From b60d12cffbde1eaa40c4702cf1a2f09267369f51 Mon Sep 17 00:00:00 2001
From: Sami Alajrami
Date: Thu, 23 Oct 2025 11:40:51 +0200
Subject: [PATCH 1/2] support excluding namespaces in helm chart

---
 charts/k8s-reporter/Chart.yaml | 4 ++--
 .../k8s-reporter/templates/_validations.tpl | 21 +++++++++++++++++++
 charts/k8s-reporter/templates/cronjob.yaml | 8 +++++++
 charts/k8s-reporter/values.yaml | 16 +++++++++++++-
 4 files changed, 46 insertions(+), 3 deletions(-)

diff --git a/charts/k8s-reporter/Chart.yaml b/charts/k8s-reporter/Chart.yaml
index 20600c310..b11d130d3 100644
--- a/charts/k8s-reporter/Chart.yaml
+++ b/charts/k8s-reporter/Chart.yaml
@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.10.0
+version: 1.11.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "2.11.15"
+appVersion: "2.11.27"
diff --git a/charts/k8s-reporter/templates/_validations.tpl b/charts/k8s-reporter/templates/_validations.tpl
index f3df1d357..411a7bf7e 100644
--- a/charts/k8s-reporter/templates/_validations.tpl
+++ b/charts/k8s-reporter/templates/_validations.tpl
@@ -5,4 +5,25 @@ Validate that namespacesRegex is not used with namespace-scoped permissions
 {{- if and (eq .Values.serviceAccount.permissionScope "namespace") (ne .Values.reporterConfig.namespacesRegex "") -}}
 {{- fail "namespacesRegex cannot be used with namespace-scoped permissions (serviceAccount.permissionScope: namespace). namespacesRegex requires cluster-wide permissions." -}}
 {{- end -}}
+{{- end -}}
+
+{{/*
+Validate that excludeNamespacesRegex is not used with namespace-scoped permissions
+*/}}
+{{- define "k8s-reporter.validateExcludeNamespacesRegex" -}}
+{{- if and (eq .Values.serviceAccount.permissionScope "namespace") (ne .Values.reporterConfig.excludeNamespacesRegex "") -}}
+{{- fail "excludeNamespacesRegex cannot be used with namespace-scoped permissions (serviceAccount.permissionScope: namespace). excludeNamespacesRegex requires cluster-wide permissions." -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Validate that exclude options are not combined with include options
+*/}}
+{{- define "k8s-reporter.validateExcludeOptions" -}}
+{{- if and (ne .Values.reporterConfig.namespaces "") (or (ne .Values.reporterConfig.excludeNamespaces "") (ne .Values.reporterConfig.excludeNamespacesRegex "")) -}}
+{{- fail "excludeNamespaces and excludeNamespacesRegex cannot be combined with namespaces. Use either include (namespaces/namespacesRegex) or exclude (excludeNamespaces/excludeNamespacesRegex) options, but not both." -}}
+{{- end -}}
+{{- if and (ne .Values.reporterConfig.namespacesRegex "") (or (ne .Values.reporterConfig.excludeNamespaces "") (ne .Values.reporterConfig.excludeNamespacesRegex "")) -}}
+{{- fail "excludeNamespaces and excludeNamespacesRegex cannot be combined with namespacesRegex. Use either include (namespaces/namespacesRegex) or exclude (excludeNamespaces/excludeNamespacesRegex) options, but not both." -}}
+{{- end -}}
 {{- end -}}
\ No newline at end of file
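Review bot: The scope check added in `k8s-reporter.validateExcludeNamespacesRegex` covers only the regex option, so `excludeNamespaces` combined with `serviceAccount.permissionScope: namespace` still renders. An exclude list presumably requires the reporter to enumerate every namespace except the listed ones, which namespace-scoped RBAC would not permit, so the job would likely fail at run time with forbidden errors instead of at install time; confirm this against the Role templates, which are not part of this patch. If it holds, reject the combination up front with a second guard such as `{{- if and (eq .Values.serviceAccount.permissionScope "namespace") (ne .Values.reporterConfig.excludeNamespaces "") -}}` followed by a matching `fail`, and add "Requires cluster-wide permissions." to the `excludeNamespaces` comment in values.yaml.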
diff --git a/charts/k8s-reporter/templates/cronjob.yaml b/charts/k8s-reporter/templates/cronjob.yaml
index e7dc1d5db..cf8000427 100644
--- a/charts/k8s-reporter/templates/cronjob.yaml
+++ b/charts/k8s-reporter/templates/cronjob.yaml
@@ -1,4 +1,6 @@
 {{- include "k8s-reporter.validateNamespacesRegex" . -}}
+{{- include "k8s-reporter.validateExcludeNamespacesRegex" . -}}
+{{- include "k8s-reporter.validateExcludeOptions" . -}}
 apiVersion: batch/v1
 kind: CronJob
 metadata:
@@ -57,6 +59,12 @@ spec:
 {{ else if .Values.reporterConfig.namespacesRegex }}
 - name: KOSLI_NAMESPACES_REGEX
 value: {{ .Values.reporterConfig.namespacesRegex | quote }}
+ {{ else if .Values.reporterConfig.excludeNamespaces }}
+ - name: KOSLI_EXCLUDE_NAMESPACES
+ value: {{ .Values.reporterConfig.excludeNamespaces | quote }}
+ {{ else if .Values.reporterConfig.excludeNamespacesRegex }}
+ - name: KOSLI_EXCLUDE_NAMESPACES_REGEX
+ value: {{ .Values.reporterConfig.excludeNamespacesRegex | quote }}
 {{ end }}
 {{- range $key, $value := .Values.env }}
diff --git a/charts/k8s-reporter/values.yaml b/charts/k8s-reporter/values.yaml
index 1456e77b9..8baf39dce 100644
--- a/charts/k8s-reporter/values.yaml
+++ b/charts/k8s-reporter/values.yaml
@@ -8,7 +8,7 @@ image:
 # -- the kosli reporter image pull policy
 pullPolicy: IfNotPresent
 # -- the kosli reporter image tag, overrides the image tag whose default is the chart appVersion.
- tag: "v2.11.17"
+ tag: "v2.11.27"
 # -- overrides the name used for the created k8s resources. If `fullnameOverride` is provided, it has higher precedence than this one
 nameOverride: ""
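Review bot: In the second cronjob.yaml hunk the two exclude branches share one `else if` chain, so when both `excludeNamespaces` and `excludeNamespacesRegex` are set only `KOSLI_EXCLUDE_NAMESPACES` is emitted and the regex is dropped without any message. Namespaces the operator meant to keep out of the report are then still scanned and sent to Kosli. values.yaml documents this precedence, but `k8s-reporter.validateExcludeOptions` does not enforce it; either fail when both are non-empty, e.g. `{{- if and (ne .Values.reporterConfig.excludeNamespaces "") (ne .Values.reporterConfig.excludeNamespacesRegex "") -}}` with a matching `fail`, or emit the two variables from independent `if` blocks if the reporter accepts both together. The chain's opening `if` lies outside the hunk.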
@@ -44,15 +44,29 @@ reporterConfig:
 # -- the name of Kosli environment that the k8s cluster/namespace correlates to
 kosliEnvironmentName: ""
 # -- the namespaces to scan and report.
+ # Cannot be combined with excludeNamespaces or excludeNamespacesRegex.
 # It is a comma separated list of namespace names.
 # leave this and namespacesRegex unset if you want to report what is running in the entire cluster
 namespaces: ""
 # -- the namespaces Regex patterns to scan and report.
 # Does not have effect if namespaces is set.
 # Requires cluster-wide permissions.
+ # Cannot be combined with excludeNamespaces or excludeNamespacesRegex.
 # It is a comma separated list of namespace regex patterns.
 # leave this and namespaces unset if you want to report what is running in the entire cluster
 namespacesRegex: ""
+ # -- the namespaces to exclude from scanning and reporting.
+ # Cannot be combined with namespaces or namespacesRegex.
+ # It is a comma separated list of namespace names.
+ # leave this and excludeNamespacesRegex unset if you want to report what is running in the entire cluster
+ excludeNamespaces: ""
+ # -- the namespaces Regex patterns to exclude from scanning and reporting.
+ # Does not have effect if excludeNamespaces is set.
+ # Cannot be combined with namespaces or namespacesRegex.
+ # Requires cluster-wide permissions.
+ # It is a comma separated list of namespace regex patterns.
+ # leave this and excludeNamespaces unset if you want to report what is running in the entire cluster
+ excludeNamespacesRegex: ""
 # -- whether the dry run mode is enabled or not. In dry run mode, the reporter logs the reports to stdout and does not send them to kosli.
 dryRun: false
 # -- the http proxy url
From 51d7f52a21e6f1b2be7eafd9400923f93becc4e4 Mon Sep 17 00:00:00 2001
From: Sami Alajrami
Date: Thu, 23 Oct 2025 11:56:16 +0200
Subject: [PATCH 2/2] fix test expectation

---
 cmd/kosli/archiveEnvironment_test.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/cmd/kosli/archiveEnvironment_test.go b/cmd/kosli/archiveEnvironment_test.go
index 84b7c9052..9f2f7c9a6 100644
--- a/cmd/kosli/archiveEnvironment_test.go
+++ b/cmd/kosli/archiveEnvironment_test.go
@@ -36,10 +36,10 @@ func (suite *ArchiveEnvironmentCommandTestSuite) TestArchiveEnvironmentCmd() {
 golden: "environment archive-environment was archived\n",
 },
 {
- wantError: true,
- name: "archiving non-existing environment fails",
- cmd: fmt.Sprintf(`archive environment non-existing %s`, suite.defaultKosliArguments),
- golden: "Error: Environment named 'non-existing' does not exist for organization 'docs-cmd-test-user'. \n",
+ wantError: true,
+ name: "archiving non-existing environment fails",
+ cmd: fmt.Sprintf(`archive environment non-existing %s`, suite.defaultKosliArguments),
+ goldenRegex: "^Error: Environment named 'non-existing' does not exist for organization 'docs-cmd-test-user'",
 },
 {
 wantError: true,
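Review bot: The new `goldenRegex` is anchored only at the start, so this case now accepts any text after the organization name, and nothing in the table entry says why the tail was unpinned. If the trailing part of the server message varies (inferred from the dropped `. \n`), record that next to the field, e.g. `// the server's trailing text varies; only the stable prefix is asserted`. The test table continues outside the hunk.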