chore: Prepare v3.18.0-rc.0 release

Makefile

@@ -22,7 +22,7 @@ LOG_LEVEL ?= "INFO"
 GENERATE_VAP ?= false
 GENERATE_VAPBINDING ?= false
 
-VERSION := v3.18.0-beta.0
+VERSION := v3.18.0-rc.0
 
 KIND_VERSION ?= 0.17.0
 KIND_CLUSTER_FILE ?= test/bats/tests/kindcluster.yml

charts/gatekeeper/Chart.yaml

@@ -4,8 +4,8 @@ name: gatekeeper
 icon: https://open-policy-agent.github.io/gatekeeper/website/img/logo.svg
 keywords:
   - open policy agent
-version: 3.18.0-beta.0
+version: 3.18.0-rc.0
 home: https://github.com/open-policy-agent/gatekeeper
 sources:
   - https://github.com/open-policy-agent/gatekeeper.git
-appVersion: v3.18.0-beta.0
+appVersion: v3.18.0-rc.0

charts/gatekeeper/crds/config-customresourcedefinition.yaml

@@ -112,7 +112,41 @@ spec:
             type: object
           status:
             description: ConfigStatus defines the observed state of Config.
+            properties:
+              byPod:
+                items:
+                  properties:
+                    configUID:
+                      description: |-
+                        UID is a type that holds unique ID values, including UUIDs.  Because we
+                        don't ONLY use UUIDs, this is an alias to string.  Being a type captures
+                        intent and helps make sure that UIDs and names do not get conflated.
+                      type: string
+                    errors:
+                      items:
+                        properties:
+                          message:
+                            type: string
+                          type:
+                            type: string
+                        required:
+                        - message
+                        type: object
+                      type: array
+                    id:
+                      type: string
+                    observedGeneration:
+                      format: int64
+                      type: integer
+                    operations:
+                      items:
+                        type: string
+                      type: array
+                  type: object
+                type: array
             type: object
         type: object
     served: true
     storage: true
+    subresources:
+      status: {}

charts/gatekeeper/crds/configpodstatus-customresourcedefinition.yaml

@@ -0,0 +1,72 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  labels:
+    gatekeeper.sh/system: "yes"
+  name: configpodstatuses.status.gatekeeper.sh
+spec:
+  group: status.gatekeeper.sh
+  names:
+    kind: ConfigPodStatus
+    listKind: ConfigPodStatusList
+    plural: configpodstatuses
+    singular: configpodstatus
+  preserveUnknownFields: false
+  scope: Namespaced
+  versions:
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          status:
+            properties:
+              configUID:
+                description: |-
+                  UID is a type that holds unique ID values, including UUIDs.  Because we
+                  don't ONLY use UUIDs, this is an alias to string.  Being a type captures
+                  intent and helps make sure that UIDs and names do not get conflated.
+                type: string
+              errors:
+                items:
+                  properties:
+                    message:
+                      type: string
+                    type:
+                      type: string
+                  required:
+                  - message
+                  type: object
+                type: array
+              id:
+                type: string
+              observedGeneration:
+                format: int64
+                type: integer
+              operations:
+                items:
+                  type: string
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true

charts/gatekeeper/crds/constraintpodstatus-customresourcedefinition.yaml

@@ -50,6 +50,24 @@ spec:
                 type: string
               enforced:
                 type: boolean
+              enforcementPointsStatus:
+                items:
+                  description: EnforcementPointStatus represents the status of a single enforcement point.
+                  properties:
+                    enforcementPoint:
+                      type: string
+                    message:
+                      type: string
+                    observedGeneration:
+                      format: int64
+                      type: integer
+                    state:
+                      type: string
+                  required:
+                  - enforcementPoint
+                  - state
+                  type: object
+                type: array
               errors:
                 items:
                   description: Error represents a single error caught while adding a constraint to engine.

charts/gatekeeper/crds/constrainttemplatepodstatus-customresourcedefinition.yaml

@@ -73,6 +73,17 @@ spec:
                   don't ONLY use UUIDs, this is an alias to string.  Being a type captures
                   intent and helps make sure that UIDs and names do not get conflated.
                 type: string
+              vapGenerationStatus:
+                description: VAPGenerationStatus represents the status of VAP generation.
+                properties:
+                  observedGeneration:
+                    format: int64
+                    type: integer
+                  state:
+                    type: string
+                  warning:
+                    type: string
+                type: object
             type: object
         type: object
     served: true

charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml

@@ -4,6 +4,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
+    {{- include "gatekeeper.commonLabels" . | nindent 4 }}
     app: '{{ template "gatekeeper.name" . }}'
     chart: '{{ template "gatekeeper.name" . }}'
     control-plane: audit-controller
@@ -62,15 +63,21 @@ spec:
         - --validating-webhook-configuration-name={{ .Values.validatingWebhookName }}
         - --mutating-webhook-configuration-name={{ .Values.mutatingWebhookName }}
         - --audit-from-cache={{ .Values.auditFromCache }}
-        - --audit-chunk-size={{ .Values.auditChunkSize }}
+        {{ if hasKey .Values "auditChunkSize" }}- --audit-chunk-size={{ .Values.auditChunkSize }}{{- end }}
         - --audit-match-kind-only={{ .Values.auditMatchKindOnly }}
-        - --emit-audit-events={{ .Values.emitAuditEvents }}
+        {{ if hasKey .Values "emitAuditEvents" }}- --emit-audit-events={{ .Values.emitAuditEvents }}{{- end }}
+        {{ if hasKey .Values "logStatsAudit" }}- --log-stats-audit={{ .Values.logStatsAudit }}{{- end }}
         - --audit-events-involved-namespace={{ .Values.auditEventsInvolvedNamespace }}
         - --operation=audit
         - --operation=status
-        {{ if .Values.audit.enablePubsub}}
+        - --operation=generate
+        {{ if hasKey .Values.audit "enablePubsub" }}
         - --enable-pub-sub={{ .Values.audit.enablePubsub }}
+        {{- end }}
+        {{ if hasKey .Values.audit "connection" }}
         - --audit-connection={{ .Values.audit.connection }}
+        {{- end }}
+        {{ if hasKey .Values.audit "channel" }}
         - --audit-channel={{ .Values.audit.channel }}
         {{- end }}
         {{ if not .Values.disableMutation}}- --operation=mutation-status{{- end }}
@@ -98,6 +105,9 @@ spec:
         {{- if hasKey .Values "defaultCreateVAPBindingForConstraints"}}
         - --default-create-vap-binding-for-constraints={{ .Values.defaultCreateVAPBindingForConstraints }}
         {{- end }}
+        {{ if hasKey .Values "defaultWaitForVAPBGeneration"}}
+        - --default-wait-for-vapb-generation={{ .Values.defaultWaitForVAPBGeneration }}
+        {{- end }}
         command:
         - /manager
         env:

charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml

@@ -3,6 +3,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
+    {{- include "gatekeeper.commonLabels" . | nindent 4 }}
     app: '{{ template "gatekeeper.name" . }}'
     chart: '{{ template "gatekeeper.name" . }}'
     control-plane: controller-manager
@@ -63,7 +64,8 @@ spec:
         - --prometheus-port={{ .Values.controllerManager.metricsPort }}
         - --logtostderr
         - --log-denies={{ .Values.logDenies }}
-        - --emit-admission-events={{ .Values.emitAdmissionEvents }}
+        {{ if hasKey .Values "emitAdmissionEvents" }}- --emit-admission-events={{ .Values.emitAdmissionEvents }}{{- end }}
+        {{ if hasKey .Values "logStatsAdmission" }}- --log-stats-admission={{ .Values.logStatsAdmission }}{{- end }}
         - --admission-events-involved-namespace={{ .Values.admissionEventsInvolvedNamespace }}
         - --log-level={{ (.Values.controllerManager.logLevel | empty | not) | ternary .Values.controllerManager.logLevel .Values.logLevel }}
         - --exempt-namespace={{ .Release.Namespace }}

charts/gatekeeper/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml

@@ -1,6 +1,6 @@
 ---
-{{- $v1 := .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}}
-{{- $v1beta1 := .Capabilities.APIVersions.Has "policy/v1beta1/PodDisruptionBudget" -}}
+{{ $v1 := .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}}
+{{ $v1beta1 := .Capabilities.APIVersions.Has "policy/v1beta1/PodDisruptionBudget" -}}
 apiVersion: policy/v1{{- if and (not $v1) $v1beta1 -}}beta1{{- end }}
 kind: PodDisruptionBudget
 metadata:

charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml

@@ -63,6 +63,18 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - config.gatekeeper.sh
+  resources:
+  - '*'
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - config.gatekeeper.sh
   resources:

charts/gatekeeper/values.yaml

@@ -39,8 +39,6 @@ auditChunkSize: 500
 logLevel: INFO
 logDenies: false
 logMutations: false
-emitAdmissionEvents: false
-emitAuditEvents: false
 admissionEventsInvolvedNamespace: false
 auditEventsInvolvedNamespace: false
 resourceQuota: true
@@ -49,14 +47,14 @@ enableK8sNativeValidation: true
 image:
   repository: openpolicyagent/gatekeeper
   crdRepository: openpolicyagent/gatekeeper-crds
-  release: v3.18.0-beta.0
+  release: v3.18.0-rc.0
   pullPolicy: IfNotPresent
   pullSecrets: []
 preInstall:
   crdRepository:
     image:
       repository: null
-      tag: v3.18.0-beta.0
+      tag: v3.18.0-rc.0
 postUpgrade:
   labelNamespace:
     serviceAccount:
@@ -65,7 +63,7 @@ postUpgrade:
     enabled: false
     image:
       repository: openpolicyagent/gatekeeper-crds
-      tag: v3.18.0-beta.0
+      tag: v3.18.0-rc.0
       pullPolicy: IfNotPresent
       pullSecrets: []
     extraNamespaces: []
@@ -99,7 +97,7 @@ postInstall:
     extraRules: []
     image:
       repository: openpolicyagent/gatekeeper-crds
-      tag: v3.18.0-beta.0
+      tag: v3.18.0-rc.0
       pullPolicy: IfNotPresent
       pullSecrets: []
     extraNamespaces: []
@@ -143,7 +141,7 @@ preUninstall:
     enabled: false
     image:
       repository: openpolicyagent/gatekeeper-crds
-      tag: v3.18.0-beta.0
+      tag: v3.18.0-rc.0
       pullPolicy: IfNotPresent
       pullSecrets: []
     priorityClassName: ""
@@ -222,16 +220,13 @@ controllerManager:
   extraRules: []
   networkPolicy:
     enabled: false
-    ingress: { }
+    ingress: []
       # - from:
       #   - ipBlock:
       #       cidr: 0.0.0.0/0
 audit:
   serviceAccount:
     name: gatekeeper-admin
-  enablePubsub: false
-  connection: audit-connection
-  channel: audit-channel
   hostNetwork: false
   dnsPolicy: ClusterFirst
   metricsPort: 8888

cmd/build/helmify/static/Chart.yaml

@@ -4,8 +4,8 @@ name: gatekeeper
 icon: https://open-policy-agent.github.io/gatekeeper/website/img/logo.svg
 keywords:
   - open policy agent
-version: 3.18.0-beta.0
+version: 3.18.0-rc.0
 home: https://github.com/open-policy-agent/gatekeeper
 sources:
   - https://github.com/open-policy-agent/gatekeeper.git
-appVersion: v3.18.0-beta.0
+appVersion: v3.18.0-rc.0