Exposing values to enable users to manage the SecurityProfilesOperatorDaemon config

[rahulroshan-kachchap]

What type of PR is this?

kind feature

What this PR does / why we need it:

Expanding helm chart to expose values to enable users to manage the SecurityProfilesOperatorDaemon config, so that users can toggle what's deployed more easily via three new values: enableSelinux, enableLogEnricher and enableAppArmor.
Added config.yaml file in the templates directory of helm chart which takes configurable input from users via values.yaml.

Which issue(s) this PR fixes:

Fixes #1320

Does this PR have test?

NA

Special notes for your reviewer:

Tested the above changes with only enableAppArmor: true and enableSelinux, enableLogEnricher as false. Verified in the spod logs after deployment:
I1213 04:41:53.620891 2231997 apparmorprofile.go:277] apparmor-spod "msg"="detecting apparmor support..."
I1213 04:41:53.642182 2231997 apparmorprofile.go:284] apparmor-spod "msg"="apparmor enabled: OK"
I1213 04:41:53.642412 2231997 apparmorprofile.go:287] apparmor-spod "msg"="apparmor enforceable: OK"

Does this PR introduce a user-facing change?

Exposed `enableSelinux`, `enableLogEnricher` and `enableAppArmor` values in the helm chart values.yaml to make it configurable by the user during the deployment.

[k8s-ci-robot]

Welcome @rahulroshan-kachchap!

It looks like this is your first PR to kubernetes-sigs/security-profiles-operator 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/security-profiles-operator has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @rahulroshan-kachchap. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[saschagrunert]

/ok-to-test

Thank you for the contribution @rahulroshan-kachchap! I guess this one deserves a release note, doesn't it?

[codecov-commenter]

Codecov Report

Merging #1376 (064654d) into main (bf24f5c) will not change coverage.
The diff coverage is n/a.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1376   +/-   ##
=======================================
  Coverage   44.13%   44.13%           
=======================================
  Files          50       50           
  Lines        5651     5651           
=======================================
  Hits         2494     2494           
  Misses       3037     3037           
  Partials      120      120           

[rahulroshan-kachchap]

/ok-to-test

Thank you for the contribution @rahulroshan-kachchap! I guess this one deserves a release note, doesn't it?

Updated

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: rahulroshan-kachchap / name: Rahul Roshan Kachchap (0f02581, 365378e)

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: JAORMX, rahulroshan-kachchap

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [JAORMX]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[rahulroshan-kachchap]

/easycla

[jhrozek]

would it be possible to squash the patches to one to have a leaner commit history?

[jhrozek]

btw looks like you also need to run make deployments and commit the result

[rahulroshan-kachchap]

would it be possible to squash the patches to one to have a leaner commit history?
Done

[rahulroshan-kachchap]

btw looks like you also need to run make deployments and commit the result

@jhrozek Being this as my first PR , can you please elaborate on this? Where do i need to run make deployments? Do i need to post the result somewhere?

[jhrozek]

btw looks like you also need to run make deployments and commit the result

@jhrozek Being this as my first PR , can you please elaborate on this? Where do i need to run make deployments? Do i need to post the result somewhere?

Sorry, I don't know helm very much so I'm not sure I can help with the contents of the PR. But the gist of it is that during PR verifications, one of the checks that are run is the same thing as if you run make deployments from the command line in the SPO code tree. This command should not modify the resulting files in any way.

Looking at your PR, it looks like you were modifying deploy/helm/templates/static-resources.yaml which is the file the make deployments target writes to with $(BUILD_DIR)/kustomize build --reorder=none deploy/overlays/helm -o deploy/helm/templates/static-resources.yaml. Shouldn't your PR rather modify files under deploy/overlays/helm so that the result is generated the way you want?

[pjbgf]

Looks good and happy with everything being disabled by default. Tested and works as expected.

However, we still need the commits to be squashed so the changes are a single commit.

/lgtm /hold

[rahulroshan-kachchap]

Looks good and happy with everything being disabled by default. Tested and works as expected.

However, we still need the commits to be squashed so the changes are a single commit.

/lgtm /hold

Squashed commits into one

[rahulroshan-kachchap]

Hi @pjbgf , what is the expected date for approving this PR?

[JAORMX]

Running the CI tests now, waiting for them to finish before tagging this PR as approved.

[rahulroshan-kachchap]

@JAORMX are we good here to close the PR as all the required tests are passing

[ccojocar]

I would expose also other flags in here such as: enableBpfRecoder, verbosity, enableProfiling. The same all switched off by default.

[rahulroshan-kachchap]

@ccojocar Will add enableBpfRecorder & enableProfiling.
For verbosity crd says:
verbosity:
description: Verbosity specifies the logging verbosity of the daemon.
type: integer
Since its type is integer, i assume the default needs to be set as 0. Please suggest

[rahulroshan-kachchap]

@ccojocar kindly suggest

[pjbgf]

+1 considering the title of the PR I think that would make sense.
But also happy for that to be added as a follow-up PR.

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: rahulroshan-kachchap / name: Rahul Roshan Kachchap (3ca5892)

[pjbgf]

@rahulroshan-kachchap would you mind rebasing this PR again please?

[pjbgf]

@rahulroshan-kachchap thank you for following-up and rebasing. 🙇

/lgtm