From afb4750327100c9fca7c80d6fa8a754cee5e051c Mon Sep 17 00:00:00 2001 From: Romain Chalumeau Date: Fri, 11 Jun 2021 10:20:54 +0200 Subject: [PATCH 01/10] Add annotations to ValidatingWebhook and MutatingWebhook Signed-off-by: Romain Chalumeau --- cmd/build/helmify/kustomize-for-helm.yaml | 56 ++++++++++--------- cmd/build/helmify/replacements.go | 6 ++ cmd/build/helmify/static/README.md | 14 +++-- cmd/build/helmify/static/values.yaml | 3 + config/overlays/mutation_webhook/webhook.yaml | 46 +++++++-------- manifest_staging/charts/gatekeeper/README.md | 14 +++-- ...guration-mutatingwebhookconfiguration.yaml | 2 + ...ration-validatingwebhookconfiguration.yaml | 2 + .../charts/gatekeeper/values.yaml | 3 + 9 files changed, 85 insertions(+), 61 deletions(-) diff --git a/cmd/build/helmify/kustomize-for-helm.yaml b/cmd/build/helmify/kustomize-for-helm.yaml index 96d495d7908..a17639ff2ad 100644 --- a/cmd/build/helmify/kustomize-for-helm.yaml +++ b/cmd/build/helmify/kustomize-for-helm.yaml 
@@ -133,29 +133,31 @@ metadata: labels: gatekeeper.sh/system: "yes" name: gatekeeper-validating-webhook-configuration + annotations: + HELMSUBST_VALIDATING_WEBHOOK_ANNOTATIONS: "" webhooks: -- clientConfig: - service: - name: gatekeeper-webhook-service - namespace: gatekeeper-system - path: /v1/admit - name: validation.gatekeeper.sh - timeoutSeconds: HELMSUBST_VALIDATING_WEBHOOK_TIMEOUT - rules: - - apiGroups: - - "*" - apiVersions: - - '*' - operations: HELMSUBST_VALIDATING_WEBHOOK_OPERATION_RULES - resources: - - '*' -- clientConfig: - service: - name: gatekeeper-webhook-service - namespace: gatekeeper-system - path: /v1/admitlabel - name: check-ignore-label.gatekeeper.sh - timeoutSeconds: HELMSUBST_VALIDATING_WEBHOOK_TIMEOUT + - clientConfig: + service: + name: gatekeeper-webhook-service + namespace: gatekeeper-system + path: /v1/admit + name: validation.gatekeeper.sh + timeoutSeconds: HELMSUBST_VALIDATING_WEBHOOK_TIMEOUT + rules: + - apiGroups: + - "*" + apiVersions: + - "*" + operations: HELMSUBST_VALIDATING_WEBHOOK_OPERATION_RULES + resources: + - "*" + - clientConfig: + service: + name: gatekeeper-webhook-service + namespace: gatekeeper-system + path: /v1/admitlabel + name: check-ignore-label.gatekeeper.sh + timeoutSeconds: HELMSUBST_VALIDATING_WEBHOOK_TIMEOUT --- apiVersion: policy/v1beta1 kind: PodDisruptionBudget @@ -180,8 +182,8 @@ spec: pods: HELMSUBST_RESOURCEQUOTA_POD_LIMIT scopeSelector: matchExpressions: - - operator: In - scopeName: PriorityClass - values: - - HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PRIORITY_CLASS_NAME - - HELMSUBST_DEPLOYMENT_AUDIT_PRIORITY_CLASS_NAME + - operator: In + scopeName: PriorityClass + values: + - HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PRIORITY_CLASS_NAME + - HELMSUBST_DEPLOYMENT_AUDIT_PRIORITY_CLASS_NAME diff --git a/cmd/build/helmify/replacements.go b/cmd/build/helmify/replacements.go index 66381058e02..e15dd60a76a 100644 --- a/cmd/build/helmify/replacements.go +++ b/cmd/build/helmify/replacements.go 
@@ -35,8 +35,14 @@ var replacements = map[string]string{ "HELMSUBST_SECRET_ANNOTATIONS": `{{- toYaml .Values.secretAnnotations | trim | nindent 4 }}`, + "HELMSUBST_SECRET_NAME": `{{- .Values.controllerManager.certificateSecretName }}`, + "HELMSUBST_VALIDATING_WEBHOOK_TIMEOUT": `{{ .Values.validatingWebhookTimeoutSeconds }}`, + `HELMSUBST_VALIDATING_WEBHOOK_ANNOTATIONS: ""`: `{{- toYaml .Values.validatingWebhookAnnotations | trim | nindent 4 }}`, + + `HELMSUBST_MUTATING_WEBHOOK_ANNOTATIONS: ""`: `{{- toYaml .Values.mutatingWebhookAnnotations | trim | nindent 4 }}`, + "HELMSUBST_RESOURCEQUOTA_POD_LIMIT": `{{ .Values.podCountLimit }}`, "HELMSUBST_VALIDATING_WEBHOOK_OPERATION_RULES": ` diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md index 27097b96116..f1458ae1d8e 100644 --- a/cmd/build/helmify/static/README.md +++ b/cmd/build/helmify/static/README.md @@ -29,8 +29,8 @@ _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documen **Upgrading from < v3.4.0** Chart 3.4.0 deprecates support for Helm 2 and also removes the creation of the `gatekeeper-system` Namespace from within the chart. This follows Helm 3 Best Practices. -Option 1: -A simple way to upgrade is to uninstall first and re-install with 3.4.0 or greater. +Option 1: +A simple way to upgrade is to uninstall first and re-install with 3.4.0 or greater. ```console $ helm uninstall gatekeeper @@ -38,7 +38,7 @@ $ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --creat ``` -Option 2: +Option 2: Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the original release, while keeping all of the resources. It then updates the annotations of the resources so that the new chart can import and manage them. ```console 
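Review bot: The new `"HELMSUBST_SECRET_NAME"` entry expands `.Values.controllerManager.certificateSecretName`, but the values.yaml hunks in this same commit add the key as `controllerManager.certSecretName` (default `gatekeeper-certificate`, which is not the name of the Secret the chart ships), so the expression would render empty until the key is renamed. No manifest hunk in this commit references the `HELMSUBST_SECRET_NAME` placeholder, and the next commit in the series writes `{{ .Values.controllerManager.certificateSecretName }}` directly into kustomize-for-helm.yaml, so the entry looks dead and could be dropped. If it is kept, remove the left-trim, `"HELMSUBST_SECRET_NAME": `{{ .Values.controllerManager.certificateSecretName }}``: a use such as `secretName: HELMSUBST_SECRET_NAME` would otherwise lose the space after the colon and no longer parse as a YAML key/value pair, whereas the other scalar substitutions in this map (e.g. `HELMSUBST_VALIDATING_WEBHOOK_TIMEOUT`) use `{{ ... }}` without the trim. The `replacements` map starts and ends outside the hunk.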
@@ -63,7 +63,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi ## Parameters | Parameter | Description | Default | -| :--------------------------------------------| :--------------------------------------------------------------------------------------| :-------------------------------------------------------------------------| +| :------------------------------------------- | :------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ | | postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` | | postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `line/kubectl-kustomize` | | postInstall.labelNamespace.image.tag | Image tag | `1.20.4-4.0.5` | 
@@ -73,18 +73,20 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` | | auditFromCache | Take the roster of resources to audit from the OPA cache | `false` | | auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `0` | -| auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. | `false` | +| auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. | `false` | | disableValidatingWebhook | Disable the validating webhook | `false` | | validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` | +| validatingWebhookAnnotations | The annotations to add to the ValidatingWebhookConfiguration | `{}` | | enableDeleteOperations | Enable validating webhook for delete operations | `false` | | experimentalEnableMutation | Enable mutation (alpha feature) | `false` | +| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` | | emitAdmissionEvents | Emit K8s events in gatekeeper namespace for admission violations (alpha feature) | `false` | | emitAuditEvents | Emit K8s events in gatekeeper namespace for audit violations (alpha feature) | `false` | | logDenies | Log detailed info on each deny | `false` | | logLevel | Minimum log level | `INFO` | | image.pullPolicy | The image pull policy | `IfNotPresent` | | image.repository | Image repository | `openpolicyagent/gatekeeper` | -| image.release | The image release tag to use | Current release version: `v3.5.0-rc.1` | +| image.release | The image release tag to use | Current release version: `v3.5.0-rc.1` | | image.pullSecrets | Specify an array of imagePullSecrets | `[]` | | resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | | nodeSelector 
| The node selector to use for pod scheduling | `kubernetes.io/os: linux` | diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml index bcfafc2d833..f31b2d2dab0 100644 --- a/cmd/build/helmify/static/values.yaml +++ b/cmd/build/helmify/static/values.yaml @@ -30,6 +30,8 @@ podAnnotations: podLabels: {} podCountLimit: 100 secretAnnotations: {} +mutatingWebhookAnnotations: {} +validatingWebhookAnnotations: {} controllerManager: hostNetwork: false priorityClassName: system-cluster-critical @@ -54,6 +56,7 @@ controllerManager: requests: cpu: 100m memory: 256Mi + certSecretName: gatekeeper-certificate audit: hostNetwork: false priorityClassName: system-cluster-critical diff --git a/config/overlays/mutation_webhook/webhook.yaml b/config/overlays/mutation_webhook/webhook.yaml index 376b94b0cda..79a36ad1abb 100644 --- a/config/overlays/mutation_webhook/webhook.yaml +++ b/config/overlays/mutation_webhook/webhook.yaml @@ -7,26 +7,28 @@ kind: MutatingWebhookConfiguration metadata: creationTimestamp: null name: gatekeeper-mutating-webhook-configuration + annotations: + HELMSUBST_MUTATING_WEBHOOK_ANNOTATIONS: "" webhooks: -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: webhook-service - namespace: system - path: /v1/mutate - failurePolicy: Ignore - name: mutation.gatekeeper.sh - matchPolicy: Exact - rules: - - apiGroups: - - '*' - apiVersions: - - '*' - operations: - - CREATE - - UPDATE - resources: - - '*' - sideEffects: None + - admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: webhook-service + namespace: system + path: /v1/mutate + failurePolicy: Ignore + name: mutation.gatekeeper.sh + matchPolicy: Exact + rules: + - apiGroups: + - "*" + apiVersions: + - "*" + operations: + - CREATE + - UPDATE + resources: + - "*" + sideEffects: None diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md index 27097b96116..f1458ae1d8e 100644 
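Review bot: The `HELMSUBST_MUTATING_WEBHOOK_ANNOTATIONS: ""` placeholder is added to `config/overlays/mutation_webhook/webhook.yaml`, whereas its validating counterpart in this commit is placed in the Helm-specific overlay `cmd/build/helmify/kustomize-for-helm.yaml`. If the mutation overlay is also applied directly with kustomize rather than only through helmify (not visible from the hunk), the MutatingWebhookConfiguration would reach the cluster carrying a literal `HELMSUBST_MUTATING_WEBHOOK_ANNOTATIONS` annotation with an empty value. Adding the `annotations:` patch for the mutating configuration to kustomize-for-helm.yaml instead, as done for the validating one, keeps placeholder keys out of the non-Helm deployment path. The rest of the hunk only re-indents the `webhooks` list and changes `'*'` to `"*"`.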
--- a/manifest_staging/charts/gatekeeper/README.md +++ b/manifest_staging/charts/gatekeeper/README.md @@ -29,8 +29,8 @@ _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documen **Upgrading from < v3.4.0** Chart 3.4.0 deprecates support for Helm 2 and also removes the creation of the `gatekeeper-system` Namespace from within the chart. This follows Helm 3 Best Practices. -Option 1: -A simple way to upgrade is to uninstall first and re-install with 3.4.0 or greater. +Option 1: +A simple way to upgrade is to uninstall first and re-install with 3.4.0 or greater. ```console $ helm uninstall gatekeeper @@ -38,7 +38,7 @@ $ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --creat ``` -Option 2: +Option 2: Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the original release, while keeping all of the resources. It then updates the annotations of the resources so that the new chart can import and manage them. ```console @@ -63,7 +63,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi ## Parameters | Parameter | Description | Default | -| :--------------------------------------------| :--------------------------------------------------------------------------------------| :-------------------------------------------------------------------------| +| :------------------------------------------- | :------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ | | postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` | | postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `line/kubectl-kustomize` | | postInstall.labelNamespace.image.tag | Image tag | `1.20.4-4.0.5` | 
@@ -73,18 +73,20 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` | | auditFromCache | Take the roster of resources to audit from the OPA cache | `false` | | auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `0` | -| auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. | `false` | +| auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. | `false` | | disableValidatingWebhook | Disable the validating webhook | `false` | | validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` | +| validatingWebhookAnnotations | The annotations to add to the ValidatingWebhookConfiguration | `{}` | | enableDeleteOperations | Enable validating webhook for delete operations | `false` | | experimentalEnableMutation | Enable mutation (alpha feature) | `false` | +| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` | | emitAdmissionEvents | Emit K8s events in gatekeeper namespace for admission violations (alpha feature) | `false` | | emitAuditEvents | Emit K8s events in gatekeeper namespace for audit violations (alpha feature) | `false` | | logDenies | Log detailed info on each deny | `false` | | logLevel | Minimum log level | `INFO` | | image.pullPolicy | The image pull policy | `IfNotPresent` | | image.repository | Image repository | `openpolicyagent/gatekeeper` | -| image.release | The image release tag to use | Current release version: `v3.5.0-rc.1` | +| image.release | The image release tag to use | Current release version: `v3.5.0-rc.1` | | image.pullSecrets | Specify an array of imagePullSecrets | `[]` | | resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | | nodeSelector 
| The node selector to use for pod scheduling | `kubernetes.io/os: linux` | diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml index eecfb80eb78..7f13efeb4e3 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml @@ -2,6 +2,8 @@ apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: + annotations: + {{- toYaml .Values.mutatingWebhookAnnotations | trim | nindent 4 }} creationTimestamp: null labels: app: '{{ template "gatekeeper.name" . }}' diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml index eb5f44fd282..608e56d8bcf 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml @@ -2,6 +2,8 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: + annotations: + {{- toYaml .Values.validatingWebhookAnnotations | trim | nindent 4 }} labels: app: '{{ template "gatekeeper.name" . }}' chart: '{{ template "gatekeeper.name" . }}' diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml index bcfafc2d833..f31b2d2dab0 100644 --- a/manifest_staging/charts/gatekeeper/values.yaml +++ b/manifest_staging/charts/gatekeeper/values.yaml 
@@ -30,6 +30,8 @@ podAnnotations: podLabels: {} podCountLimit: 100 secretAnnotations: {} +mutatingWebhookAnnotations: {} +validatingWebhookAnnotations: {} controllerManager: hostNetwork: false priorityClassName: system-cluster-critical @@ -54,6 +56,7 @@ controllerManager: requests: cpu: 100m memory: 256Mi + certSecretName: gatekeeper-certificate audit: hostNetwork: false priorityClassName: system-cluster-critical From efedbdc50a16da241555a6e30cbe03f662530126 Mon Sep 17 00:00:00 2001 From: Romain Chalumeau Date: Fri, 11 Jun 2021 11:07:33 +0200 Subject: [PATCH 02/10] Add certificateSecretname parameter to inject custom certificate in controller Signed-off-by: Romain Chalumeau --- cmd/build/helmify/kustomize-for-helm.yaml | 4 ++++ cmd/build/helmify/static/README.md | 1 + cmd/build/helmify/static/values.yaml | 2 +- .../overlays/mutation_webhook/kustomization.yaml | 15 +++++++-------- manifest_staging/charts/gatekeeper/README.md | 1 + .../gatekeeper-controller-manager-deployment.yaml | 2 +- manifest_staging/charts/gatekeeper/values.yaml | 2 +- 7 files changed, 16 insertions(+), 11 deletions(-) diff --git a/cmd/build/helmify/kustomize-for-helm.yaml b/cmd/build/helmify/kustomize-for-helm.yaml index a17639ff2ad..bcbf9da0232 100644 --- a/cmd/build/helmify/kustomize-for-helm.yaml +++ b/cmd/build/helmify/kustomize-for-helm.yaml @@ -80,6 +80,10 @@ spec: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_IMAGE_PULL_SECRETS: "" hostNetwork: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_HOST_NETWORK priorityClassName: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PRIORITY_CLASS_NAME + volumes: + - name: cert + secret: + secretName: "{{ .Values.controllerManager.certificateSecretName }}" --- apiVersion: apps/v1 kind: Deployment diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md index f1458ae1d8e..f06785391d6 100644 --- a/cmd/build/helmify/static/README.md +++ b/cmd/build/helmify/static/README.md 
@@ -94,6 +94,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | tolerations | The tolerations to use for pod scheduling | `[]` | | controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` | | controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` | +| controllerManager.certificateSecretName | The name of the secret storing the TLS certificate | `gatekeeper-webhook-server-cert` | | audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` | | audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` | | replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` | diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml index f31b2d2dab0..6a5a12c7876 100644 --- a/cmd/build/helmify/static/values.yaml +++ b/cmd/build/helmify/static/values.yaml @@ -56,7 +56,7 @@ controllerManager: requests: cpu: 100m memory: 256Mi - certSecretName: gatekeeper-certificate + certificateSecretName: gatekeeper-webhook-server-cert audit: hostNetwork: false priorityClassName: system-cluster-critical diff --git a/config/overlays/mutation_webhook/kustomization.yaml b/config/overlays/mutation_webhook/kustomization.yaml index cbe74d50e79..d14763000f4 100644 --- a/config/overlays/mutation_webhook/kustomization.yaml +++ b/config/overlays/mutation_webhook/kustomization.yaml @@ -1,6 +1,6 @@ # TODO: this is a temporary kustomization for the mutation webhook # It is kept separate until the mutation feature is stable enough, -# when the mutation webhook should be moved to config/webhooks/manifests.yaml +# when the mutation webhook should be moved to config/webhooks/manifests.yaml namespace: gatekeeper-system 
@@ -12,11 +12,10 @@ resources: - mutations.gatekeeper.sh_assign.yaml - mutations.gatekeeper.sh_assignmetadata.yaml - patchesJson6902: -- target: - group: rbac.authorization.k8s.io - version: v1 - kind: ClusterRole - name: manager-role - path: webhook_permissions_patch.yaml + - target: + group: rbac.authorization.k8s.io + version: v1 + kind: ClusterRole + name: manager-role + path: webhook_permissions_patch.yaml diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md index f1458ae1d8e..f06785391d6 100644 --- a/manifest_staging/charts/gatekeeper/README.md +++ b/manifest_staging/charts/gatekeeper/README.md @@ -94,6 +94,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | tolerations | The tolerations to use for pod scheduling | `[]` | | controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` | | controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` | +| controllerManager.certificateSecretName | The name of the secret storing the TLS certificate | `gatekeeper-webhook-server-cert` | | audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` | | audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` | | replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` | diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml index 40524708bd1..4794cf3cf69 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml 
@@ -115,4 +115,4 @@ spec:
 - name: cert
 secret:
 defaultMode: 420
- secretName: gatekeeper-webhook-server-cert
+ secretName: '{{ .Values.controllerManager.certificateSecretName }}'
diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml
index f31b2d2dab0..6a5a12c7876 100644
--- a/manifest_staging/charts/gatekeeper/values.yaml
+++ b/manifest_staging/charts/gatekeeper/values.yaml
@@ -56,7 +56,7 @@ controllerManager:
 requests:
 cpu: 100m
 memory: 256Mi
- certSecretName: gatekeeper-certificate
+ certificateSecretName: gatekeeper-webhook-server-cert
 audit:
 hostNetwork: false
 priorityClassName: system-cluster-critical
From 729be268307441d7951f7e75ae7d3fb2711111e8 Mon Sep 17 00:00:00 2001
From: Romain Chalumeau
Date: Fri, 11 Jun 2021 13:52:48 +0200
Subject: [PATCH 03/10] Debug cert-manager reconciling loop
Signed-off-by: Romain Chalumeau
---
 ...ration-validatingwebhookconfiguration.yaml | 25 +------------------
 1 file changed, 1 insertion(+), 24 deletions(-)
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
index 608e56d8bcf..0b042834b8d 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
@@ -32,7 +32,7 @@ webhooks:
 - '*'
 apiVersions:
 - '*'
- operations:
+ operations:
 - CREATE
 - UPDATE
 {{- if .Values.enableDeleteOperations }}
@@ -42,27 +42,4 @@ webhooks:
 - '*'
 sideEffects: None
 timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }}
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: gatekeeper-webhook-service
- namespace: '{{ .Release.Namespace }}'
- path: /v1/admitlabel
- failurePolicy: Fail
- matchPolicy: Exact
- name: check-ignore-label.gatekeeper.sh
- rules:
- - apiGroups:
- - ""
- apiVersions:
- - '*'
- operations:
- - CREATE
- - UPDATE
- resources:
- - namespaces
- sideEffects: None
- timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }}
 {{- end }}
From 9182440e90911de5ff685ecc067b7c9471051577 Mon Sep 17 00:00:00 2001
From: Romain Chalumeau
Date: Fri, 11 Jun 2021 14:57:27 +0200
Subject: [PATCH 04/10] Parameter to disable auto generation of certificate secret
Signed-off-by: Romain Chalumeau
---
 cmd/build/helmify/main.go | 4 +++
 cmd/build/helmify/static/values.yaml | 1 +
 ...ration-validatingwebhookconfiguration.yaml | 25 ++++++++++++++++++-
 ...gatekeeper-webhook-server-cert-secret.yaml | 2 ++
 .../charts/gatekeeper/values.yaml | 1 +
 5 files changed, 32 insertions(+), 1 deletion(-)
diff --git a/cmd/build/helmify/main.go b/cmd/build/helmify/main.go
index 95964067116..a7256e92f9e 100644
--- a/cmd/build/helmify/main.go
+++ b/cmd/build/helmify/main.go
@@ -101,6 +101,10 @@ func (ks *kindSet) Write() error {
 obj = "{{- if .Values.experimentalEnableMutation }}\n" + obj + "{{- end }}\n"
 }
+ if name == "gatekeeper-webhook-server-cert" && kind == "Secret" {
+ obj = "{{- if ! .Values.controllerManager.generateCertificate }}\n" + obj + "{{- end }}\n"
+ }
+
 if kind == "Deployment" {
 obj = strings.Replace(obj, " labels:", " labels:\n{{- include \"gatekeeper.podLabels\" . }}", 1)
 }
diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml
index 6a5a12c7876..c570a06edaa 100644
--- a/cmd/build/helmify/static/values.yaml
+++ b/cmd/build/helmify/static/values.yaml
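Review bot: This "Debug" commit deletes the `check-ignore-label.gatekeeper.sh` webhook (path `/v1/admitlabel`, `failurePolicy: Fail`, resources `namespaces`) from the staging chart, and patch 04/10 adds the identical 23 lines back. Left as two commits, the branch history contains a state where the chart renders the ValidatingWebhookConfiguration without the namespace-label guard, which is a weaker admission boundary than the base; if the removal was only a local bisecting step, squash 03 and 04 so that state never lands. The `operations:` trailing-whitespace change in the first hunk is likewise reverted in patch 04 and would disappear with the squash. The `{{- end }}` kept as context closes a conditional whose opening `{{- if ... }}` is outside the hunk.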
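Review bot: `"{{- if ! .Values.controllerManager.generateCertificate }}\n"` is not valid Go template syntax — text/template has no `!` operator, negation is the `not` function — so Helm would fail to parse the generated Secret template, and the condition is also inverted: the Secret should be emitted when generation is enabled. Patch 05/10 rewrites the line as `obj = "{{- if .Values.controllerManager.generateCertificate }}\n" + obj + "{{- end }}\n"`, which fixes both; squashing that fix into this commit avoids a broken intermediate chart. The match on the fixed name `gatekeeper-webhook-server-cert` deserves a why-comment, e.g. `// the chart-generated cert Secret keeps this fixed name; the mounted secret name is a separate value`, since the mounted name became configurable in the previous commit. `Write` starts and ends outside the hunk.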
@@ -57,6 +57,7 @@ controllerManager:
 cpu: 100m
 memory: 256Mi
 certificateSecretName: gatekeeper-webhook-server-cert
+ generateCertificate: true
 audit:
 hostNetwork: false
 priorityClassName: system-cluster-critical
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
index 0b042834b8d..608e56d8bcf 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
@@ -32,7 +32,7 @@ webhooks:
 - '*'
 apiVersions:
 - '*'
- operations:
+ operations:
 - CREATE
 - UPDATE
 {{- if .Values.enableDeleteOperations }}
@@ -42,4 +42,27 @@ webhooks:
 - '*'
 sideEffects: None
 timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }}
+- admissionReviewVersions:
+ - v1
+ - v1beta1
+ clientConfig:
+ service:
+ name: gatekeeper-webhook-service
+ namespace: '{{ .Release.Namespace }}'
+ path: /v1/admitlabel
+ failurePolicy: Fail
+ matchPolicy: Exact
+ name: check-ignore-label.gatekeeper.sh
+ rules:
+ - apiGroups:
+ - ""
+ apiVersions:
+ - '*'
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - namespaces
+ sideEffects: None
+ timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }}
 {{- end }}
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-webhook-server-cert-secret.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-webhook-server-cert-secret.yaml
index d6e906a995d..aee57fd5a6b 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-webhook-server-cert-secret.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-webhook-server-cert-secret.yaml
@@ -1,3 +1,4 @@
+{{- if ! .Values.controllerManager.generateCertificate }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -10,3 +11,4 @@ metadata:
 release: '{{ .Release.Name }}'
 name: gatekeeper-webhook-server-cert
 namespace: '{{ .Release.Namespace }}'
+{{- end }}
diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml
index 6a5a12c7876..c570a06edaa 100644
--- a/manifest_staging/charts/gatekeeper/values.yaml
+++ b/manifest_staging/charts/gatekeeper/values.yaml
@@ -57,6 +57,7 @@ controllerManager:
 cpu: 100m
 memory: 256Mi
 certificateSecretName: gatekeeper-webhook-server-cert
+ generateCertificate: true
 audit:
 hostNetwork: false
 priorityClassName: system-cluster-critical
From b977372fc58ea5642a01f43342c11c2ae10fb0b9 Mon Sep 17 00:00:00 2001
From: Romain Chalumeau
Date: Fri, 11 Jun 2021 15:08:43 +0200
Subject: [PATCH 05/10] Fix typo in test for certificateSecret
Signed-off-by: Romain Chalumeau
---
 cmd/build/helmify/main.go | 2 +-
 .../templates/gatekeeper-webhook-server-cert-secret.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/cmd/build/helmify/main.go b/cmd/build/helmify/main.go
index a7256e92f9e..31eefa2890c 100644
--- a/cmd/build/helmify/main.go
+++ b/cmd/build/helmify/main.go
@@ -102,7 +102,7 @@ func (ks *kindSet) Write() error {
 }
 if name == "gatekeeper-webhook-server-cert" && kind == "Secret" {
- obj = "{{- if ! .Values.controllerManager.generateCertificate }}\n" + obj + "{{- end }}\n"
+ obj = "{{- if .Values.controllerManager.generateCertificate }}\n" + obj + "{{- end }}\n"
 }
 if kind == "Deployment" {
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-webhook-server-cert-secret.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-webhook-server-cert-secret.yaml
index aee57fd5a6b..ee31f5347d0 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-webhook-server-cert-secret.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-webhook-server-cert-secret.yaml
@@ -1,4 +1,4 @@
-{{- if ! .Values.controllerManager.generateCertificate }}
+{{- if .Values.controllerManager.generateCertificate }}
 apiVersion: v1
 kind: Secret
 metadata:
From 9e94010a0e61c0a6aa02c96750cce37ed7626042 Mon Sep 17 00:00:00 2001
From: Romain Chalumeau
Date: Fri, 11 Jun 2021 16:29:02 +0200
Subject: [PATCH 06/10] Disable cert-rotation when certificates.generate is false
Signed-off-by: Romain Chalumeau
---
 cmd/build/helmify/kustomize-for-helm.yaml | 3 ++-
 cmd/build/helmify/static/README.md | 3 ++-
 cmd/build/helmify/static/values.yaml | 9 +++++----
 manifest_staging/charts/gatekeeper/README.md | 3 ++-
 .../gatekeeper-controller-manager-deployment.yaml | 3 ++-
 manifest_staging/charts/gatekeeper/values.yaml | 9 +++++----
 6 files changed, 18 insertions(+), 12 deletions(-)
diff --git a/cmd/build/helmify/kustomize-for-helm.yaml b/cmd/build/helmify/kustomize-for-helm.yaml
index bcbf9da0232..f67dd2f3e08 100644
--- a/cmd/build/helmify/kustomize-for-helm.yaml
+++ b/cmd/build/helmify/kustomize-for-helm.yaml
@@ -65,6 +65,7 @@ spec:
 - --exempt-namespace={{ .Release.Namespace }}
 - --operation=webhook
 - --enable-mutation={{ .Values.experimentalEnableMutation}}
+ - --disableCertRotation={{ not .Values.certificates.generate }}
 - HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_DISABLED_BUILTIN
 imagePullPolicy: "{{ .Values.image.pullPolicy }}"
 image: "{{ .Values.image.repository }}:{{ .Values.image.release }}"
@@ -83,7 +84,7 @@ spec:
 volumes:
 - name: cert
 secret:
- secretName: "{{ .Values.controllerManager.certificateSecretName }}"
+ secretName: "{{ .Values.certificates.secretName }}"
 ---
 apiVersion: apps/v1
 kind: Deployment
diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md
index f06785391d6..c169fea377d 100644
--- a/cmd/build/helmify/static/README.md
+++ b/cmd/build/helmify/static/README.md
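Review bot: `- --disableCertRotation={{ not .Values.certificates.generate }}` is the only camelCase flag in this args list; its neighbours (`--exempt-namespace`, `--operation`, `--enable-mutation`) are kebab-case, and if the manager registers the flag as `--disable-cert-rotation` the container would exit on an unknown flag at startup, so please check the spelling against the manager's flag definitions (the same line is added to the staging deployment template in this commit). Separately, `certificates.secretName` now only selects what the controller mounts: the Secret emitted by the chart keeps the fixed `name: gatekeeper-webhook-server-cert` visible in the secret template's context, so `generate: true` combined with a custom `secretName` mounts a Secret the chart never creates. Either render the Secret's `metadata.name` from `.Values.certificates.secretName` as well, or state in the README row for `certificates.secretName` that it must stay at its default while `certificates.generate` is true.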
@@ -92,9 +92,10 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | | affinity | The node affinity to use for pod scheduling | `{}` | | tolerations | The tolerations to use for pod scheduling | `[]` | +| certificates.generate | Generates a secret named `gatekeeper-webhook-server-cert` with CA and certificate | `true` | +| certificates.secretName | The name of the secret storing the certificate to be mounted in controller | `gatekeeper-webhook-server-cert` | | controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` | | controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` | -| controllerManager.certificateSecretName | The name of the secret storing the TLS certificate | `gatekeeper-webhook-server-cert` | | audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` | | audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` | | replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` | diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml index c570a06edaa..ee8dd9fd20d 100644 --- a/cmd/build/helmify/static/values.yaml +++ b/cmd/build/helmify/static/values.yaml @@ -5,8 +5,10 @@ constraintViolationsLimit: 20 auditFromCache: false disableValidatingWebhook: false validatingWebhookTimeoutSeconds: 3 +validatingWebhookAnnotations: {} enableDeleteOperations: false experimentalEnableMutation: false +mutatingWebhookAnnotations: {} auditChunkSize: 0 logLevel: INFO logDenies: false 
@@ -30,8 +32,9 @@ podAnnotations: podLabels: {} podCountLimit: 100 secretAnnotations: {} -mutatingWebhookAnnotations: {} -validatingWebhookAnnotations: {} +certificates: + generate: true + secretName: gatekeeper-webhook-server-cert controllerManager: hostNetwork: false priorityClassName: system-cluster-critical @@ -56,8 +59,6 @@ controllerManager: requests: cpu: 100m memory: 256Mi - certificateSecretName: gatekeeper-webhook-server-cert - generateCertificate: true audit: hostNetwork: false priorityClassName: system-cluster-critical diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md index f06785391d6..c169fea377d 100644 --- a/manifest_staging/charts/gatekeeper/README.md +++ b/manifest_staging/charts/gatekeeper/README.md @@ -92,9 +92,10 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | | affinity | The node affinity to use for pod scheduling | `{}` | | tolerations | The tolerations to use for pod scheduling | `[]` | +| certificates.generate | Generates a secret named `gatekeeper-webhook-server-cert` with CA and certificate | `true` | +| certificates.secretName | The name of the secret storing the certificate to be mounted in controller | `gatekeeper-webhook-server-cert` | | controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` | | controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` | -| controllerManager.certificateSecretName | The name of the secret storing the TLS certificate | `gatekeeper-webhook-server-cert` | | audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` | | audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` | | replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` | 
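Review bot: `controllerManager.certificateSecretName` and `controllerManager.generateCertificate` are dropped in the same change that introduces `certificates.secretName` and `certificates.generate`, with no fallback or deprecation alias, so an existing values file that still sets the old keys is silently ignored and the chart reverts to generating and mounting `gatekeeper-webhook-server-cert` (the deployment now passes `--disable-cert-rotation={{ not .Values.certificates.generate }}`, which is false by default). For anyone who had pointed the chart at an externally managed secret that is a quiet regression of the webhook's TLS identity rather than a loud failure. A comment on the new block would at least make the rename discoverable, e.g. `# certificates.* replaces controllerManager.certificateSecretName and controllerManager.generateCertificate; there is no compatibility alias for the old keys`.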
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml index 4794cf3cf69..2d45ac98d6f 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml @@ -49,6 +49,7 @@ spec: - --exempt-namespace={{ .Release.Namespace }} - --operation=webhook - --enable-mutation={{ .Values.experimentalEnableMutation}} + - --disableCertRotation={{ not .Values.certificates.generate }} {{- range .Values.disabledBuiltins}} - --disable-opa-builtin={{ . }} @@ -115,4 +116,4 @@ spec: - name: cert secret: defaultMode: 420 - secretName: '{{ .Values.controllerManager.certificateSecretName }}' + secretName: '{{ .Values.certificates.secretName }}' diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml index c570a06edaa..ee8dd9fd20d 100644 --- a/manifest_staging/charts/gatekeeper/values.yaml +++ b/manifest_staging/charts/gatekeeper/values.yaml @@ -5,8 +5,10 @@ constraintViolationsLimit: 20 auditFromCache: false disableValidatingWebhook: false validatingWebhookTimeoutSeconds: 3 +validatingWebhookAnnotations: {} enableDeleteOperations: false experimentalEnableMutation: false +mutatingWebhookAnnotations: {} auditChunkSize: 0 logLevel: INFO logDenies: false @@ -30,8 +32,9 @@ podAnnotations: podLabels: {} podCountLimit: 100 secretAnnotations: {} -mutatingWebhookAnnotations: {} -validatingWebhookAnnotations: {} +certificates: + generate: true + secretName: gatekeeper-webhook-server-cert controllerManager: hostNetwork: false priorityClassName: system-cluster-critical 
@@ -56,8 +59,6 @@ controllerManager: requests: cpu: 100m memory: 256Mi - certificateSecretName: gatekeeper-webhook-server-cert - generateCertificate: true audit: hostNetwork: false priorityClassName: system-cluster-critical From 5dc4203f15e3b8bb9622264855333bf8a971353d Mon Sep 17 00:00:00 2001 From: Romain Chalumeau Date: Fri, 11 Jun 2021 16:45:19 +0200 Subject: [PATCH 07/10] Fix typo disable-cert-rotation Signed-off-by: Romain Chalumeau --- cmd/build/helmify/kustomize-for-helm.yaml | 2 +- .../templates/gatekeeper-controller-manager-deployment.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cmd/build/helmify/kustomize-for-helm.yaml b/cmd/build/helmify/kustomize-for-helm.yaml index f67dd2f3e08..777b3d376a4 100644 --- a/cmd/build/helmify/kustomize-for-helm.yaml +++ b/cmd/build/helmify/kustomize-for-helm.yaml @@ -65,7 +65,7 @@ spec: - --exempt-namespace={{ .Release.Namespace }} - --operation=webhook - --enable-mutation={{ .Values.experimentalEnableMutation}} - - --disableCertRotation={{ not .Values.certificates.generate }} + - --disable-cert-rotation={{ not .Values.certificates.generate }} - HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_DISABLED_BUILTIN imagePullPolicy: "{{ .Values.image.pullPolicy }}" image: "{{ .Values.image.repository }}:{{ .Values.image.release }}" diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml index 2d45ac98d6f..1a61a5f59e1 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml 
@@ -49,7 +49,7 @@ spec: - --exempt-namespace={{ .Release.Namespace }} - --operation=webhook - --enable-mutation={{ .Values.experimentalEnableMutation}} - - --disableCertRotation={{ not .Values.certificates.generate }} + - --disable-cert-rotation={{ not .Values.certificates.generate }} {{- range .Values.disabledBuiltins}} - --disable-opa-builtin={{ . }} From 4e4b6b7282863bc48f8fedcdefa4a58ddc262233 Mon Sep 17 00:00:00 2001 From: Romain Chalumeau Date: Fri, 11 Jun 2021 17:40:26 +0200 Subject: [PATCH 08/10] Add doc for cert-manager Signed-off-by: Romain Chalumeau --- website/docs/cert-manager.md | 134 +++++++++++++++++++++++++++++++++++ 1 file changed, 134 insertions(+) create mode 100644 website/docs/cert-manager.md diff --git a/website/docs/cert-manager.md b/website/docs/cert-manager.md new file mode 100644 index 00000000000..eb3d71b01e8 --- /dev/null +++ b/website/docs/cert-manager.md 
@@ -0,0 +1,134 @@ +--- +id: cert-manager +title: Injecting Certificates from Cert Manager +--- + +Gatekeeper controller generates by default and rotates a self signed CA and TLS certificate. The CA is injected into the admission webhooks, the TLS secret is mounted into the controller pod. This tutorial is about using [cert-manager](https://cert-manager.io/docs/) to manage the CA and the certificate. + +## Generating issuers and certificates + +We will create a simple self signed CA certificate with cert-manager. From this CA, we will create a certificate that we will associate to the controller. + +### Issuing a CA certificate + +Let's create the CA certificate for our example : + +```yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: gatekeeper-selfsigning-issuer + namespace: gatekeeper-system +spec: + selfSigned: {} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: gatekeeper-ca-certificate + namespace: gatekeeper-system +spec: + secretName: gatekeeper-ca-certificate + isCA: true + commonName: gatekeeper-ca + issuerRef: + name: gatekeeper-selfsigning-issuer +``` + +If successful, you should have a valid certificate and an associated secret : +``` +$ kubectl -n gatekeeper-system get cert gatekeeper-ca-certificate +NAME READY SECRET AGE +gatekeeper-ca-certificate True gatekeeper-ca-certificate 3h6m +$ kubectl -n gatekeeper-system get secret gatekeeper-ca-certificate +NAME TYPE DATA AGE +gatekeeper-ca-certificate kubernetes.io/tls 3 3h6m +``` + +You can check the content of the CA certificate as following : +``` +kubectl -n gatekeeper-system get secret gatekeeper-ca-certificate -o go-template='{{index .data "ca.crt"}}' | base64 -d | openssl x509 -noout -text +``` + +In the real world, there is no reason why you would generate a self signed CA certificate. Tis is for te purpose of the example. The CA was most probably issued by a trusted authority at the organisation level. 
+ +### TLS certificate + +Let's create now a TLS certificate for the service `gatekeeper-webhook-service` from our authority : + +```yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: gatekeeper-ca-issuer + namespace: gatekeeper-system +spec: + ca: + secretName: gatekeeper-ca-certificate +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: gatekeeper-certificate + namespace: gatekeeper-system +spec: + secretName: gatekeeper-certificate + commonName: gatekeeper-webhook-service.gatekeeper-system.svc + issuerRef: + name: gatekeeper-ca-issuer + name: gatekeeper-selfsigning-issuer + kind: Issuer +``` + +If successful, you should have a valid certificate and a related TLS secret similar to : +``` +$ kubectl -n gatekeeper-system get cert gatekeeper-certificate +NAME READY SECRET AGE +gatekeeper-certificate True gatekeeper-certificate 3h9m +$ kubectl -n gatekeeper-system get secret gatekeeper-certificate +NAME TYPE DATA AGE +gatekeeper-certificate kubernetes.io/tls 3 3h8m +``` + +You can check the content of the generated certificate : +``` +kubectl -n gatekeeper-system get secret gatekeeper-certificate -o go-template='{{index .data "tls.crt"}}' | base64 -d | openssl x509 -noout -text +``` + +## Configure the helm chart parameters + +The helm chart generates automatically a self signed certificate (`gatekeeper-webhook-server-cert`) by default. This has to be disabled to pass the generated secret (here `gatekeeper-certificate`). + +```yaml +certificates: + generate: false + secretName: gatekeeper-certificate +``` + +*Warning* : Not disabling the genration of certifictes will genrate a race condition between the cert-manager and the controller : both manage the `caBundle` value of the webhooks. The `metadata.generation` of the webhooks will quickly increment with potentialy no evident change. 
+ +We annotate the admission webhooks with [`cainjector` from cert-manager](https://cert-manager.io/docs/concepts/ca-injector/) to configure the CABundle with our CA certificate. + +This can be done with the parameters `validatingWebhookAnnotations` and `mutatingWebhookAnnotations`. Here, we pass the name of the certificate we have created to the validating webhook. A secret storing the CA can also be used. + +```yaml +validatingWebhookAnnotations: + cert-manager.io/inject-ca-from: gatekeeper-system/gatekeeper-ca-certificate +``` + +The `certificates.secretName` is used to mount the secret storing the TLS cert that was generated by cert-manager. + +## Check the injection + +The CABundles injected in the webhook must be identical to the CA certificate stored in the related secret : + +``` +kubectl -n gatekeeper-system get secret gatekeeper-ca-certificate -o go-template='{{index .data "ca.crt"}}' +``` + +``` +kubectl get validatingWebhookConfiguration gatekeeper-validating-webhook-configuration -o go-template='{{range .webhooks }}{{ printf "%s\n" .clientConfig.caBundle }}{{ end }}' +``` + +The three values must be identical. + From aa68b8420072440158ec1e2b4f5717733e3a4a47 Mon Sep 17 00:00:00 2001 From: Romain Chalumeau Date: Fri, 11 Jun 2021 17:57:58 +0200 Subject: [PATCH 09/10] Clean dead code Signed-off-by: Romain Chalumeau --- cmd/build/helmify/replacements.go | 2 -- 1 file changed, 2 deletions(-) diff --git a/cmd/build/helmify/replacements.go b/cmd/build/helmify/replacements.go index e15dd60a76a..c60bc9a1a51 100644 --- a/cmd/build/helmify/replacements.go +++ b/cmd/build/helmify/replacements.go 
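Review bot: The `gatekeeper-certificate` manifest under "TLS certificate" has two `name:` keys inside `issuerRef` (`gatekeeper-ca-issuer` and `gatekeeper-selfsigning-issuer`); depending on the YAML parser this is rejected outright or the last key wins, in which case the serving certificate is issued by the self-signing issuer rather than by the CA whose `ca.crt` the `cert-manager.io/inject-ca-from` annotation copies into the webhook `caBundle`, and the API server then cannot verify the webhook's TLS. Drop the `name: gatekeeper-selfsigning-issuer` line so the serving cert chains to `gatekeeper-ca-certificate`. The same Certificate sets only `commonName`; the API server's Go TLS stack matches the server name against SANs and no longer falls back to the CN, so the spec also needs `dnsNames:` listing `gatekeeper-webhook-service.gatekeeper-system.svc` (and `gatekeeper-webhook-service.gatekeeper-system.svc.cluster.local`). Minor: "Tis is for te purpose", "genration of certifictes will genrate" and "potentialy" are typos in the prose.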
@@ -35,8 +35,6 @@ var replacements = map[string]string{ "HELMSUBST_SECRET_ANNOTATIONS": `{{- toYaml .Values.secretAnnotations | trim | nindent 4 }}`, - "HELMSUBST_SECRET_NAME": `{{- .Values.controllerManager.certificateSecretName }}`, - "HELMSUBST_VALIDATING_WEBHOOK_TIMEOUT": `{{ .Values.validatingWebhookTimeoutSeconds }}`, `HELMSUBST_VALIDATING_WEBHOOK_ANNOTATIONS: ""`: `{{- toYaml .Values.validatingWebhookAnnotations | trim | nindent 4 }}`, From 637ea84f11a444704871ca7272b1b8b961859042 Mon Sep 17 00:00:00 2001 From: Romain Chalumeau Date: Mon, 14 Jun 2021 10:51:14 +0200 Subject: [PATCH 10/10] Adjust parameter description --- cmd/build/helmify/static/README.md | 88 ++++++++++---------- manifest_staging/charts/gatekeeper/README.md | 88 ++++++++++---------- 2 files changed, 88 insertions(+), 88 deletions(-) diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md index c169fea377d..ac777e16037 100644 --- a/cmd/build/helmify/static/README.md +++ b/cmd/build/helmify/static/README.md 
@@ -62,50 +62,50 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi ## Parameters -| Parameter | Description | Default | -| :------------------------------------------- | :------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ | -| postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` | -| postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `line/kubectl-kustomize` | -| postInstall.labelNamespace.image.tag | Image tag | `1.20.4-4.0.5` | -| postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | -| postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | -| auditInterval | The frequency with which audit is run | `60` | -| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` | -| auditFromCache | Take the roster of resources to audit from the OPA cache | `false` | -| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `0` | -| auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. 
| `false` | -| disableValidatingWebhook | Disable the validating webhook | `false` | -| validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` | -| validatingWebhookAnnotations | The annotations to add to the ValidatingWebhookConfiguration | `{}` | -| enableDeleteOperations | Enable validating webhook for delete operations | `false` | -| experimentalEnableMutation | Enable mutation (alpha feature) | `false` | -| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` | -| emitAdmissionEvents | Emit K8s events in gatekeeper namespace for admission violations (alpha feature) | `false` | -| emitAuditEvents | Emit K8s events in gatekeeper namespace for audit violations (alpha feature) | `false` | -| logDenies | Log detailed info on each deny | `false` | -| logLevel | Minimum log level | `INFO` | -| image.pullPolicy | The image pull policy | `IfNotPresent` | -| image.repository | Image repository | `openpolicyagent/gatekeeper` | -| image.release | The image release tag to use | Current release version: `v3.5.0-rc.1` | -| image.pullSecrets | Specify an array of imagePullSecrets | `[]` | -| resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | -| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | -| affinity | The node affinity to use for pod scheduling | `{}` | -| tolerations | The tolerations to use for pod scheduling | `[]` | -| certificates.generate | Generates a secret named `gatekeeper-webhook-server-cert` with CA and certificate | `true` | -| certificates.secretName | The name of the secret storing the certificate to be mounted in controller | `gatekeeper-webhook-server-cert` | -| controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` | -| controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` | -| 
audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` | -| audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` | -| replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` | -| podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` | -| podLabels | The labels to add to the Gatekeeper pods | `{}` | -| podCountLimit | The maximum number of Gatekeeper pods to run | `100` | -| secretAnnotations | The annotations to add to the Gatekeeper secrets | `{}` | -| pdb.controllerManager.minAvailable | The number of controller manager pods that must still be available after an eviction | `1` | -| service.type | Service type | `ClusterIP` | -| service.loadBalancerIP | The IP address of LoadBalancer service | `` | +| Parameter | Description | Default | +| :------------------------------------------- | :------------------------------------------------------------------------------------------------------------------ | :------------------------------------------------------------------------ | +| postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` | +| postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `line/kubectl-kustomize` | +| postInstall.labelNamespace.image.tag | Image tag | `1.20.4-4.0.5` | +| postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | +| auditInterval | The frequency with which audit is run | `60` | +| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` | +| auditFromCache | Take the roster of resources to audit from the OPA cache | `false` | +| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `0` | +| auditMatchKindOnly | Only 
check resources of the kinds specified in all constraints defined in the cluster. | `false` | +| disableValidatingWebhook | Disable the validating webhook | `false` | +| validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` | +| validatingWebhookAnnotations | The annotations to add to the ValidatingWebhookConfiguration | `{}` | +| enableDeleteOperations | Enable validating webhook for delete operations | `false` | +| experimentalEnableMutation | Enable mutation (alpha feature) | `false` | +| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` | +| emitAdmissionEvents | Emit K8s events in gatekeeper namespace for admission violations (alpha feature) | `false` | +| emitAuditEvents | Emit K8s events in gatekeeper namespace for audit violations (alpha feature) | `false` | +| logDenies | Log detailed info on each deny | `false` | +| logLevel | Minimum log level | `INFO` | +| image.pullPolicy | The image pull policy | `IfNotPresent` | +| image.repository | Image repository | `openpolicyagent/gatekeeper` | +| image.release | The image release tag to use | Current release version: `v3.5.0-rc.1` | +| image.pullSecrets | Specify an array of imagePullSecrets | `[]` | +| resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | +| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | +| affinity | The node affinity to use for pod scheduling | `{}` | +| tolerations | The tolerations to use for pod scheduling | `[]` | +| certificates.generate | When `true`, certificate generation is handled by Gatekeeper. 
Disable to support third-party certificate management | `true` | +| certificates.secretName | The name of the secret storing the certificate to be mounted in controller | `gatekeeper-webhook-server-cert` | +| controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` | +| controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` | +| audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` | +| audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` | +| replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` | +| podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` | +| podLabels | The labels to add to the Gatekeeper pods | `{}` | +| podCountLimit | The maximum number of Gatekeeper pods to run | `100` | +| secretAnnotations | The annotations to add to the Gatekeeper secrets | `{}` | +| pdb.controllerManager.minAvailable | The number of controller manager pods that must still be available after an eviction | `1` | +| service.type | Service type | `ClusterIP` | +| service.loadBalancerIP | The IP address of LoadBalancer service | `` | ## Contributing Changes diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md index c169fea377d..ac777e16037 100644 --- a/manifest_staging/charts/gatekeeper/README.md +++ b/manifest_staging/charts/gatekeeper/README.md 
@@ -62,50 +62,50 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi ## Parameters -| Parameter | Description | Default | -| :------------------------------------------- | :------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ | -| postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` | -| postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `line/kubectl-kustomize` | -| postInstall.labelNamespace.image.tag | Image tag | `1.20.4-4.0.5` | -| postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | -| postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | -| auditInterval | The frequency with which audit is run | `60` | -| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` | -| auditFromCache | Take the roster of resources to audit from the OPA cache | `false` | -| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `0` | -| auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. 
| `false` | -| disableValidatingWebhook | Disable the validating webhook | `false` | -| validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` | -| validatingWebhookAnnotations | The annotations to add to the ValidatingWebhookConfiguration | `{}` | -| enableDeleteOperations | Enable validating webhook for delete operations | `false` | -| experimentalEnableMutation | Enable mutation (alpha feature) | `false` | -| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` | -| emitAdmissionEvents | Emit K8s events in gatekeeper namespace for admission violations (alpha feature) | `false` | -| emitAuditEvents | Emit K8s events in gatekeeper namespace for audit violations (alpha feature) | `false` | -| logDenies | Log detailed info on each deny | `false` | -| logLevel | Minimum log level | `INFO` | -| image.pullPolicy | The image pull policy | `IfNotPresent` | -| image.repository | Image repository | `openpolicyagent/gatekeeper` | -| image.release | The image release tag to use | Current release version: `v3.5.0-rc.1` | -| image.pullSecrets | Specify an array of imagePullSecrets | `[]` | -| resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | -| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | -| affinity | The node affinity to use for pod scheduling | `{}` | -| tolerations | The tolerations to use for pod scheduling | `[]` | -| certificates.generate | Generates a secret named `gatekeeper-webhook-server-cert` with CA and certificate | `true` | -| certificates.secretName | The name of the secret storing the certificate to be mounted in controller | `gatekeeper-webhook-server-cert` | -| controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` | -| controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` | -| 
audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` | -| audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` | -| replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` | -| podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` | -| podLabels | The labels to add to the Gatekeeper pods | `{}` | -| podCountLimit | The maximum number of Gatekeeper pods to run | `100` | -| secretAnnotations | The annotations to add to the Gatekeeper secrets | `{}` | -| pdb.controllerManager.minAvailable | The number of controller manager pods that must still be available after an eviction | `1` | -| service.type | Service type | `ClusterIP` | -| service.loadBalancerIP | The IP address of LoadBalancer service | `` | +| Parameter | Description | Default | +| :------------------------------------------- | :------------------------------------------------------------------------------------------------------------------ | :------------------------------------------------------------------------ | +| postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` | +| postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `line/kubectl-kustomize` | +| postInstall.labelNamespace.image.tag | Image tag | `1.20.4-4.0.5` | +| postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | +| auditInterval | The frequency with which audit is run | `60` | +| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` | +| auditFromCache | Take the roster of resources to audit from the OPA cache | `false` | +| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `0` | +| auditMatchKindOnly | Only 
check resources of the kinds specified in all constraints defined in the cluster. | `false` | +| disableValidatingWebhook | Disable the validating webhook | `false` | +| validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` | +| validatingWebhookAnnotations | The annotations to add to the ValidatingWebhookConfiguration | `{}` | +| enableDeleteOperations | Enable validating webhook for delete operations | `false` | +| experimentalEnableMutation | Enable mutation (alpha feature) | `false` | +| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` | +| emitAdmissionEvents | Emit K8s events in gatekeeper namespace for admission violations (alpha feature) | `false` | +| emitAuditEvents | Emit K8s events in gatekeeper namespace for audit violations (alpha feature) | `false` | +| logDenies | Log detailed info on each deny | `false` | +| logLevel | Minimum log level | `INFO` | +| image.pullPolicy | The image pull policy | `IfNotPresent` | +| image.repository | Image repository | `openpolicyagent/gatekeeper` | +| image.release | The image release tag to use | Current release version: `v3.5.0-rc.1` | +| image.pullSecrets | Specify an array of imagePullSecrets | `[]` | +| resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | +| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | +| affinity | The node affinity to use for pod scheduling | `{}` | +| tolerations | The tolerations to use for pod scheduling | `[]` | +| certificates.generate | When `true`, certificate generation is handled by Gatekeeper. 
Disable to support third-party certificate management | `true` | +| certificates.secretName | The name of the secret storing the certificate to be mounted in controller | `gatekeeper-webhook-server-cert` | +| controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` | +| controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` | +| audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` | +| audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` | +| replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` | +| podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` | +| podLabels | The labels to add to the Gatekeeper pods | `{}` | +| podCountLimit | The maximum number of Gatekeeper pods to run | `100` | +| secretAnnotations | The annotations to add to the Gatekeeper secrets | `{}` | +| pdb.controllerManager.minAvailable | The number of controller manager pods that must still be available after an eviction | `1` | +| service.type | Service type | `ClusterIP` | +| service.loadBalancerIP | The IP address of LoadBalancer service | `` | ## Contributing Changes