/v1
kind: Ingress
[....]
spec:
  rules:
  - host: kw.rancher.dahag-unstable.de
    http:
      paths:
      - backend:
          service:
            name: kubewarden-controller-ui # Changed from kubewarden-controller-policy-reporter
            port:
              number: 8080
        path: /ui
        pathType: Exact

Expected Behavior

It should work with editing the ingress.

Steps To Reproduce

No response

Environment

No response

Anything else?

No response

jvanz commented 3 months ago

It looks like we have an issue in the documentation. The values defined there enable an ingress for the policy reporter issue, as you noticed. As far as I can see, if you want to enable the ingress for the ui, it's necessary to enable it in the ui subchart. @mueller-ma, please try to install/upgrade the controller charts with the following values:

auditScanner:
  policyReporter: true
policy-reporter: # subchart values settings
  ui:
    enabled: true
    ingress:
      enabled: true
      hosts:
        - host: "*.local"
          paths:
            - path: /
              pathType: Exact

You should get an ingress object pointing to the ui service.

mueller-ma commented 3 months ago

I had to change the pathType to ImplementationSpecific as the UI itself needs access to other resources, e.g. /api/v1/cluster-resources/rules. Please note that I also set a non-wildcard domain:

      auditScanner:
        policyReporter: true
      policy-reporter: # subchart values settings
        ui:
          enabled: true
          ingress:
            enabled: true
            hosts:
              - host: "kubewarden.example.com"
                paths:
                  - path: /
                    pathType: ImplementationSpecific
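
A check for the two failure modes in this thread (an Ingress backend pointing at the wrong service, and a pathType that leaves the UI's API paths unrouted), added here as an example; it is not part of the original issue or of the Kubewarden charts. The sample Ingress JSON is constructed, `path_matches` and `audit_ingress` are hypothetical helper names, and the expected service name and probe paths are taken from the comments above.

```python
import json

# Constructed sample in the shape of `kubectl get ingress <name> -o json`,
# using the host and pathType from the values first suggested in the thread.
SAMPLE_INGRESS = json.loads("""
{"spec": {"rules": [{"host": "*.local", "http": {"paths": [
  {"path": "/", "pathType": "Exact",
   "backend": {"service": {"name": "kubewarden-controller-ui",
                           "port": {"number": 8080}}}}]}}]}}
""")

def path_matches(rule_path, path_type, request_path):
    """Kubernetes Ingress path semantics; None means controller-dependent."""
    if path_type == "Exact":
        return request_path == rule_path
    if path_type == "Prefix":
        # Prefix matches element-wise on "/"-separated path segments.
        want = [p for p in rule_path.split("/") if p]
        got = [p for p in request_path.split("/") if p]
        return got[:len(want)] == want
    return None  # ImplementationSpecific: decided by the ingress controller

def audit_ingress(ingress, expected_service, probe_paths):
    """Return findings about hosts, backends and unrouted probe paths."""
    findings = []
    for rule in ingress["spec"].get("rules", []):
        host = rule.get("host", "")
        if not host or host.startswith("*."):
            findings.append(f"host {host!r}: wildcard or empty host")
        paths = rule.get("http", {}).get("paths", [])
        for p in paths:
            svc = p["backend"]["service"]["name"]
            if svc != expected_service:
                findings.append(f"{host}{p['path']}: backend is {svc}, "
                                f"expected {expected_service}")
        for probe in probe_paths:
            results = [path_matches(p["path"], p["pathType"], probe) for p in paths]
            if True in results:
                continue
            state = "controller-dependent" if None in results else "no rule matches (404)"
            findings.append(f"{host}{probe}: {state}")
    return findings

if __name__ == "__main__":
    for line in audit_ingress(SAMPLE_INGRESS, "kubewarden-controller-ui",
                              ["/", "/api/v1/cluster-resources/rules"]):
        print(line)
```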