diff --git a/cmd/build/helmify/kustomize-for-helm.yaml b/cmd/build/helmify/kustomize-for-helm.yaml
index fea36744c98..cb77e720abc 100644
--- a/cmd/build/helmify/kustomize-for-helm.yaml
+++ b/cmd/build/helmify/kustomize-for-helm.yaml
@@ -160,7 +160,7 @@ spec:
 - --prometheus-port=HELMSUBST_DEPLOYMENT_AUDIT_METRICS_PORT
 - --enable-external-data={{ .Values.enableExternalData }}
 - HELMSUBST_METRICS_BACKEND_ARG
- - --disable-cert-rotation={{ .Values.audit.disableCertRotation }}
+ - --disable-cert-rotation={{ or .Values.audit.disableCertRotation .Values.externalCertInjection.enabled }}
 imagePullPolicy: "{{ .Values.image.pullPolicy }}"
 HELMSUBST_AUDIT_CONTROLLER_MANAGER_DEPLOYMENT_IMAGE_RELEASE: ""
 ports:
diff --git a/cmd/build/helmify/main.go b/cmd/build/helmify/main.go
index 697e53d3052..0a65cb53b8a 100644
--- a/cmd/build/helmify/main.go
+++ b/cmd/build/helmify/main.go
@@ -113,6 +113,10 @@ func (ks *kindSet) Write() error {
 obj = "{{- if not .Values.disableMutation }}\n" + obj + "{{- end }}\n"
 }
 
+if name == "gatekeeper-webhook-server-cert" && kind == "Secret" {
+obj = "{{- if not .Values.externalCertInjection.enabled }}\n" + obj + "{{- end }}\n"
+}
+
 if name == "gatekeeper-critical-pods" && kind == "ResourceQuota" {
 obj = "{{- if .Values.resourceQuota }}\n" + obj + "{{- end }}\n"
 }
diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md
index 94fba79729b..f200d23f418 100644
--- a/cmd/build/helmify/static/README.md
+++ b/cmd/build/helmify/static/README.md
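Review bot: Only the audit container's `--disable-cert-rotation` is tied to `externalCertInjection.enabled` in this hunk; if the controller-manager (webhook) deployment in the same file carries its own `--disable-cert-rotation` argument, it needs the same `or` expression, otherwise the webhook pods presumably keep running the in-cluster rotator against a Secret the chart no longer creates and may overwrite the externally injected certificate. The manifest_staging copy in `gatekeeper-audit-deployment.yaml` has the same gap. A short comment next to the flag would record the intent: `# forced on when an externally injected certificate is used`.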
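Review bot: The new branch in `Write` matches the Secret by the literal `gatekeeper-webhook-server-cert`, while the helper template in this same change mounts `.Values.externalCertInjection.secretName`; nothing in the generated chart ties the two names together, so a custom `secretName` combined with `enabled: false` yields a chart-managed Secret under one name and a volume pointing at another. A comment would make the contract explicit: `// The chart-managed cert Secret is omitted when a certificate is injected externally; mounts then use .Values.externalCertInjection.secretName.` Style-wise this is the third consecutive `if name == … && kind == …` wrapper; a small table keyed by (kind, name) mapping to the surrounding template condition would keep further additions from growing the function. `Write` begins before and continues after this hunk.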
@@ -185,6 +185,8 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 | service.loadBalancerIP | The IP address of LoadBalancer service | `` |
 | service.healthzPort | Service port to gatekeeper Webhook health port | `9090` |
 | rbac.create | Enable the creation of RBAC resources | `true` |
+| externalCertInjection.enabled | Enable the injection of an external certificate. This disables automatic certificate generation and rotation | `false` |
+| externalCertInjection.secretName | Name of secret for injected certificate | `gatekeeper-webhook-server-cert` |
 
 ## Contributing Changes
 
diff --git a/cmd/build/helmify/static/templates/_helpers.tpl b/cmd/build/helmify/static/templates/_helpers.tpl
index f9a9d84a5c2..c99de40c2ed 100644
--- a/cmd/build/helmify/static/templates/_helpers.tpl
+++ b/cmd/build/helmify/static/templates/_helpers.tpl
@@ -81,5 +81,5 @@ Output post install webhook probe volume entry
 {{- define "gatekeeper.postInstallWebhookProbeVolume" -}}
 - name: cert
 secret:
- secretName: gatekeeper-webhook-server-cert
+ secretName: {{ .Values.externalCertInjection.secretName }}
 {{- end -}}
diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml
index f7baaa013f3..d8d199fa0d5 100644
--- a/cmd/build/helmify/static/values.yaml
+++ b/cmd/build/helmify/static/values.yaml
@@ -239,3 +239,6 @@ upgradeCRDs:
 extraRules: []
 rbac:
 create: true
+externalCertInjection:
+ enabled: false
+ secretName: gatekeeper-webhook-server-cert
diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md
index 94fba79729b..f200d23f418 100644
--- a/manifest_staging/charts/gatekeeper/README.md
+++ b/manifest_staging/charts/gatekeeper/README.md
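Review bot: `secretName: {{ .Values.externalCertInjection.secretName }}` is substituted regardless of `externalCertInjection.enabled`, so overriding `secretName` while leaving `enabled: false` points the probe volume at a Secret the chart never creates, even though the chart-managed `gatekeeper-webhook-server-cert` is still rendered. Falling back to the fixed name unless injection is enabled keeps the two settings consistent: `secretName: {{ if .Values.externalCertInjection.enabled }}{{ .Values.externalCertInjection.secretName }}{{ else }}gatekeeper-webhook-server-cert{{ end }}`. The manifest_staging copy of `_helpers.tpl` has the same issue, and the other cert volumes in the deployments are not in this diff, so I cannot tell whether they were updated the same way.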
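Review bot: The new `externalCertInjection` keys in values.yaml carry no comment, although enabling them removes the chart-managed `gatekeeper-webhook-server-cert` Secret from the rendered manifest and forces `--disable-cert-rotation` on. A comment block above the keys should say that the Secret named in `secretName` must be provided and kept valid by the operator, and that whatever currently populates the webhook configurations' CA bundle — presumably the in-cluster rotator, worth confirming — must also be handled externally, since an empty or stale bundle leaves the API server unable to verify the webhook and the outcome then depends on the webhook's failure policy. The manifest_staging copy of values.yaml needs the same comments.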
@@ -185,6 +185,8 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 | service.loadBalancerIP | The IP address of LoadBalancer service | `` |
 | service.healthzPort | Service port to gatekeeper Webhook health port | `9090` |
 | rbac.create | Enable the creation of RBAC resources | `true` |
+| externalCertInjection.enabled | Enable the injection of an external certificate. This disables automatic certificate generation and rotation | `false` |
+| externalCertInjection.secretName | Name of secret for injected certificate | `gatekeeper-webhook-server-cert` |
 
 ## Contributing Changes
 
diff --git a/manifest_staging/charts/gatekeeper/templates/_helpers.tpl b/manifest_staging/charts/gatekeeper/templates/_helpers.tpl
index f9a9d84a5c2..c99de40c2ed 100644
--- a/manifest_staging/charts/gatekeeper/templates/_helpers.tpl
+++ b/manifest_staging/charts/gatekeeper/templates/_helpers.tpl
@@ -81,5 +81,5 @@ Output post install webhook probe volume entry
 {{- define "gatekeeper.postInstallWebhookProbeVolume" -}}
 - name: cert
 secret:
- secretName: gatekeeper-webhook-server-cert
+ secretName: {{ .Values.externalCertInjection.secretName }}
 {{- end -}}
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml
index 1736d0d53bf..e4e86ccd99d 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml
@@ -66,7 +66,7 @@ spec:
 {{- range .Values.metricsBackends}}
 - --metrics-backend={{ . }}
 {{- end }}
- - --disable-cert-rotation={{ .Values.audit.disableCertRotation }}
+ - --disable-cert-rotation={{ or .Values.audit.disableCertRotation .Values.externalCertInjection.enabled }}
 command:
 - /manager
 env:
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-webhook-server-cert-secret.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-webhook-server-cert-secret.yaml
index d6e906a995d..a841780a555 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-webhook-server-cert-secret.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-webhook-server-cert-secret.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.externalCertInjection.enabled }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -10,3 +11,4 @@ metadata:
 release: '{{ .Release.Name }}'
 name: gatekeeper-webhook-server-cert
 namespace: '{{ .Release.Namespace }}'
+{{- end }}
diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml
index f7baaa013f3..d8d199fa0d5 100644
--- a/manifest_staging/charts/gatekeeper/values.yaml
+++ b/manifest_staging/charts/gatekeeper/values.yaml
@@ -239,3 +239,6 @@ upgradeCRDs:
 extraRules: []
 rbac:
 create: true
+externalCertInjection:
+ enabled: false
+ secretName: gatekeeper-webhook-server-cert
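Review bot: Wrapping the whole Secret in `{{- if not .Values.externalCertInjection.enabled }}` means that turning the flag on for an existing release drops `gatekeeper-webhook-server-cert` from the rendered manifest, and Helm deletes resources that disappear from a release on upgrade; with the default `secretName` that is the very Secret the webhook pods mount, so as far as I can tell the upgrade removes the serving certificate and the webhook cannot serve until the external injector has re-created the Secret. During that window the outcome depends on the webhook's failure policy — requests are either rejected or admitted unchecked. Either the default `secretName` should differ from the chart-managed name, or the README rows should state that an operator enabling injection on an existing release must expect the chart-managed Secret to be deleted and must have the external Secret in place (under a different name, or re-created immediately after the upgrade).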