diff --git a/cmd/build/helmify/kustomize-for-helm.yaml b/cmd/build/helmify/kustomize-for-helm.yaml
index 391919703fa..bfb6cf5efce 100644
--- a/cmd/build/helmify/kustomize-for-helm.yaml
+++ b/cmd/build/helmify/kustomize-for-helm.yaml
@@ -85,6 +85,7 @@ spec:
 - --mutation-annotations={{ .Values.mutationAnnotations }}
 - --disable-cert-rotation={{ .Values.controllerManager.disableCertRotation }}
 - --max-serving-threads={{ .Values.maxServingThreads }}
+ - --tls-min-version={{ .Values.controllerManager.tlsMinVersion }}
 - HELMSUBST_METRICS_BACKEND_ARG
 - HELMSUBST_TLS_HEALTHCHECK_ENABLED_ARG
 - HELMSUBST_MUTATION_ENABLED_ARG
diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md
index 4b759feeaf9..b9050540d7c 100644
--- a/cmd/build/helmify/static/README.md
+++ b/cmd/build/helmify/static/README.md
@@ -166,6 +166,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 | controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` |
 | controllerManager.dnsPolicy | Set the dnsPolicy for controllerManager pods | `ClusterFirst` |
 | controllerManager.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
+| controllerManager.tlsMinVersion | Set the minimum supported TLS version for validating and mutating webhook servers | `1.3` |
 | controllerManager.extraRules | Extra rules for the gatekeeper-manager-role Role | `[]` |
 | audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` |
 | audit.podSecurityContext | Security context for audit on pod level | {fsGroup: 999, suplementalGroups: [999]} |
diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml
index 52981ac782b..6ef1c32e7da 100644
--- a/cmd/build/helmify/static/values.yaml
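Review bot: The added `- --tls-min-version={{ .Values.controllerManager.tlsMinVersion }}` renders the value with Go's default scalar formatting, and the chart default `tlsMinVersion: 1.3` in values.yaml is an unquoted YAML float, so a user who sets `1.0` would end up with `--tls-min-version=1` in the container args. The flag's accepted spellings are not visible in this diff, but a bare `1` is unlikely to be one of them, which would turn a hardening knob into a startup failure. Quoting the default as `tlsMinVersion: "1.3"` makes the value a string end to end and lets this template line stay as it is. The surrounding `args:` list continues outside the hunk.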
+++ b/cmd/build/helmify/static/values.yaml
@@ -144,6 +144,7 @@ controllerManager:
 livenessTimeout: 1
 priorityClassName: system-cluster-critical
 disableCertRotation: false
+ tlsMinVersion: 1.3
 affinity:
 podAntiAffinity:
 preferredDuringSchedulingIgnoredDuringExecution:
diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md
index 4b759feeaf9..b9050540d7c 100644
--- a/manifest_staging/charts/gatekeeper/README.md
+++ b/manifest_staging/charts/gatekeeper/README.md
@@ -166,6 +166,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 | controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` |
 | controllerManager.dnsPolicy | Set the dnsPolicy for controllerManager pods | `ClusterFirst` |
 | controllerManager.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
+| controllerManager.tlsMinVersion | Set the minimum supported TLS version for validating and mutating webhook servers | `1.3` |
 | controllerManager.extraRules | Extra rules for the gatekeeper-manager-role Role | `[]` |
 | audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` |
 | audit.podSecurityContext | Security context for audit on pod level | {fsGroup: 999, suplementalGroups: [999]} |
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml
index fa7e8f527b3..266bbeba400 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml
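Review bot: The new `tlsMinVersion: 1.3` key under `controllerManager` carries no comment saying what it controls or that it is a security floor, and as an unquoted float it is the one knob in this block whose value can change shape when a user edits it (`1.0` renders as `1`). I would document it in place: `# Minimum TLS version the validating/mutating webhook server will negotiate (passed as --tls-min-version). Keep quoted so values such as 1.0 render verbatim.` and make the default `tlsMinVersion: "1.3"`. Lowering this below 1.2 re-enables protocol versions with known weaknesses, so a one-line warning here is worth more than the README row alone. The `controllerManager:` mapping continues outside the hunk.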
@@ -63,6 +63,7 @@ spec:
 - --mutation-annotations={{ .Values.mutationAnnotations }}
 - --disable-cert-rotation={{ .Values.controllerManager.disableCertRotation }}
 - --max-serving-threads={{ .Values.maxServingThreads }}
+ - --tls-min-version={{ .Values.controllerManager.tlsMinVersion }}
 {{- range .Values.metricsBackends}}
 - --metrics-backend={{ . }}
diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml
index 52981ac782b..6ef1c32e7da 100644
--- a/manifest_staging/charts/gatekeeper/values.yaml
+++ b/manifest_staging/charts/gatekeeper/values.yaml
@@ -144,6 +144,7 @@ controllerManager:
 livenessTimeout: 1
 priorityClassName: system-cluster-critical
 disableCertRotation: false
+ tlsMinVersion: 1.3
 affinity:
 podAntiAffinity:
 preferredDuringSchedulingIgnoredDuringExecution: