feat: Add Recommended Helm/K8s labels

cmd/build/helmify/static/templates/_helpers.tpl

@@ -36,10 +36,44 @@ Adds additional pod labels to the common ones
 */}}
 {{- define "gatekeeper.podLabels" -}}
 {{- if .Values.podLabels }}
-{{- toYaml .Values.podLabels | nindent 8 }}
+{{- toYaml .Values.podLabels }}
 {{- end }}
 {{- end -}}
 
+{{/*
+Mandatory labels
+*/}}
+{{- define "gatekeeper.mandatoryLabels" -}}
+app: {{ include "gatekeeper.name" . }}
+chart: {{ include "gatekeeper.name" . }}
+gatekeeper.sh/system: "yes"
+heritage: {{ .Release.Service }}
+release: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "gatekeeper.commonLabels" -}}
+helm.sh/chart: {{ include "gatekeeper.chart" . }}
+{{ include "gatekeeper.selectorLabels" . }}
+{{- if .Chart.Version }}
+app.kubernetes.io/version: {{ .Chart.Version | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- if .Values.commonLabels }}
+{{ toYaml .Values.commonLabels }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "gatekeeper.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "gatekeeper.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
 {{/*
 Output post install webhook probe container entry
 */}}

cmd/build/helmify/static/templates/gatekeeper-admin-podsecuritypolicy.yaml

@@ -5,11 +5,8 @@ metadata:
   annotations:
     seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
   labels:
-    app: '{{ template "gatekeeper.name" . }}'
-    chart: '{{ template "gatekeeper.name" . }}'
-    gatekeeper.sh/system: "yes"
-    heritage: '{{ .Release.Service }}'
-    release: '{{ .Release.Name }}'
+    {{- include "gatekeeper.mandatoryLabels" . | nindent 4 }}
+    {{- include "gatekeeper.commonLabels" . | nindent 4 }}
   name: gatekeeper-admin
 spec:
   allowPrivilegeEscalation: false

cmd/build/helmify/static/templates/gatekeeper-controller-manager-network-policy.yaml

@@ -3,28 +3,24 @@ kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
   labels:
-    app: '{{ template "gatekeeper.name" . }}'
-    chart: '{{ template "gatekeeper.name" . }}'
-    heritage: '{{ .Release.Service }}'
-    release: '{{ .Release.Name }}'
+    {{- include "gatekeeper.mandatoryLabels" . | nindent 4 }}
+    {{- include "gatekeeper.commonLabels" . | nindent 4 }}
   name: gatekeeper-controller-manager
 spec:
   ingress:
     - from:
         - podSelector:
             matchLabels:
+              {{- include "gatekeeper.commonLabels" . | nindent 14 }}
               app: '{{ template "gatekeeper.name" . }}'
               release: '{{ .Release.Name }}'
     {{- with .Values.controllerManager.networkPolicy.ingress }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
   podSelector:
     matchLabels:
-      app: '{{ template "gatekeeper.name" . }}'
-      chart: '{{ template "gatekeeper.name" . }}'
+      {{- include "gatekeeper.mandatoryLabels" . | nindent 6 }}
+      {{- include "gatekeeper.commonLabels" . | nindent 6 }}
       control-plane: controller-manager
       gatekeeper.sh/operation: webhook
-      gatekeeper.sh/system: "yes"
-      heritage: '{{ .Release.Service }}'
-      release: '{{ .Release.Name }}'
 {{- end -}}

cmd/build/helmify/static/templates/namespace-post-install.yaml

@@ -5,11 +5,8 @@ metadata:
   name: gatekeeper-update-namespace-label
   namespace: {{ .Release.Namespace | quote }}
   labels:
-    app: '{{ template "gatekeeper.name" . }}'
-    chart: '{{ template "gatekeeper.name" . }}'
-    gatekeeper.sh/system: "yes"
-    heritage: '{{ .Release.Service }}'
-    release: '{{ .Release.Name }}'
+    {{- include "gatekeeper.mandatoryLabels" . | nindent 4 }}
+    {{- include "gatekeeper.commonLabels" . | nindent 4 }}
   annotations:
     "helm.sh/hook": post-install
     "helm.sh/hook-weight": "-5"
@@ -23,12 +20,9 @@ spec:
       annotations:
         {{- toYaml .Values.podAnnotations | trim | nindent 8 }}
       labels:
-        {{- include "gatekeeper.podLabels" . }}
-        app: '{{ template "gatekeeper.name" . }}'
-        chart: '{{ template "gatekeeper.name" . }}'
-        gatekeeper.sh/system: "yes"
-        heritage: '{{ .Release.Service }}'
-        release: '{{ .Release.Name }}'
+        {{- include "gatekeeper.podLabels" . | nindent 8 }}
+        {{- include "gatekeeper.mandatoryLabels" . | nindent 8 }}
+        {{- include "gatekeeper.commonLabels" . | nindent 8 }}
     spec:
       restartPolicy: OnFailure
       {{- if .Values.postInstall.labelNamespace.priorityClassName }}
@@ -102,6 +96,7 @@ metadata:
   name: gatekeeper-update-namespace-label
   namespace: {{ .Release.Namespace | quote }}
   labels:
+    {{- include "gatekeeper.commonLabels" . | nindent 4 }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
   annotations:
@@ -115,6 +110,7 @@ kind: ClusterRole
 metadata:
   name: gatekeeper-update-namespace-label
   labels:
+    {{- include "gatekeeper.commonLabels" . | nindent 4 }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
   annotations:
@@ -146,6 +142,7 @@ kind: ClusterRoleBinding
 metadata:
   name: gatekeeper-update-namespace-label
   labels:
+    {{- include "gatekeeper.commonLabels" . | nindent 4 }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
   annotations:

cmd/build/helmify/static/templates/namespace-post-upgrade.yaml

@@ -5,11 +5,8 @@ metadata:
   name: gatekeeper-update-namespace-label-post-upgrade
   namespace: {{ .Release.Namespace | quote }}
   labels:
-    app: '{{ template "gatekeeper.name" . }}'
-    chart: '{{ template "gatekeeper.name" . }}'
-    gatekeeper.sh/system: "yes"
-    heritage: '{{ .Release.Service }}'
-    release: '{{ .Release.Name }}'
+    {{- include "gatekeeper.mandatoryLabels" . | nindent 4 }}
+    {{- include "gatekeeper.commonLabels" . | nindent 4 }}
   annotations:
     "helm.sh/hook": post-upgrade
     "helm.sh/hook-weight": "-5"
@@ -21,12 +18,9 @@ spec:
   template:
     metadata:
       labels:
-        {{- include "gatekeeper.podLabels" . }}
-        app: '{{ template "gatekeeper.name" . }}'
-        chart: '{{ template "gatekeeper.name" . }}'
-        gatekeeper.sh/system: "yes"
-        heritage: '{{ .Release.Service }}'
-        release: '{{ .Release.Name }}'
+        {{- include "gatekeeper.podLabels" . | nindent 8 }}
+        {{- include "gatekeeper.mandatoryLabels" . | nindent 8 }}
+        {{- include "gatekeeper.commonLabels" . | nindent 8 }}
     spec:
       restartPolicy: OnFailure
       {{- if .Values.postUpgrade.labelNamespace.image.pullSecrets }}
@@ -93,6 +87,7 @@ kind: ServiceAccount
 metadata:
   name: gatekeeper-update-namespace-label-post-upgrade
   labels:
+    {{- include "gatekeeper.commonLabels" . | nindent 4 }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
   annotations:
@@ -106,6 +101,7 @@ kind: ClusterRole
 metadata:
   name: gatekeeper-update-namespace-label-post-upgrade
   labels:
+    {{- include "gatekeeper.commonLabels" . | nindent 4 }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
   annotations:
@@ -134,6 +130,7 @@ kind: ClusterRoleBinding
 metadata:
   name: gatekeeper-update-namespace-label-post-upgrade
   labels:
+    {{- include "gatekeeper.commonLabels" . | nindent 4 }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
   annotations:

cmd/build/helmify/static/templates/probe-webhook-post-install.yaml

@@ -5,11 +5,8 @@ kind: Job
 metadata:
   name: gatekeeper-probe-webhook-post-install
   labels:
-    app: '{{ template "gatekeeper.name" . }}'
-    chart: '{{ template "gatekeeper.name" . }}'
-    gatekeeper.sh/system: "yes"
-    heritage: '{{ .Release.Service }}'
-    release: '{{ .Release.Name }}'
+    {{- include "gatekeeper.mandatoryLabels" . | nindent 4 }}
+    {{- include "gatekeeper.commonLabels" . | nindent 4 }}
   annotations:
     "helm.sh/hook": post-install
     "helm.sh/hook-weight": "-5"
@@ -20,12 +17,9 @@ spec:
       annotations:
         {{- toYaml .Values.podAnnotations | trim | nindent 8 }}
       labels:
-        {{- include "gatekeeper.podLabels" . }}
-        app: '{{ template "gatekeeper.name" . }}'
-        chart: '{{ template "gatekeeper.name" . }}'
-        gatekeeper.sh/system: "yes"
-        heritage: '{{ .Release.Service }}'
-        release: '{{ .Release.Name }}'
+        {{- include "gatekeeper.podLabels" . | nindent 8 }}
+        {{- include "gatekeeper.mandatoryLabels" . | nindent 8 }}
+        {{- include "gatekeeper.commonLabels" . | nindent 8 }}
     spec:
       restartPolicy: Never
       {{- if .Values.postInstall.probeWebhook.priorityClassName }}

cmd/build/helmify/static/templates/upgrade-crds-hook.yaml

@@ -5,6 +5,7 @@ kind: ClusterRole
 metadata:
   name: gatekeeper-admin-upgrade-crds
   labels:
+    {{- include "gatekeeper.commonLabels" . | nindent 4 }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
   annotations:
@@ -26,6 +27,7 @@ kind: ClusterRoleBinding
 metadata:
   name: gatekeeper-admin-upgrade-crds
   labels:
+    {{- include "gatekeeper.commonLabels" . | nindent 4 }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
   annotations:
@@ -46,6 +48,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
+    {{- include "gatekeeper.commonLabels" . | nindent 4 }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
   name: gatekeeper-admin-upgrade-crds
@@ -61,11 +64,8 @@ metadata:
   name: gatekeeper-update-crds-hook
   namespace: {{ .Release.Namespace }}
   labels:
-    app: {{ template "gatekeeper.name" . }}
-    chart: {{ template "gatekeeper.name" . }}
-    gatekeeper.sh/system: "yes"
-    heritage: {{ .Release.Service }}
-    release: {{ .Release.Name }}
+    {{- include "gatekeeper.mandatoryLabels" . | nindent 4 }}
+    {{- include "gatekeeper.commonLabels" . | nindent 4 }}
   annotations:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-weight: "1"
@@ -78,12 +78,9 @@ spec:
       annotations:
         {{- toYaml .Values.podAnnotations | trim | nindent 8 }}
       labels:
-        {{- include "gatekeeper.podLabels" . }}
-        app: '{{ template "gatekeeper.name" . }}'
-        chart: '{{ template "gatekeeper.name" . }}'
-        gatekeeper.sh/system: "yes"
-        heritage: '{{ .Release.Service }}'
-        release: '{{ .Release.Name }}'
+        {{- include "gatekeeper.podLabels" . | nindent 8 }}
+        {{- include "gatekeeper.mandatoryLabels" . | nindent 8 }}
+        {{- include "gatekeeper.commonLabels" . | nindent 8 }}
     spec:
       serviceAccountName: gatekeeper-admin-upgrade-crds
       restartPolicy: Never

cmd/build/helmify/static/templates/webhook-configs-pre-delete.yaml

@@ -5,11 +5,8 @@ metadata:
   name: gatekeeper-delete-webhook-configs
   namespace: {{ .Release.Namespace | quote }}
   labels:
-    app: '{{ template "gatekeeper.name" . }}'
-    chart: '{{ template "gatekeeper.name" . }}'
-    gatekeeper.sh/system: "yes"
-    heritage: '{{ .Release.Service }}'
-    release: '{{ .Release.Name }}'
+    {{- include "gatekeeper.mandatoryLabels" . | nindent 4 }}
+    {{- include "gatekeeper.commonLabels" . | nindent 4 }}
   annotations:
     "helm.sh/hook": pre-delete
     "helm.sh/hook-weight": "-5"
@@ -20,12 +17,9 @@ spec:
       annotations:
         {{- toYaml .Values.podAnnotations | trim | nindent 8 }}
       labels:
-        {{- include "gatekeeper.podLabels" . }}
-        app: '{{ template "gatekeeper.name" . }}'
-        chart: '{{ template "gatekeeper.name" . }}'
-        gatekeeper.sh/system: "yes"
-        heritage: '{{ .Release.Service }}'
-        release: '{{ .Release.Name }}'
+        {{- include "gatekeeper.podLabels" . | nindent 8 }}
+        {{- include "gatekeeper.mandatoryLabels" . | nindent 8 }}
+        {{- include "gatekeeper.commonLabels" . | nindent 8 }}
     spec:
       restartPolicy: OnFailure
       {{- if .Values.preUninstall.deleteWebhookConfigurations.image.pullSecrets }}
@@ -71,6 +65,7 @@ metadata:
   name: gatekeeper-delete-webhook-configs
   namespace: {{ .Release.Namespace | quote }}
   labels:
+    {{- include "gatekeeper.commonLabels" . | nindent 4 }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
   annotations:
@@ -84,6 +79,7 @@ kind: ClusterRole
 metadata:
   name: gatekeeper-delete-webhook-configs
   labels:
+    {{- include "gatekeeper.commonLabels" . | nindent 4 }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
   annotations:
@@ -122,6 +118,7 @@ kind: ClusterRoleBinding
 metadata:
   name: gatekeeper-delete-webhook-configs
   labels:
+    {{- include "gatekeeper.commonLabels" . | nindent 4 }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
   annotations:

manifest_staging/charts/gatekeeper/templates/_helpers.tpl

@@ -36,10 +36,44 @@ Adds additional pod labels to the common ones
 */}}
 {{- define "gatekeeper.podLabels" -}}
 {{- if .Values.podLabels }}
-{{- toYaml .Values.podLabels | nindent 8 }}
+{{- toYaml .Values.podLabels }}
 {{- end }}
 {{- end -}}
 
+{{/*
+Mandatory labels
+*/}}
+{{- define "gatekeeper.mandatoryLabels" -}}
+app: {{ include "gatekeeper.name" . }}
+chart: {{ include "gatekeeper.name" . }}
+gatekeeper.sh/system: "yes"
+heritage: {{ .Release.Service }}
+release: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "gatekeeper.commonLabels" -}}
+helm.sh/chart: {{ include "gatekeeper.chart" . }}
+{{ include "gatekeeper.selectorLabels" . }}
+{{- if .Chart.Version }}
+app.kubernetes.io/version: {{ .Chart.Version | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- if .Values.commonLabels }}
+{{ toYaml .Values.commonLabels }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "gatekeeper.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "gatekeeper.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
 {{/*
 Output post install webhook probe container entry
 */}}

manifest_staging/charts/gatekeeper/templates/gatekeeper-admin-podsecuritypolicy.yaml

@@ -5,11 +5,8 @@ metadata:
   annotations:
     seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
   labels:
-    app: '{{ template "gatekeeper.name" . }}'
-    chart: '{{ template "gatekeeper.name" . }}'
-    gatekeeper.sh/system: "yes"
-    heritage: '{{ .Release.Service }}'
-    release: '{{ .Release.Name }}'
+    {{- include "gatekeeper.mandatoryLabels" . | nindent 4 }}
+    {{- include "gatekeeper.commonLabels" . | nindent 4 }}
   name: gatekeeper-admin
 spec:
   allowPrivilegeEscalation: false