

fix: Allow changing the WebhookConfiguration name and the preInstall …
…crd image (open-policy-agent#2563)

Co-authored-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com>
Signed-off-by: Xander Grzywinski <xandergr@microsoft.com>
2 people authored and Xander Grzywinski committed Apr 5, 2023
1 parent f89bbb4 commit 0afa008
Showing 18 changed files with 99 additions and 42 deletions.
14 changes: 14 additions & 0 deletions cmd/build/helmify/kustomization.yaml
Expand Up @@ -137,3 +137,17 @@ patchesJson6902:
patch: |-
- op: remove
path: /spec/ports
- target:
kind: ValidatingWebhookConfiguration
name: gatekeeper-validating-webhook-configuration
patch: |-
- op: replace
path: /metadata/name
value: "{{ .Values.validatingWebhookName }}"
- target:
kind: MutatingWebhookConfiguration
name: gatekeeper-mutating-webhook-configuration
patch: |-
- op: replace
path: /metadata/name
value: "{{ .Values.mutatingWebhookName }}"
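Review bot: The two `replace` patches on `/metadata/name` take `.Values.validatingWebhookName` and `.Values.mutatingWebhookName` with no guard, so a chart user who sets either to an empty string gets a WebhookConfiguration with an empty name, and every RBAC `resourceNames` entry templated from the same value (the ClusterRole replacements in cmd/build/helmify/main.go and the `resourceNames` lists in the preUninstall hook section below) renders as a bare `- ` item that the API server rejects. The quoted template text appears to pass through helmify into the generated chart unchanged, so a render-time check can live here: `value: '{{ required "validatingWebhookName must be set" .Values.validatingWebhookName }}'`, and the same for the mutating name. Deriving the object name and the `resourceNames` grants from one value is otherwise the right shape, since the delete/update permissions stay scoped to exactly the configured objects.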
2 changes: 2 additions & 0 deletions cmd/build/helmify/kustomize-for-helm.yaml
Expand Up @@ -152,6 +152,8 @@ spec:
- --audit-interval={{ .Values.auditInterval }}
- --log-level={{ (.Values.audit.logLevel | empty | not) | ternary .Values.audit.logLevel .Values.logLevel }}
- --constraint-violations-limit={{ .Values.constraintViolationsLimit }}
- --validating-webhook-configuration-name={{ .Values.validatingWebhookName }}
- --mutating-webhook-configuration-name={{ .Values.mutatingWebhookName }}
- --audit-from-cache={{ .Values.auditFromCache }}
- --audit-chunk-size={{ .Values.auditChunkSize }}
- --audit-match-kind-only={{ .Values.auditMatchKindOnly }}
15 changes: 11 additions & 4 deletions cmd/build/helmify/main.go
Expand Up @@ -101,18 +101,21 @@ func (ks *kindSet) Write() error {
if err != nil {
return err
}

fileName := fmt.Sprintf("%s-%s.yaml", strings.ToLower(name), strings.ToLower(kind))
destFile := path.Join(*outputDir, subPath, fileName)
fmt.Printf("Writing %s\n", destFile)

if name == "gatekeeper-validating-webhook-configuration" {
if name == "validation.gatekeeper.sh" {
obj = "{{- if not .Values.disableValidatingWebhook }}\n" + obj + "{{- end }}\n"
fileName = fmt.Sprintf("gatekeeper-validating-webhook-configuration-%s.yaml", strings.ToLower(kind))
}

if name == "gatekeeper-mutating-webhook-configuration" {
if name == "mutation.gatekeeper.sh" {
obj = "{{- if not .Values.disableMutation }}\n" + obj + "{{- end }}\n"
fileName = fmt.Sprintf("gatekeeper-mutating-webhook-configuration-%s.yaml", strings.ToLower(kind))
}

destFile := path.Join(*outputDir, subPath, fileName)

if name == "gatekeeper-webhook-server-cert" && kind == "Secret" {
obj = "{{- if not .Values.externalCertInjection.enabled }}\n" + obj + "{{- end }}\n"
}
Expand Down Expand Up @@ -151,8 +154,12 @@ func (ks *kindSet) Write() error {

if name == "gatekeeper-manager-role" && kind == "ClusterRole" {
obj = strings.Replace(obj, "- apiGroups:\n - policy\n resourceNames:\n - gatekeeper-admin\n resources:\n - podsecuritypolicies\n verbs:\n - use\n", "{{- if and .Values.psp.enabled (.Capabilities.APIVersions.Has \"policy/v1beta1/PodSecurityPolicy\") }}\n- apiGroups:\n - policy\n resourceNames:\n - gatekeeper-admin\n resources:\n - podsecuritypolicies\n verbs:\n - use\n{{- end }}\n", 1)
obj = strings.Replace(obj, "- gatekeeper-validating-webhook-configuration\n", "- {{ .Values.validatingWebhookName }}\n", 1)
obj = strings.Replace(obj, "- gatekeeper-mutating-webhook-configuration\n", "- {{ .Values.mutatingWebhookName }}\n", 1)
}

fmt.Printf("Writing %s\n", destFile)

if err := os.WriteFile(destFile, []byte(obj), 0o600); err != nil {
return err
}
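Review bot: The two new `strings.Replace` calls in the `gatekeeper-manager-role` branch pass a count of 1, so if that ClusterRole ever lists `gatekeeper-validating-webhook-configuration` (or the mutating name) under more than one rule, only the first occurrence becomes `{{ .Values.validatingWebhookName }}` and the remaining rules keep granting on the default name, leaving the renamed object outside part of the grant while the unused default name stays inside it. Unless a single occurrence is guaranteed, `obj = strings.ReplaceAll(obj, "- gatekeeper-validating-webhook-configuration\n", "- {{ .Values.validatingWebhookName }}\n")` (and the same for the mutating name) is the safer form. In the first hunk the match appears to key on the webhook entry names `validation.gatekeeper.sh` / `mutation.gatekeeper.sh` rather than on the configuration's metadata name, which deserves a comment since the emitted file is still called `gatekeeper-validating-webhook-configuration-*.yaml`; something like `// metadata.name is templated by kustomization.yaml, so match on the webhook entry name instead` above the `if`. `Write` begins and ends outside both hunks.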
4 changes: 4 additions & 0 deletions cmd/build/helmify/static/README.md
Expand Up @@ -97,6 +97,8 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
| postUpgrade.nodeSelector | The node selector to use for pod scheduling in postUpgrade hook jobs | `kubernetes.io/os: linux` |
| postUpgrade.resources | The resource request/limits for the container image in postUpgrade hook jobs | `{}` |
| postUpgrade.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
| preInstall.crdRepository.image.repository | Image with kubectl to update the CRDs. If not set, the `image.crdRepository` is used instead. | `null` |
| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.12.0-beta.0` |
| preUninstall.deleteWebhooks.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` |
| preUninstall.deleteWebhooks.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` |
| preUninstall.deleteWebhooks.image.tag | Image tag | Current release version: `v3.12.0-beta.0` |
Expand All @@ -123,6 +125,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
| auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. | `false` |
| disableValidatingWebhook | Disable the validating webhook | `false` |
| disableMutation | Disable mutation | `false` |
| validatingWebhookName | The name of the `ValidatingWebhookConfiguration` | `gatekeeper-validating-webhook-configuration` |
| validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` |
| validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` |
| validatingWebhookAnnotations | The annotations to add to the ValidatingWebhookConfiguration | `{}` |
Expand All @@ -136,6 +139,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
| enableTLSHealthcheck | Enable probing webhook API with certificate stored in certDir | `false` |
| maxServingThreads | Limit the number of concurrent calls the validation backend made by the validation webhook. -1 limits this value to GOMAXPROCS. Configuring this value may lower max RAM usage and limit CPU throttling, Tuning it can optimize serving capacity. | `-1` |
| metricsBackends | Metrics exporters to use. Valid exporters are: `prometheus`, `stackdriver`, and `opencensus` | `["prometheus"]` |
| mutatingWebhookName | The name of the `MutatingWebhookConfiguration` | `gatekeeper-mutating-webhook-configuration` |
| mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook | `Ignore` |
| mutatingWebhookReinvocationPolicy | The reinvocationPolicy for the mutating webhook | `Never` |
| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` |
12 changes: 10 additions & 2 deletions cmd/build/helmify/static/templates/upgrade-crds-hook.yaml
Expand Up @@ -93,10 +93,18 @@ spec:
{{- end }}
containers:
- name: crds-upgrade
{{- if not .Values.image.release }}
image: '{{ .Values.image.crdRepository }}'
{{- if .Values.preInstall.crdRepository.image.repository }}
{{- if not .Values.preInstall.crdRepository.image.tag }}
image: '{{ .Values.preInstall.crdRepository.image.repository }}'
{{- else }}
image: '{{ .Values.preInstall.crdRepository.image.repository }}:{{ .Values.preInstall.crdRepository.image.tag }}'
{{- end }}
{{- else }}
{{- if not .Values.image.release }}
image: '{{ .Values.image.crdRepository }}'
{{- else }}
image: '{{ .Values.image.crdRepository }}:{{ .Values.image.release }}'
{{- end }}
{{- end }}
imagePullPolicy: '{{ .Values.image.pullPolicy }}'
args:
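Review bot: When `preInstall.crdRepository.image.repository` is set and `preInstall.crdRepository.image.tag` is left empty, the new inner `if not` branch emits `image: '<repository>'` with no tag, which Kubernetes resolves to the mutable `latest` tag, so the container that applies the CRDs would run a non-reproducible image that can change between installs. The README row for `preInstall.crdRepository.image.tag` does not mention this fallback. Either document it there (`Image tag; if empty, the repository is pulled untagged, i.e. latest`) or require a tag whenever the repository is overridden, e.g. `image: '{{ .Values.preInstall.crdRepository.image.repository }}:{{ required "preInstall.crdRepository.image.tag must be set when repository is set" .Values.preInstall.crdRepository.image.tag }}'` in place of the inner `if`/`else`. The pre-existing `image.crdRepository` branch has the same untagged fallback, so this commit only mirrors it.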
Expand Up @@ -40,10 +40,10 @@ spec:
args:
- delete
{{- if not .Values.disableValidatingWebhook }}
- validatingwebhookconfiguration/gatekeeper-validating-webhook-configuration
- validatingwebhookconfiguration/{{ .Values.validatingWebhookName }}
{{- end }}
{{- if not .Values.disableMutation }}
- mutatingwebhookconfiguration/gatekeeper-mutating-webhook-configuration
- mutatingwebhookconfiguration/{{ .Values.mutatingWebhookName }}
{{- end }}
resources:
{{- toYaml .Values.preUninstall.resources | nindent 10 }}
Expand Down Expand Up @@ -94,7 +94,7 @@ rules:
resources:
- validatingwebhookconfigurations
resourceNames:
- gatekeeper-validating-webhook-configuration
- {{ .Values.validatingWebhookName }}
verbs:
- delete
{{- end }}
Expand All @@ -104,7 +104,7 @@ rules:
resources:
- mutatingwebhookconfigurations
resourceNames:
- gatekeeper-mutating-webhook-configuration
- {{ .Values.mutatingWebhookName }}
verbs:
- delete
{{- end }}
19 changes: 13 additions & 6 deletions cmd/build/helmify/static/values.yaml
Expand Up @@ -6,6 +6,7 @@ constraintViolationsLimit: 20
auditFromCache: false
disableMutation: false
disableValidatingWebhook: false
validatingWebhookName: gatekeeper-validating-webhook-configuration
validatingWebhookTimeoutSeconds: 3
validatingWebhookFailurePolicy: Ignore
validatingWebhookAnnotations: {}
Expand All @@ -18,6 +19,7 @@ enableExternalData: true
enableGeneratorResourceExpansion: false
enableTLSHealthcheck: false
maxServingThreads: -1
mutatingWebhookName: gatekeeper-mutating-webhook-configuration
mutatingWebhookFailurePolicy: Ignore
mutatingWebhookReinvocationPolicy: Never
mutatingWebhookAnnotations: {}
Expand All @@ -33,6 +35,17 @@ logMutations: false
emitAdmissionEvents: false
emitAuditEvents: false
resourceQuota: true
image:
repository: openpolicyagent/gatekeeper
crdRepository: openpolicyagent/gatekeeper-crds
release: v3.12.0-beta.0
pullPolicy: IfNotPresent
pullSecrets: []
preInstall:
crdRepository:
image:
repository: null
tag: v3.12.0-beta.0
postUpgrade:
labelNamespace:
enabled: false
Expand Down Expand Up @@ -123,12 +136,6 @@ preUninstall:
runAsGroup: 999
runAsNonRoot: true
runAsUser: 1000
image:
repository: openpolicyagent/gatekeeper
crdRepository: openpolicyagent/gatekeeper-crds
release: v3.12.0-beta.0
pullPolicy: IfNotPresent
pullSecrets: []
podAnnotations: {}
podLabels: {}
podCountLimit: "100"
