16 changes: 16 additions & 0 deletions cmd/build/helmify/static/README.md
Expand Up @@ -79,24 +79,40 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
| postInstall.probeWebhook.waitTimeout | Total time to wait for the webhook API to become available | `60` |
| postInstall.probeWebhook.httpTimeout | HTTP client timeout | `2` |
| postInstall.probeWebhook.insecureHTTPS | Ignore server SSL certificate | `false` |
| postInstall.affinity | The affinity to use for pod scheduling in postInstall hook jobs | `{}` |
| postInstall.tolerations | The tolerations to use for pod scheduling in postInstall hook jobs | `[]` |
| postInstall.nodeSelector | The node selector to use for pod scheduling in postInstall hook jobs | `kubernetes.io/os: linux` |
| postInstall.resources | The resource request/limits for the container image in postInstall hook jobs | `{}` |
| postInstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
| postUpgrade.labelNamespace.enabled | Add labels to the namespace during post upgrade hooks | `false` |
| postUpgrade.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post upgrade hooks | `[]` |
| postUpgrade.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` |
| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.10.0-beta.0` |
| postUpgrade.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| postUpgrade.labelNamespace.image.pullSecrets | Image pullSecrets | `[]`
| postUpgrade.affinity | The affinity to use for pod scheduling in postUpgrade hook jobs | `{}` |
| postUpgrade.tolerations | The tolerations to use for pod scheduling in postUpgrade hook jobs | `[]` |
| postUpgrade.nodeSelector | The node selector to use for pod scheduling in postUpgrade hook jobs | `kubernetes.io/os: linux` |
| postUpgrade.resources | The resource request/limits for the container image in postUpgrade hook jobs | `{}` |
| postUpgrade.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
| preUninstall.deleteWebhooks.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` |
| preUninstall.deleteWebhooks.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` |
| preUninstall.deleteWebhooks.image.tag | Image tag | Current release version: `v3.10.0-beta.0` |
| preUninstall.deleteWebhooks.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| preUninstall.deleteWebhooks.image.pullSecrets | Image pullSecrets | `[]` |
| preUninstall.deleteWebhooks.extraRules | Extra rules for the gatekeeper-delete-webhook-configs Role | `[]` |
| preUninstall.affinity | The affinity to use for pod scheduling in preUninstall hook jobs | `{}` |
| preUninstall.tolerations | The tolerations to use for pod scheduling in preUninstall hook jobs | `[]` |
| preUninstall.nodeSelector | The node selector to use for pod scheduling in preUninstall hook jobs | `kubernetes.io/os: linux` |
| preUninstall.resources | The resource request/limits for the container image in preUninstall hook jobs | `{}` |
| preUninstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
| psp.enabled | Enabled PodSecurityPolicy | `true` |
| upgradeCRDs.enabled | Upgrade CRDs using pre-install/pre-upgrade hooks | `true` |
| upgradeCRDs.extraRules | Extra rules for the gatekeeper-admin-upgrade-crds ClusterRole | `[]` |
| crds.affinity | The affinity to use for pod scheduling in crds hook jobs | `{}` |
| crds.tolerations | The tolerations to use for pod scheduling in crds hook jobs | `[]` |
| crds.nodeSelector | The node selector to use for pod scheduling in crds hook jobs | `kubernetes.io/os: linux` |
| crds.resources | The resource request/limits for the container image in crds hook jobs | `{}` |
| crds.securityContext | Security context applied to the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 }` |
| auditInterval | The frequency with which audit is run | `60` |
| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` |
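Review bot: The hunk header shows 16 additions and 0 deletions, yet the template change in upgrade-crds-hook.yaml switches from `.Values.upgradeCRDs.affinity` / `.Values.upgradeCRDs.tolerations` to `.Values.crds.affinity` / `.Values.crds.tolerations`. This table only gains `crds.affinity` and `crds.tolerations` rows and never mentions that the `upgradeCRDs.*` spellings stop being read, so a user who set them will silently lose their scheduling constraints on upgrade. Add a sentence next to the `upgradeCRDs.*` rows stating that `upgradeCRDs.affinity` and `upgradeCRDs.tolerations` have moved to `crds.*`. Drive-by while touching this table: the `postUpgrade.labelNamespace.image.pullSecrets | Image pullSecrets | \`[]\`` row is missing its closing `|`.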
2 changes: 2 additions & 0 deletions cmd/build/helmify/static/templates/_helpers.tpl
Expand Up @@ -65,6 +65,8 @@ Output post install webhook probe container entry
{{- end }}
- "-v"
- "https://gatekeeper-webhook-service.{{ .Release.Namespace }}.svc/v1/admitlabel?timeout=2s"
resources:
{{- toYaml .Values.postInstall.resources | nindent 4 }}
securityContext:
{{- toYaml .Values.postInstall.securityContext | nindent 4 }}
volumeMounts:
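Review bot: The new `securityContext:` block for the probe container renders only `.Values.postInstall.securityContext`; it does not carry the `{{- if .Values.enableRuntimeDefaultSeccompProfile }} seccompProfile: type: RuntimeDefault {{- end }}` guard that the other hook containers in this change (namespace-post-install.yaml, pre-uninstall) emit before their `toYaml` line. Unless the probe container is meant to differ, add the same conditional here so `enableRuntimeDefaultSeccompProfile` applies uniformly to every hook pod.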
12 changes: 10 additions & 2 deletions cmd/build/helmify/static/templates/namespace-post-install.yaml
Expand Up @@ -32,8 +32,6 @@ spec:
{{- .Values.postInstall.labelNamespace.image.pullSecrets | toYaml | nindent 12 }}
{{- end }}
serviceAccount: gatekeeper-update-namespace-label
nodeSelector:
kubernetes.io/os: linux
{{- if .Values.postInstall.probeWebhook.enabled }}
volumes:
{{- include "gatekeeper.postInstallWebhookProbeVolume" . | nindent 8 }}
Expand All @@ -56,12 +54,22 @@ spec:
- {{ . }}
{{- end }}
- --overwrite
resources:
{{- toYaml .Values.postInstall.resources | nindent 12 }}
securityContext:
{{- if .Values.enableRuntimeDefaultSeccompProfile }}
seccompProfile:
type: RuntimeDefault
{{- end }}
{{- toYaml .Values.postInstall.securityContext | nindent 12 }}
{{- with .Values.postInstall }}
nodeSelector:
{{- toYaml .nodeSelector | nindent 8 }}
affinity:
{{- toYaml .affinity | nindent 8 }}
tolerations:
{{- toYaml .tolerations | nindent 8 }}
{{- end }}
---
apiVersion: v1
kind: ServiceAccount
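Review bot: Removing the hardcoded `kubernetes.io/os: linux` selector and emitting `{{- toYaml .nodeSelector | nindent 8 }}` means the Linux pin now depends entirely on the chart's default for `postInstall.nodeSelector`; if that key is absent or a user sets it to an empty map, `toYaml` renders `nodeSelector: null` / `nodeSelector: {}` and the job can be scheduled onto any node OS. The values.yaml change is not part of this view, so please confirm the default `kubernetes.io/os: linux` documented in the README is actually present there. Minor: this file emits `nodeSelector`, `affinity`, `tolerations` while namespace-post-upgrade.yaml emits `affinity`, `tolerations`, `nodeSelector`; pick one order across the hook templates.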
12 changes: 10 additions & 2 deletions cmd/build/helmify/static/templates/namespace-post-upgrade.yaml
Expand Up @@ -30,8 +30,6 @@ spec:
{{- .Values.postUpgrade.labelNamespace.image.pullSecrets | toYaml | nindent 12 }}
{{- end }}
serviceAccount: gatekeeper-update-namespace-label-post-upgrade
nodeSelector:
kubernetes.io/os: linux
containers:
- name: kubectl-label
image: "{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}"
Expand All @@ -48,8 +46,18 @@ spec:
- {{ . }}
{{- end }}
- --overwrite
resources:
{{- toYaml .Values.postUpgrade.resources | nindent 12 }}
securityContext:
{{- toYaml .Values.postUpgrade.securityContext | nindent 12 }}
{{- with .Values.postUpgrade }}
affinity:
{{- toYaml .affinity | nindent 8 }}
tolerations:
{{- toYaml .tolerations | nindent 8 }}
nodeSelector:
{{- toYaml .nodeSelector | nindent 8 }}
{{- end }}
---
apiVersion: v1
kind: ServiceAccount
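Review bot: The new `securityContext:` here renders `.Values.postUpgrade.securityContext` directly, whereas the equivalent hunk in namespace-post-install.yaml wraps it with `{{- if .Values.enableRuntimeDefaultSeccompProfile }} seccompProfile: type: RuntimeDefault {{- end }}`. Since post-install and post-upgrade run the same `kubectl-label` image with the same defaults, the post-upgrade job should get the same seccomp guard, otherwise the upgrade path runs with a weaker pod profile than the install path.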
Expand Up @@ -32,11 +32,17 @@ spec:
imagePullSecrets:
{{- .Values.postInstall.probeWebhook.image.pullSecrets | toYaml | nindent 12 }}
{{- end }}
nodeSelector:
kubernetes.io/os: linux
volumes:
{{- include "gatekeeper.postInstallWebhookProbeVolume" . | nindent 8 }}
containers:
{{- include "gatekeeper.postInstallWebhookProbeContainer" . | nindent 8 }}
{{- with .Values.postInstall }}
affinity:
{{- toYaml .affinity | nindent 8 }}
tolerations:
{{- toYaml .tolerations | nindent 8 }}
nodeSelector:
{{- toYaml .nodeSelector | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}
10 changes: 6 additions & 4 deletions cmd/build/helmify/static/templates/upgrade-crds-hook.yaml
Expand Up @@ -111,10 +111,12 @@ spec:
type: RuntimeDefault
{{- end }}
{{- toYaml .Values.crds.securityContext | nindent 10 }}
{{- with .Values.crds }}
affinity:
{{- toYaml .Values.upgradeCRDs.affinity | nindent 8 }}
nodeSelector:
kubernetes.io/os: linux
{{- toYaml .affinity | nindent 8 }}
tolerations:
{{- toYaml .Values.upgradeCRDs.tolerations | nindent 8 }}
{{- toYaml .tolerations | nindent 8 }}
nodeSelector:
{{- toYaml .nodeSelector | nindent 8 }}
{{- end }}
{{- end }}
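Review bot: Switching from `.Values.upgradeCRDs.affinity` and `.Values.upgradeCRDs.tolerations` to `.affinity` / `.tolerations` inside `{{- with .Values.crds }}` is a breaking values change: any existing `upgradeCRDs.affinity` or `upgradeCRDs.tolerations` setting is silently ignored after this commit, and the README hunk in this change adds `crds.*` rows without removing or deprecating the old keys. Either keep reading the old keys as a fallback (for example `default .Values.upgradeCRDs.affinity`), or call the rename out explicitly in the chart's docs and release notes.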
Expand Up @@ -32,8 +32,6 @@ spec:
{{- .Values.preUninstall.deleteWebhookConfigurations.image.pullSecrets | toYaml | nindent 12 }}
{{- end }}
serviceAccount: gatekeeper-delete-webhook-configs
nodeSelector:
kubernetes.io/os: linux
containers:
- name: kubectl-delete
image: "{{ .Values.preUninstall.deleteWebhookConfigurations.image.repository }}:{{ .Values.preUninstall.deleteWebhookConfigurations.image.tag }}"
Expand All @@ -46,12 +44,22 @@ spec:
{{- if not .Values.disableMutation }}
- mutatingwebhookconfiguration/gatekeeper-mutating-webhook-configuration
{{- end }}
resources:
{{- toYaml .Values.preUninstall.resources | nindent 10 }}
securityContext:
{{- if .Values.enableRuntimeDefaultSeccompProfile }}
seccompProfile:
type: RuntimeDefault
{{- end }}
{{- toYaml .Values.preUninstall.securityContext | nindent 10 }}
{{- with .Values.preUninstall }}
nodeSelector:
{{- toYaml .nodeSelector | nindent 8 }}
affinity:
{{- toYaml .affinity | nindent 8 }}
tolerations:
{{- toYaml .tolerations | nindent 8 }}
{{- end }}
---
apiVersion: v1
kind: ServiceAccount
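Review bot: This template reads `.Values.preUninstall.deleteWebhookConfigurations.image.*` (visible in the context lines), but the README table touched in this change documents the same settings as `preUninstall.deleteWebhooks.image.*` and `preUninstall.deleteWebhooks.enabled`. The mismatch predates this commit, but since the README is being edited here anyway, align the documented key path with what the template actually reads; as written, a user following the README would set values the chart never consumes. Also note `resources` is rendered with `nindent 10` here versus `nindent 12` in the namespace hook templates; that matches this file's container indentation, so it is fine, just worth a glance when reviewing the rendered output.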