kubewarden · viccuad · Apr 17, 2024 · Apr 16, 2024 · Apr 16, 2024 · Apr 16, 2024
@@ -1,6 +1,7 @@
 # This is a Rancher questions file
 ---
 questions:
+  # Audit checks:
   - variable: "auditScanner.enable"
     type: boolean
     default: false
@@ -10,28 +11,25 @@ questions:
       The Background Audit Check looks at existing Kubernetes resources and
       periodically determines whether they are still compliant with regards to the
       policies that are currently defined.
-    group: "Features"
+    group: "Audit checks"
   - variable: "auditScanner.cronJob.schedule"
     type: string
     default: "*/60 * * * *"
     show_if: auditScanner.enable=true
     label: Schedule
     description: |
       Schedule of the Background Audit check. Follows the Unix-cron syntax.
-    group: "Features"
-  - variable: "auditScanner.store"
+    group: "Audit checks"
+  - variable: "auditScanner.disableStore"
     show_if: auditScanner.enable=true
-    type: enum
-    options:
-      - "kubernetes"
-      - "memory"
-    default: "kubernetes"
-    label: Store
+    type: boolean
+    default: false
+    label: Don't store (Cluster)PolicyReports in etcd
     description: |
-        Configures where (Cluster)PolicyReports are stored.
-        It can be either "kubernetes" (use Kubernetes/etcd) or "memory" (use in-memory cache).
-        Note that you may need to adjust `resources.auditScanner` when using memory store.
-    group: "Features"
+      If true, (Cluster)PolicyReports are not stored in etcd but using an in-memory cache.
+      Note that you may need to adjust `resources.auditScanner` when using the
+      in-memory store.
+    group: "Audit checks"
   - variable: "auditScanner.serviceAccountName"
     type: string
     default: "audit-scanner"
@@ -42,7 +40,7 @@ questions:
       "view" (allows read-only access to most objects in a namespace, does not
       allow viewing secrets, roles or role bindings), and "audit-scanner-cluster-role"
       (allows read-write to Kubewarden resources and PolicyReports).
-    group: "Features"
+    group: "Audit checks"
   - variable: "auditScanner.policyReporter"
     type: boolean
     default: false
@@ -51,7 +49,24 @@ questions:
     description: |
       Policy reporter is a UI to visualize the reports generated by Background
       Audit checks
-    group: "Features"
+    group: "Audit checks"
+  - variable: "auditScanner.skipAdditionalNamespaces"
+    type: array[
+    show_if: auditScanner.enable=true
+    label: Additional namespaces to skip from audit
+    description: |
+      Additional namespaces that the audit scanner will not scan.
+    group: "Audit checks"
+  # controller HA:
+  - variable: "replicas"
+    type: integer
+    default: 1
+    required: true
+    label: Number of replicas
+    description: |
+      Number of replicas of the Controller Deployment
+    group: "Controller HA"
+  # Certificates:
   - variable: tls.source
     default: "cert-manager-self-signed"
     description: "Source for TLS certificates"
@@ -71,6 +86,7 @@ questions:
           Name of cert-manager Issuer
         group: "Certificates"
         show_if: "tls.source=cert-manager"
+  # Telemetry:
   - variable: "telemetry.metrics.enabled"
     type: boolean
     default: false

@@ -1,27 +1,52 @@
 # This is a Rancher questions file
 ---
 questions:
-# Recommended policies questions:
-- variable: "recommendedPolicies.enabled"
-  type: boolean
-  default: false
-  required: true
-  label: Enable recommended policies
-  description: |
-    Whether the recommended policies are enabled or not. Recommended
-    policies are a minimum set of policies that secure your cluster and
-    Kubewarden, while leaving the system namespaces untouched.
-  group: Settings
-- variable: "recommendedPolicies.defaultPolicyMode"
-  type: enum
-  options:
-    - "monitor"
-    - "protect"
-  default: "monitor"
-  show_if: recommendedPolicies.enabled=true
-  label: Execution mode of the recommended policies
-  description: |
-    Execution mode of the recommended policies. "protect" will reject requests,
-    "monitor" will log them. Transitioning from "monitor" to "protect" is
-    allowed, but not from "protect" to "monitor".
-  group: Settings
+  # Recommended policies questions:
+  - variable: "recommendedPolicies.enabled"
+    type: boolean
+    default: false
+    required: true
+    label: Enable recommended policies
+    description: |
+      Whether the recommended policies are enabled or not. Recommended
+      policies are a minimum set of policies that secure your cluster and
+      Kubewarden, while leaving the system namespaces untouched.
+    group: "Recommended Policies"
+  - variable: "recommendedPolicies.defaultPolicyMode"
+    type: enum
+    options:
+      - "monitor"
+      - "protect"
+    default: "monitor"
+    show_if: recommendedPolicies.enabled=true
+    label: Execution mode of the recommended policies
+    description: |
+      Execution mode of the recommended policies. "protect" will reject requests,
+      "monitor" will log them. Transitioning from "monitor" to "protect" is
+      allowed, but not from "protect" to "monitor".
+    group: "Recommended Policies"
+  - variable: "recommendedPolicies.skipAdditionalNamespaces"
+    type: array[
+    show_if: recommendedPolicies.enabled=true
+    label: Additional namespaces to skip from evaluation
+    description: |
+      Additional namespaces that the recommended policies will not apply to.
+    group: "Recommended Policies"
+  # Default PolicyServer questions
+  - variable: "policyServer.serviceAccountName"
+    type: string
+    required: true
+    label: Name of the ServiceAccount associated to the PolicyServer default
+    description: |
+      Minimum number of policy-server Pods that must be available at all times.
+      Can be an integer or a percentage.
+    group: "Default PolicyServer"
+  # Default PolicyServer HA
+  - variable: "policyServer.replicaCount"
+    type: integer
+    default: 1
+    required: true
+    label: Number of replicas
+    description: |
+      Number of replicas of the PolicyServer Deployment
+    group: "Default PolicyServer HA"