feat: deprecate Helm 2

Signed-off-by: Julian Dolce <jdolce@qnx.com>

.github/workflows/upgrade.yaml

@@ -18,7 +18,7 @@ jobs:
     timeout-minutes: 15
     strategy:
       matrix:
-        HELM_VERSION: ["2.17.0", "3.4.2"]
+        HELM_VERSION: ["3.4.2"]
     steps:
       - name: Check out code into the Go module directory
         uses: actions/checkout@v2

.github/workflows/workflow.yaml

@@ -133,7 +133,7 @@ jobs:
     timeout-minutes: 15
     strategy:
       matrix:
-        HELM_VERSION: ["2.17.0", "3.4.2"]
+        HELM_VERSION: ["3.4.2"]
         GATEKEEPER_NAMESPACE: ["gatekeeper-system", "custom-namespace"]
     steps:
       - name: Check out code into the Go module directory

Makefile

@@ -15,7 +15,7 @@ KUSTOMIZE_VERSION ?= 3.8.8
 BATS_VERSION ?= 1.2.1
 BATS_TESTS_FILE ?= test/bats/test.bats
 KUBECTL_KUSTOMIZE_VERSION ?= 1.20.1-${KUSTOMIZE_VERSION}
-HELM_VERSION ?= 2.17.0
+HELM_VERSION ?= 3.4.2
 HELM_ARGS ?=
 GATEKEEPER_NAMESPACE ?= gatekeeper-system
 
@@ -123,42 +123,27 @@ e2e-helm-install:
 	./.staging/helm/linux-amd64/helm version --client
 
 e2e-helm-deploy: e2e-helm-install
-ifneq ($(GATEKEEPER_NAMESPACE),gatekeeper-system)
-	kubectl create namespace $(GATEKEEPER_NAMESPACE) --dry-run=client -o yaml | kubectl apply -f -
-	kubectl label ns $(GATEKEEPER_NAMESPACE) admission.gatekeeper.sh/ignore=no-self-managing
-	kubectl label ns $(GATEKEEPER_NAMESPACE) gatekeeper.sh/system="yes"
-	$(eval HELM_ARGS := --namespace $(GATEKEEPER_NAMESPACE) --set createNamespace=false)
-endif
-
-	@if [ $$(echo ${HELM_VERSION} | head -c 1) = "2" ]; then\
-		kubectl create clusterrolebinding tiller-admin --clusterrole=cluster-admin --serviceaccount=kube-system:default;\
-		./.staging/helm/linux-amd64/helm init --wait --history-max=5;\
-		kubectl -n kube-system wait --for=condition=Ready pod -l name=tiller --timeout=300s;\
-		./.staging/helm/linux-amd64/helm install manifest_staging/charts/gatekeeper --name=gatekeeper --debug ${HELM_ARGS} --set image.repository=${HELM_REPO} --set image.release=${HELM_RELEASE} --set emitAdmissionEvents=true --set emitAuditEvents=true;\
-	else\
-		./.staging/helm/linux-amd64/helm install manifest_staging/charts/gatekeeper --name-template=gatekeeper ${HELM_ARGS} --debug --set image.repository=${HELM_REPO} --set image.release=${HELM_RELEASE} --set emitAdmissionEvents=true --set emitAuditEvents=true;\
-	fi;
+	./.staging/helm/linux-amd64/helm install manifest_staging/charts/gatekeeper --name-template=gatekeeper -n ${GATEKEEPER_NAMESPACE} --create-namespace --debug \
+	--set image.repository=${HELM_REPO} \
+	--set image.release=${HELM_RELEASE} \
+	--set emitAdmissionEvents=true \
+	--set emitAuditEvents=true \
+	--set postInstall.labelNamespace.enabled=true;\
 
 e2e-helm-upgrade-init: e2e-helm-install
-	@if [ $$(echo ${HELM_VERSION} | head -c 1) = "2" ]; then\
-		kubectl create clusterrolebinding tiller-admin --clusterrole=cluster-admin --serviceaccount=kube-system:default;\
-		./.staging/helm/linux-amd64/helm init --wait --history-max=5;\
-		kubectl -n kube-system wait --for=condition=Ready pod -l name=tiller --timeout=300s;\
-		./.staging/helm/linux-amd64/helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts;\
-		./.staging/helm/linux-amd64/helm install gatekeeper/gatekeeper \
-			--version ${BASE_RELEASE} --name gatekeeper \
-			--set emitAdmissionEvents=true --set emitAuditEvents=true --debug --wait;\
-	else\
 		./.staging/helm/linux-amd64/helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts;\
-		./.staging/helm/linux-amd64/helm install gatekeeper/gatekeeper \
-			--version ${BASE_RELEASE} --name-template gatekeeper \
-			--set emitAdmissionEvents=true --set emitAuditEvents=true --debug --wait;\
-	fi;
+		./.staging/helm/linux-amd64/helm install gatekeeper gatekeeper/gatekeeper --version ${BASE_RELEASE} --debug --wait \
+		 --set emitAdmissionEvents=true \
+		 --set emitAuditEvents=true \
+		 --set customResourceDefinitions.create=false;\
 
 e2e-helm-upgrade:
-	./.staging/helm/linux-amd64/helm upgrade gatekeeper manifest_staging/charts/gatekeeper \
-		--set image.repository=${HELM_REPO} --set image.release=${HELM_RELEASE} \
-		--set emitAdmissionEvents=true --set emitAuditEvents=true --debug --wait;\
+	./helm_migrate.sh
+	./.staging/helm/linux-amd64/helm install -n ${GATEKEEPER_NAMESPACE} gatekeeper manifest_staging/charts/gatekeeper --create-namespace --debug --wait \
+		--set image.repository=${HELM_REPO} \
+		--set image.release=${HELM_RELEASE} \
+		--set emitAdmissionEvents=true \
+		--set emitAuditEvents=true;\
 
 # Build manager binary
 manager: generate

cmd/build/helmify/kustomization.yaml

@@ -1,4 +1,4 @@
-namespace: '{{ include "gatekeeper.namespace" . }}'
+namespace: "{{ .Release.Namespace }}"
 commonLabels:
   app: '{{ template "gatekeeper.name" . }}'
   chart: '{{ template "gatekeeper.name" . }}'

cmd/build/helmify/kustomize-for-helm.yaml

@@ -82,7 +82,7 @@ spec:
             - --log-denies={{ .Values.logDenies }}
             - --emit-admission-events={{ .Values.emitAdmissionEvents }}
             - --log-level={{ .Values.logLevel }}
-            - --exempt-namespace={{ include "gatekeeper.namespace" . }}
+            - --exempt-namespace={{ .Release.Namespace }}
             - --operation=webhook
             - --enable-mutation={{ .Values.experimentalEnableMutation}}
           imagePullPolicy: "{{ .Values.image.pullPolicy }}"

cmd/build/helmify/main.go

@@ -15,8 +15,7 @@ import (
 )
 
 var (
-	outputDir  = flag.String("output-dir", "manifest_staging/charts/gatekeeper", "The root directory in which to write the Helm chart")
-	useCRDsDir = flag.Bool("use-crds-dir", true, `Use the "crds" subdirectory, which requires Helm v3`)
+	outputDir = flag.String("output-dir", "manifest_staging/charts/gatekeeper", "The root directory in which to write the Helm chart")
 )
 
 var kindRegex = regexp.MustCompile(`(?m)^kind:[\s]+([\S]+)[\s]*$`)
@@ -40,13 +39,6 @@ func extractName(s string) (string, error) {
 	return strings.Trim(matches[1], `"'`), nil
 }
 
-//extractNamespaceName returns the default "gatekeeper-system" namespace.
-//Because the namespace is '{{ include "gatekeeper.namespace" . }}' it fails to be found in extractName.
-//There should only ever be 1 Namespace so this should be safe
-func extractNamespaceName(s string) (string, error) {
-	return "gatekeeper-system", nil
-}
-
 func extractCRDKind(obj string) (string, error) {
 	crd := &apiextensionsv1beta1.CustomResourceDefinition{}
 	if err := yaml.Unmarshal([]byte(obj), crd); err != nil {
@@ -80,16 +72,16 @@ func (ks *kindSet) Write() error {
 		nameExtractor := extractName
 		if kind == "CustomResourceDefinition" {
 			nameExtractor = extractCRDKind
-			if *useCRDsDir {
-				subPath = "crds"
-				parentDir := path.Join(*outputDir, subPath)
-				fmt.Printf("Making %s\n", parentDir)
-				if err := os.Mkdir(parentDir, 0750); err != nil {
-					return err
-				}
+			subPath = "crds"
+			parentDir := path.Join(*outputDir, subPath)
+			fmt.Printf("Making %s\n", parentDir)
+			if err := os.Mkdir(parentDir, 0750); err != nil {
+				return err
 			}
-		} else if kind == "Namespace" {
-			nameExtractor = extractNamespaceName
+		}
+
+		if kind == "Namespace" {
+			continue
 		}
 
 		for _, obj := range objs {
@@ -109,10 +101,6 @@ func (ks *kindSet) Write() error {
 				obj = "{{- if .Values.experimentalEnableMutation }}\n" + obj + "{{- end }}\n"
 			}
 
-			if name == "gatekeeper-system" {
-				obj = "{{- if .Values.createNamespace }}\n" + obj + "{{- end }}\n"
-			}
-
 			if kind == "Deployment" {
 				obj = strings.Replace(obj, "      labels:", "      labels:\n{{- include \"gatekeeper.podLabels\" . }}", 1)
 			}

cmd/build/helmify/static/Chart.yaml

@@ -1,4 +1,4 @@
-apiVersion: v1
+apiVersion: v2
 description: A Helm chart for Gatekeeper
 name: gatekeeper
 keywords:

cmd/build/helmify/static/README.md

@@ -1,9 +1,75 @@
 # Gatekeeper Helm Chart
 
+## Get Repo Info
+
+```console
+helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Install Chart
+
+```console
+# Helm install with gatekeeper-system namespace already created
+$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper
+
+# Helm install and create namespace
+$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace
+
+```
+
+_See [parameters](#parameters) below._
+
+_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._
+
+## Upgrade Chart
+
+**Upgrading from < v3.4.0**
+Chart 3.4.0 deprecates support for Helm 2 and also removes the creation of the `gatekeeper-system` Namespace from within the chart. This follows Helm 3 Best Practices.
+
+Option 1:  
+A simple way to upgrade is to uninstall first and re-install with 3.4.0 or greater. 
+
+```console
+$ helm uninstall gatekeeper
+$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace
+
+```
+
+Option 2:  
+Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the original release, while keeping all of the resources. It then updates the annotations of the resources so that the new chart can import and manage them.
+
+```console
+$ helm_migrate.sh
+$ helm install -n gatekeeper-system gatekeeper gatekeeper/gatekeeper
+```
+
+**Upgrading from >= v3.4.0**
+```console
+$ helm upgrade -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper
+```
+
+_See [helm 2 to 3](https://helm.sh/docs/topics/v2_v3_migration/) for Helm 2 migration documentation._
+
+
+## Exempting Namespace
+
+The Helm chart automatically sets the Gatekeeper flag `--exempt-namespace={{ .Release.Namespace }}` in order to exempt the namespace where the chart is installed, and adds the `admission.gatekeeper.sh/ignore` label to the namespace during a post-install hook.
+
+_See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces) for more information._
+
+
 ## Parameters
 
 | Parameter                           | Description                                                                                                                                                                                            | Default                                                                   |
 | :---------------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ |
+| postInstall.labelNamespace.enabled  | Add labels to the namespace during post install hooks | true | 
+| postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | line/kubectl-kustomize |
+| postInstall.labelNamespace.image.tag | Image tag | 1.20.4-4.0.5 | 
+| postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | IfNotPresent | 
+| postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | [] | 
 | auditInterval                       | The frequency with which audit is run                                                                                                                                                                  | `60`                                                                      |
 | constraintViolationsLimit           | The maximum # of audit violations reported on a constraint                                                                                                                                             | `20`                                                                      |
 | auditFromCache                      | Take the roster of resources to audit from the OPA cache                                                                                                                                               | `false`                                                                   |
@@ -30,8 +96,7 @@
 | replicas                            | The number of Gatekeeper replicas to deploy for the webhook                                                                                                                                            | `3`                                                                       |
 | podAnnotations                      | The annotations to add to the Gatekeeper pods                                                                                                                                                          | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` |
 | podLabels                           | The labels to add to the Gatekeeper pods                                                                                                                                                               | `{}`                                                                      |
-| secretAnnotations                   | The annotations to add to the Gatekeeper secrets                                                                                                                                                       | `{}`                                                                      |
-| customResourceDefinitions.create    | Whether the release should install CRDs. Regardless of this value, Helm v3+ will install the CRDs if those are not present already. Use --skip-crds with helm install if you want to skip CRD creation | `true`                                                                    |
+| secretAnnotations                   | The annotations to add to the Gatekeeper secrets                                                                                                                                                       | `{}`                                                                      |                                                                 |
 | pdb.controllerManager.minAvailable  | The number of controller manager pods that must still be available after an eviction                                                                                                                   | 1                                                                         |
 
 ## Contributing Changes

cmd/build/helmify/static/templates/_helpers.tpl

@@ -1,14 +1,3 @@
-{{/*
-If createNamespace is set to true, sets the namespace to "gatekeeper-system"
-If createNamespace is set to false, sets the namespace to the {{ .Release.Namespace }}
-*/}}
-{{- define "gatekeeper.namespace" -}}
-{{- if .Values.createNamespace }}
-{{- printf "gatekeeper-system" }}
-{{- else }}
-{{- .Release.Namespace }}
-{{- end }}
-{{- end -}}
 
 {{/*
 Expand the name of the chart.

cmd/build/helmify/static/templates/namespace-post-install.yaml

@@ -0,0 +1,96 @@
+{{- if .Values.postInstall.labelNamespace.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: gatekeeper-update-namespace-label
+  labels:
+    app: '{{ template "gatekeeper.name" . }}'
+    chart: '{{ template "gatekeeper.name" . }}'
+    gatekeeper.sh/system: "yes"
+    heritage: '{{ .Release.Service }}'
+    release: '{{ .Release.Name }}'
+  annotations:
+    "helm.sh/hook": post-install
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+spec:
+  template:
+    metadata:
+      labels:
+        app: '{{ template "gatekeeper.name" . }}'
+        release: '{{ .Release.Name }}'
+    spec:
+      restartPolicy: OnFailure
+      {{- if .Values.postInstall.labelNamespace.image.pullSecrets }}
+      imagePullSecrets:
+      {{- .Values.postInstall.labelNamespace.image.pullSecrets | toYaml | nindent 12 }}
+      {{- end }}
+      serviceAccount: gatekeeper-update-namespace-label
+      containers:
+        - name: kubectl-label
+          image: "{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}"
+          imagePullPolicy: {{ .Values.postInstall.labelNamespace.image.pullPolicy }}
+          command:
+            - kubectl
+            - label
+            - ns
+            - {{ .Release.Namespace }}
+            - admission.gatekeeper.sh/ignore=no-self-managing
+            - --overwrite
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: gatekeeper-update-namespace-label
+  labels:
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+  annotations:
+    "helm.sh/hook": post-install
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: gatekeeper-update-namespace-label
+  labels:
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+  annotations:
+    "helm.sh/hook": post-install
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    verbs:
+      - get
+      - update
+      - patch
+    resourceNames:
+      - {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: gatekeeper-update-namespace-label
+  labels:
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+  annotations:
+    "helm.sh/hook": post-install
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: gatekeeper-update-namespace-label
+subjects:
+  - kind: ServiceAccount
+    name: gatekeeper-update-namespace-label
+    namespace: {{ .Release.Namespace | quote }}
+
+{{- end }}