Merge branch 'main' into dashboard-updates

.github/workflows/playwright.yml

@@ -28,14 +28,14 @@ on:
       k3s:
         description: Kubernetes version
         type: choice
-        default: 'v1.28.11-k3s2'
+        default: 'v1.28.12-k3s1'
         required: true
         options:
         - v1.26.15-k3s1
-        - v1.27.15-k3s2
-        - v1.28.11-k3s2
-        - v1.29.6-k3s2
-        - v1.30.2-k3s2
+        - v1.27.16-k3s1
+        - v1.28.12-k3s1
+        - v1.29.7-k3s1
+        - v1.30.3-k3s1
       mode:
         description: Installation mode
         type: choice
@@ -76,7 +76,7 @@ env:
   # Github -> Secrets and variables -> Actions -> New repository variable
   KUBEWARDEN: ${{ inputs.kubewarden || 'rc' }}
   K3D_VERSION: # 'v5.6.3' - optionally pin version
-  K3S_VERSION: ${{ inputs.k3s || 'v1.28.11-k3s2' }}
+  K3S_VERSION: ${{ inputs.k3s || 'v1.28.12-k3s1' }}
   K3D_CLUSTER_NAME: ${{ github.repository_owner }}-${{ github.event.repository.name }}-runner
   # First value after the && must be truthy. Otherwise, the value after the || will always be returned
   TESTBASE: ${{ github.event_name != 'workflow_dispatch' && true || inputs.testbase }}
@@ -93,13 +93,18 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        rancher: ${{ (github.event_name == 'schedule' || github.event_name == 'workflow_run') && fromJSON('["2.7", "2.8"]') || fromJSON(format('["{0}"]', inputs.rancher || 'released')) }}
+        rancher: ${{ (github.event_name == 'schedule' || github.event_name == 'workflow_run') && fromJSON('["2.7", "2.8", "2.9"]') || fromJSON(format('["{0}"]', inputs.rancher || 'released')) }}
         mode: ${{ (github.event_name == 'schedule' || github.event_name == 'workflow_run') && fromJSON('["base", "upgrade", "fleet"]') || fromJSON(format('["{0}"]', inputs.mode || 'base')) }}
         exclude:
+          # Run full tests on 2.8 since it's latest prime version
           - rancher: ${{ (github.event_name == 'schedule' || github.event_name == 'workflow_run') && '2.7' }}
             mode: upgrade
           - rancher: ${{ (github.event_name == 'schedule' || github.event_name == 'workflow_run') && '2.7' }}
             mode: fleet
+          - rancher: ${{ (github.event_name == 'schedule' || github.event_name == 'workflow_run') && '2.9' }}
+            mode: upgrade
+          - rancher: ${{ (github.event_name == 'schedule' || github.event_name == 'workflow_run') && '2.9' }}
+            mode: fleet
 
 
     # Run schedule workflows only on original repo, not forks
@@ -112,15 +117,6 @@ jobs:
     # Check out code and install requirements
     # Use local kuberlr to avoid version skew
     - uses: actions/checkout@v4
-    - uses: actions/setup-node@v4
-      with:
-        node-version: '16'
-    - name: Install playwright
-      working-directory: tests
-      run: |
-        yarn install
-        yarn playwright install chromium  # --with-deps not supported on opensuse
-
 
     # ==================================================================================================
     # Set up parameters and ENV
@@ -131,15 +127,17 @@ jobs:
           pull_request)
             KUBEWARDEN=source;;
           schedule)
-            # Rancher 2.7 chart requires kubeVersion: < 1.28.0-0
-            [[ "${{ matrix.rancher }}" == "2.7" ]] && echo K3S_VERSION="v1.27.15-k3s2" | tee -a $GITHUB_ENV
-            KUBEWARDEN=released;;
+            # Rancher 2.9 is not prime = UI is not available from official charts
+            [[ "${{ matrix.rancher }}" == *2.9* ]] && KUBEWARDEN=rc || KUBEWARDEN=released;;
           workflow_run)
             KUBEWARDEN=rc;;
         esac
 
+        # Rancher 2.7 chart requires kubeVersion: < 1.28.0-0
+        [[ "${{ matrix.rancher }}" == *2.7* ]] && echo K3S_VERSION="v1.27.16-k3s1" | tee -a $GITHUB_ENV
+
         # KW extension is prime since 2.8.3
-        [[ "$KUBEWARDEN" == "source" ]] && REPO=rancher-latest || REPO=rancher-prime
+        [[ "${{ matrix.rancher }}" == *2.[78]* ]] && REPO=rancher-prime || REPO=rancher-latest
 
         # Print matrix
         echo "Event: ${{github.event_name}}"
@@ -176,12 +174,6 @@ jobs:
         [ "$RANCHER" == "rc" ] && RANCHER='*-0'
         [ "$RANCHER" == "released" ] && RANCHER='*'
 
-        # Workaround for rancher 2.9 in alpha
-        if [ "$KUBEWARDEN" == "source" ]; then
-          REPO=rancher-alpha
-          RANCHER='~2.9-0'
-        fi
-
         # Rancher PSP is based on kubernetes version
         RANCHER_PSP=$(kubectl version -o json | jq -r '.serverVersion.minor <= "24"')
 
@@ -213,13 +205,28 @@ jobs:
     # ==================================================================================================
     # Setup playwright ENV and run tests
     # https://rancher.github.io/dashboard/testing/e2e-test#setup-for-local-tests
+    - uses: actions/setup-node@v4
+      if: env.KUBEWARDEN == 'source'
+      with:
+        node-version: '16'
+
     - name: Build Kubewarden extension
       if: env.KUBEWARDEN == 'source'
       run: |
         yarn install --ignore-engines
         VERSION=0.0.1 yarn build-pkg kubewarden
 
-    - name: Install & Execute tests
+    - uses: actions/setup-node@v4
+      with:
+        node-version: '18'
+
+    - name: Install playwright
+      working-directory: tests
+      run: |
+        yarn install
+        yarn playwright install chromium  # --with-deps not supported on opensuse
+
+    - name: Execute tests
       timeout-minutes: 120
       working-directory: tests
       run: |

package.json

@@ -1,6 +1,6 @@
 {
   "name": "ui",
-  "version": "1.6.2",
+  "version": "2.0.0",
   "private": false,
   "scripts": {
     "build-pkg": "./node_modules/@rancher/shell/scripts/build-pkg.sh",

pkg/kubewarden/assets/kubewarden-dashboard-policyserver.json

@@ -269,7 +269,7 @@
       "type": "stat"
     },
     {
-      "datasource": "${DS_PROMETHEUS}",
+      "datasource": null,
       "fieldConfig": {
         "defaults": {
           "color": {
@@ -383,7 +383,7 @@
       "type": "stat"
     },
     {
-      "datasource": "${DS_PROMETHEUS}",
+      "datasource": null,
       "fieldConfig": {
         "defaults": {
           "color": {

pkg/kubewarden/chart/kubewarden/admission/Settings.vue

@@ -6,6 +6,10 @@ import YamlEditor from '@shell/components/YamlEditor';
 
 export default {
   props: {
+    activeTab: {
+      type:    String,
+      default: null
+    },
     value: {
       type:     Object,
       required: true
@@ -22,10 +26,14 @@ export default {
     return { settingsYaml };
   },
 
-  mounted() {
-    this.$root.$on('routeChanged', () => {
-      this.$refs.yamleditor?.refresh();
-    });
+  watch: {
+    activeTab() {
+      if ( this.activeTab === 'settings' ) {
+        this.$nextTick(() => {
+          this.$refs.yamleditor.refresh();
+        });
+      }
+    }
   },
 
   computed: {

pkg/kubewarden/chart/kubewarden/admission/index.vue

@@ -40,7 +40,7 @@ export default {
   inject: ['chartType'],
 
   data() {
-    return { chartValues: null };
+    return { activeTab: null, chartValues: null };
   },
 
   created() {
@@ -104,6 +104,10 @@ export default {
   methods: {
     settingsChanged(event) {
       this.chartValues.policy.spec.settings = jsyaml.load(event);
+    },
+
+    setActiveTab(tab) {
+      this.activeTab = tab;
     }
   }
 };
@@ -122,10 +126,11 @@ export default {
     </Tab>
 
     <template v-if="showSettings">
-      <Tab name="settings" :label="t('kubewarden.policyConfig.tabs.settings')" :weight="98">
+      <Tab name="settings" :label="t('kubewarden.policyConfig.tabs.settings')" :weight="98" @active="() => setActiveTab('settings')">
         <Settings
           v-model="chartValues"
           data-testid="kw-policy-config-settings-tab"
+          :active-tab="activeTab"
           @updateSettings="settingsChanged($event)"
         />
       </Tab>

pkg/kubewarden/components/PolicyReporter/index.vue

@@ -3,14 +3,15 @@ import { mapGetters } from 'vuex';
 import isEmpty from 'lodash/isEmpty';
 import semver from 'semver';
 
-import { SERVICE, WORKLOAD_TYPES } from '@shell/config/types';
+import { CATALOG, SERVICE, WORKLOAD_TYPES } from '@shell/config/types';
 import { KUBERNETES } from '@shell/config/labels-annotations';
 import ResourceFetch from '@shell/mixins/resource-fetch';
 import ResourceManager from '@shell/mixins/resource-manager';
 
 import Loading from '@shell/components/Loading';
 import { Banner } from '@components/Banner';
 
+import { isAdminUser } from '../../utils/permissions';
 import { handleGrowl } from '../../utils/handle-growl';
 import { rootKubewardenRoute } from '../../utils/custom-routing';
 import { KUBEWARDEN, KUBEWARDEN_APPS, KUBEWARDEN_CHARTS, WG_POLICY_K8S } from '../../types';
@@ -21,21 +22,46 @@ export default {
   mixins: [ResourceFetch, ResourceManager],
 
   async fetch() {
-    await this.$fetchType(WORKLOAD_TYPES.DEPLOYMENT);
-    await this.$fetchType(SERVICE);
+    this.isAdminUser = isAdminUser(this.$store.getters);
+    const types = {
+      policyServer:           { type: KUBEWARDEN.POLICY_SERVER },
+      admissionPolicy:        { type: KUBEWARDEN.ADMISSION_POLICY },
+      clusterAdmissionPolicy: { type: KUBEWARDEN.CLUSTER_ADMISSION_POLICY },
+      app:                    { type: CATALOG.APP },
+      deployment:             { type: WORKLOAD_TYPES.DEPLOYMENT }
+    };
+
+    for ( const [key, value] of Object.entries(types) ) {
+      if ( this.$store.getters['cluster/canList'](value) ) {
+        this.permissions[key] = true;
+      }
+    }
 
-    this.secondaryResourceData = this.secondaryResourceDataConfig();
-    await this.resourceManagerFetchSecondaryResources(this.secondaryResourceData);
+    if ( this.hasAvailability ) {
+      await this.$fetchType(WORKLOAD_TYPES.DEPLOYMENT);
+      await this.$fetchType(SERVICE);
+
+      this.secondaryResourceData = this.secondaryResourceDataConfig();
+      await this.resourceManagerFetchSecondaryResources(this.secondaryResourceData);
+    }
   },
 
   data() {
     return {
+      isAdminUser: false,
+      permissions: {
+        policyServer:           false,
+        admissionPolicy:        false,
+        clusterAdmissionPolicy: false,
+        app:                    false,
+        deployment:             false
+      },
+
       rootKubewardenRoute,
-      controller:               null,
-      reporterReportingService: null,
-      reporterUIService:        null,
-      reporterUrl:              null,
-      secondaryResourceData:    this.secondaryResourceDataConfig(),
+      reporterReportingService:   null,
+      reporterUIService:          null,
+      reporterUrl:                null,
+      secondaryResourceData:      this.secondaryResourceDataConfig(),
     };
   },
 
@@ -56,6 +82,10 @@ export default {
       return this.allDeployments?.filter(deploy => deploy?.metadata?.labels?.[KUBERNETES.INSTANCE] === KUBEWARDEN_APPS.RANCHER_CONTROLLER);
     },
 
+    hasAvailability() {
+      return this.isAdminUser || Object.values(this.permissions).every(value => value);
+    },
+
     hasPolicyServerSchema() {
       return this.$store.getters['cluster/schemaFor'](KUBEWARDEN.POLICY_SERVER);
     },
@@ -161,7 +191,15 @@ export default {
 <template>
   <Loading v-if="$fetchState.pending" />
   <div v-else>
-    <template v-if="!hasPolicyServerSchema">
+    <template v-if="!hasAvailability">
+      <Banner
+        color="error"
+        class="mt-20 mb-20"
+        data-testid="kw-unavailability-banner"
+        :label="t('kubewarden.unavailability.banner', { type: t('kubewarden.unavailability.type.policyReporter') })"
+      />
+    </template>
+    <template v-else-if="!hasPolicyServerSchema">
       <div>
         <h1 class="mb-20">
           {{ t('kubewarden.policyReporter.title') }}

pkg/kubewarden/l10n/en-us.yaml

@@ -1,7 +1,10 @@
 kubewarden:
   title: Kubewarden
   unavailability:
-    banner: 'You do not have access to the Kubewarden Dashboard. Please contact your administrator.'
+    banner: 'You do not have access to the {type}. Please contact your administrator.'
+    type:
+      dashboard: Kubewarden Dashboard
+      policyReporter: Policy Reporter
   generic:
     name: Name
   dashboard:

pkg/kubewarden/modules/policyReporter.ts

@@ -47,7 +47,7 @@ export async function getReports(
       controllerApp = await fetchControllerApp(store);
     }
 
-    if ( schema && isValidAppVersion(controllerApp) ) {
+    if ( schema ) {
       try {
         const reports = await store.dispatch('cluster/findAll', { type: reportType }, { root: true });
 

pkg/kubewarden/package.json

@@ -2,7 +2,7 @@
   "name": "kubewarden",
   "description": "Kubewarden extension for Rancher Manager",
   "icon": "https://raw.githubusercontent.com/kubewarden/ui/main/pkg/kubewarden/assets/icon-kubewarden.svg",
-  "version": "1.6.2",
+  "version": "2.0.0",
   "private": false,
   "rancher": {
     "annotations": {

pkg/kubewarden/pages/c/_cluster/kubewarden/index.vue

@@ -68,7 +68,7 @@ export default {
       color="error"
       class="mt-20 mb-20"
       data-testid="kw-unavailability-banner"
-      label-key="kubewarden.unavailability.banner"
+      :label="t('kubewarden.unavailability.banner', { type: t('kubewarden.unavailability.type.dashboard') })"
     />
   </div>
   <div v-else>

pkg/kubewarden/utils/chart.ts

@@ -175,7 +175,7 @@ export function checkUpgradeAvailable(store: Store<any>, app: CatalogApp, chart:
  * @param highestVersion - The highest version found so far.
  * @returns string | null - The valid upgrade version or null if no valid upgrade is found.
  */
-function getValidUpgrade(currentVersion: string, upgradeVersion: string, highestVersion: string): string | null {
+export function getValidUpgrade(currentVersion: string, upgradeVersion: string, highestVersion: string): string | null {
   if ( !currentVersion || !upgradeVersion ) {
     return null;
   }

tests/e2e/00-installation.spec.ts

@@ -18,12 +18,13 @@ expect(MODE).toMatch(/^(base|fleet|upgrade)$/)
 // Known Kubewarden versions for upgrade test, start at [0]
 const upMap: AppVersion[] = [
   // { app: 'v1.8.0', controller: '2.0.0', crds: '1.4.2', defaults: '1.8.0' },
-  { app: 'v1.9.0', controller: '2.0.5', crds: '1.4.4', defaults: '1.9.2' },
+  // { app: 'v1.9.0', controller: '2.0.5', crds: '1.4.4', defaults: '1.9.2' },
   { app: 'v1.10.0', controller: '2.0.8', crds: '1.4.5', defaults: '1.9.3' },
   { app: 'v1.11.0', controller: '2.0.10', crds: '1.4.6', defaults: '1.9.4' },
   { app: 'v1.12.0', controller: '2.0.11', crds: '1.5.0', defaults: '2.0.0' },
   { app: 'v1.13.0', controller: '2.1.0', crds: '1.5.1', defaults: '2.0.3' },
   { app: 'v1.14.0', controller: '2.2.1', crds: '1.6.0', defaults: '2.1.0' },
+  { app: 'v1.15.0', controller: '2.3.1', crds: '1.7.0', defaults: '2.2.1' },
 ]
 
 test('Initial rancher setup', async({ page, ui, nav }) => {
@@ -87,15 +88,11 @@ test('Install UI extension', async({ page, ui }) => {
   })
 })
 
-test('Install Kubewarden', async({ page, ui, nav, context }) => {
+test('Install Kubewarden', async({ page, ui, nav }) => {
   test.skip(MODE === 'fleet')
 
-  // Required by cert-manager copy on click
-  // Setting clipboard-write on model is broken, probably playwright issue
-  await context.grantPermissions(['clipboard-read', 'clipboard-write'])
   const kwPage = new KubewardenPage(page)
   await kwPage.installKubewarden({ version: MODE === 'upgrade' ? upMap[0].controller : undefined })
-  await context.clearPermissions()
 
   // Check UI is active
   await nav.explorer('Kubewarden')