From 5bd3d5244184806065d19932475ae5e4c0de9eaa Mon Sep 17 00:00:00 2001 From: Julian Dolce Date: Mon, 15 Mar 2021 14:15:51 -0400 Subject: [PATCH] feat: deprecate Helm 2 
Signed-off-by: Julian Dolce --- .github/workflows/upgrade.yaml | 2 +- .github/workflows/workflow.yaml | 2 +- Makefile | 49 ++++------ cmd/build/helmify/kustomization.yaml | 2 +- cmd/build/helmify/kustomize-for-helm.yaml | 2 +- cmd/build/helmify/main.go | 32 ++----- cmd/build/helmify/static/Chart.yaml | 2 +- cmd/build/helmify/static/README.md | 69 ++++++++++++- .../helmify/static/templates/_helpers.tpl | 11 --- cmd/build/helmify/static/templates/crds.yaml | 6 -- .../templates/namespace-post-install.yaml | 96 +++++++++++++++++++ cmd/build/helmify/static/values.yaml | 11 ++- helm_migrate.sh | 48 ++++++++++ manifest_staging/charts/gatekeeper/Chart.yaml | 2 +- manifest_staging/charts/gatekeeper/README.md | 69 ++++++++++++- .../charts/gatekeeper/templates/_helpers.tpl | 11 --- .../charts/gatekeeper/templates/crds.yaml | 6 -- .../gatekeeper-admin-serviceaccount.yaml | 2 +- .../gatekeeper-audit-deployment.yaml | 2 +- ...ekeeper-controller-manager-deployment.yaml | 4 +- ...ontroller-manager-poddisruptionbudget.yaml | 2 +- .../gatekeeper-manager-role-role.yaml | 2 +- ...anager-rolebinding-clusterrolebinding.yaml | 2 +- ...eeper-manager-rolebinding-rolebinding.yaml | 4 +- .../gatekeeper-system-namespace.yaml | 14 --- ...ration-validatingwebhookconfiguration.yaml | 4 +- ...gatekeeper-webhook-server-cert-secret.yaml | 2 +- .../gatekeeper-webhook-service-service.yaml | 2 +- .../templates/namespace-post-install.yaml | 96 +++++++++++++++++++ .../charts/gatekeeper/values.yaml | 11 ++- 30 files changed, 436 insertions(+), 131 deletions(-) delete mode 100644 cmd/build/helmify/static/templates/crds.yaml create mode 100644 cmd/build/helmify/static/templates/namespace-post-install.yaml create mode 100755 helm_migrate.sh delete mode 100644 manifest_staging/charts/gatekeeper/templates/crds.yaml delete mode 100644 manifest_staging/charts/gatekeeper/templates/gatekeeper-system-namespace.yaml create mode 100644 manifest_staging/charts/gatekeeper/templates/namespace-post-install.yaml 
diff --git a/.github/workflows/upgrade.yaml b/.github/workflows/upgrade.yaml index cbb639d6467..641ef01ec14 100644 --- a/.github/workflows/upgrade.yaml +++ b/.github/workflows/upgrade.yaml @@ -18,7 +18,7 @@ jobs: timeout-minutes: 15 strategy: matrix: - HELM_VERSION: ["2.17.0", "3.4.2"] + HELM_VERSION: ["3.4.2"] steps: - name: Check out code into the Go module directory uses: actions/checkout@v2 diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml index cf59c8245b5..735bce92202 100644 --- a/.github/workflows/workflow.yaml +++ b/.github/workflows/workflow.yaml @@ -133,7 +133,7 @@ jobs: timeout-minutes: 15 strategy: matrix: - HELM_VERSION: ["2.17.0", "3.4.2"] + HELM_VERSION: ["3.4.2"] GATEKEEPER_NAMESPACE: ["gatekeeper-system", "custom-namespace"] steps: - name: Check out code into the Go module directory diff --git a/Makefile b/Makefile index f3530a6755f..27ab585eb23 100644 --- a/Makefile +++ b/Makefile @@ -15,7 +15,7 @@ KUSTOMIZE_VERSION ?= 3.8.8 BATS_VERSION ?= 1.2.1 BATS_TESTS_FILE ?= test/bats/test.bats KUBECTL_KUSTOMIZE_VERSION ?= 1.20.1-${KUSTOMIZE_VERSION} -HELM_VERSION ?= 2.17.0 +HELM_VERSION ?= 3.4.2 HELM_ARGS ?= GATEKEEPER_NAMESPACE ?= gatekeeper-system 
@@ -123,42 +123,27 @@ e2e-helm-install: ./.staging/helm/linux-amd64/helm version --client e2e-helm-deploy: e2e-helm-install -ifneq ($(GATEKEEPER_NAMESPACE),gatekeeper-system) - kubectl create namespace $(GATEKEEPER_NAMESPACE) --dry-run=client -o yaml | kubectl apply -f - - kubectl label ns $(GATEKEEPER_NAMESPACE) admission.gatekeeper.sh/ignore=no-self-managing - kubectl label ns $(GATEKEEPER_NAMESPACE) gatekeeper.sh/system="yes" - $(eval HELM_ARGS := --namespace $(GATEKEEPER_NAMESPACE) --set createNamespace=false) -endif - - @if [ $$(echo ${HELM_VERSION} | head -c 1) = "2" ]; then\ - kubectl create clusterrolebinding tiller-admin --clusterrole=cluster-admin --serviceaccount=kube-system:default;\ - ./.staging/helm/linux-amd64/helm init --wait --history-max=5;\ - kubectl -n kube-system wait --for=condition=Ready pod -l name=tiller --timeout=300s;\ - ./.staging/helm/linux-amd64/helm install manifest_staging/charts/gatekeeper --name=gatekeeper --debug ${HELM_ARGS} --set image.repository=${HELM_REPO} --set image.release=${HELM_RELEASE} --set emitAdmissionEvents=true --set emitAuditEvents=true;\ - else\ - ./.staging/helm/linux-amd64/helm install manifest_staging/charts/gatekeeper --name-template=gatekeeper ${HELM_ARGS} --debug --set image.repository=${HELM_REPO} --set image.release=${HELM_RELEASE} --set emitAdmissionEvents=true --set emitAuditEvents=true;\ - fi; + ./.staging/helm/linux-amd64/helm install manifest_staging/charts/gatekeeper --name-template=gatekeeper -n ${GATEKEEPER_NAMESPACE} --create-namespace --debug \ + --set image.repository=${HELM_REPO} \ + --set image.release=${HELM_RELEASE} \ + --set emitAdmissionEvents=true \ + --set emitAuditEvents=true \ + --set postInstall.labelNamespace.enabled=true;\ e2e-helm-upgrade-init: e2e-helm-install - @if [ $$(echo ${HELM_VERSION} | head -c 1) = "2" ]; then\ - kubectl create clusterrolebinding tiller-admin --clusterrole=cluster-admin --serviceaccount=kube-system:default;\ - ./.staging/helm/linux-amd64/helm init --wait 
--history-max=5;\ - kubectl -n kube-system wait --for=condition=Ready pod -l name=tiller --timeout=300s;\ - ./.staging/helm/linux-amd64/helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts;\ - ./.staging/helm/linux-amd64/helm install gatekeeper/gatekeeper \ - --version ${BASE_RELEASE} --name gatekeeper \ - --set emitAdmissionEvents=true --set emitAuditEvents=true --debug --wait;\ - else\ ./.staging/helm/linux-amd64/helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts;\ - ./.staging/helm/linux-amd64/helm install gatekeeper/gatekeeper \ - --version ${BASE_RELEASE} --name-template gatekeeper \ - --set emitAdmissionEvents=true --set emitAuditEvents=true --debug --wait;\ - fi; + ./.staging/helm/linux-amd64/helm install gatekeeper gatekeeper/gatekeeper --version ${BASE_RELEASE} --debug --wait \ + --set emitAdmissionEvents=true \ + --set emitAuditEvents=true \ + --set customResourceDefinitions.create=false;\ e2e-helm-upgrade: - ./.staging/helm/linux-amd64/helm upgrade gatekeeper manifest_staging/charts/gatekeeper \ - --set image.repository=${HELM_REPO} --set image.release=${HELM_RELEASE} \ - --set emitAdmissionEvents=true --set emitAuditEvents=true --debug --wait;\ + ./helm_migrate.sh + ./.staging/helm/linux-amd64/helm install -n ${GATEKEEPER_NAMESPACE} gatekeeper manifest_staging/charts/gatekeeper --create-namespace --debug --wait \ + --set image.repository=${HELM_REPO} \ + --set image.release=${HELM_RELEASE} \ + --set emitAdmissionEvents=true \ + --set emitAuditEvents=true;\ # Build manager binary manager: generate diff --git a/cmd/build/helmify/kustomization.yaml b/cmd/build/helmify/kustomization.yaml index 373057259bf..49518475756 100644 --- a/cmd/build/helmify/kustomization.yaml +++ b/cmd/build/helmify/kustomization.yaml 
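Review bot: `./helm_migrate.sh` in the new `e2e-helm-upgrade` recipe runs with the script's defaults, so it stamps the old resources with `meta.helm.sh/release-namespace=gatekeeper-system`, while the install on the next line targets `-n ${GATEKEEPER_NAMESPACE}`; whenever the two differ, Helm's ownership check rejects the resources instead of adopting them. Passing the variable through, `NEW_NAMESPACE=${GATEKEEPER_NAMESPACE} ./helm_migrate.sh`, keeps them in step (the base release in `e2e-helm-upgrade-init` is installed without `-n`, so `RELEASE_NAMESPACE` presumably needs the same treatment if that job ever runs outside the kube context's default namespace). As a point of style, all three recipes now end with `;\` on their last `--set` line, which continues the recipe into the blank line that follows; dropping the trailing `;\` makes each recipe end where it reads as ending. `HELM_ARGS` is no longer referenced by these recipes, so its `?=` default near the top of the file is dead unless something outside this hunk still uses it.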
@@ -1,4 +1,4 @@ -namespace: '{{ include "gatekeeper.namespace" . }}' +namespace: "{{ .Release.Namespace }}" commonLabels: app: '{{ template "gatekeeper.name" . }}' chart: '{{ template "gatekeeper.name" . }}' diff --git a/cmd/build/helmify/kustomize-for-helm.yaml b/cmd/build/helmify/kustomize-for-helm.yaml index 5819bbb8e27..29bbc4950bc 100644 --- a/cmd/build/helmify/kustomize-for-helm.yaml +++ b/cmd/build/helmify/kustomize-for-helm.yaml @@ -64,7 +64,7 @@ spec: - --log-denies={{ .Values.logDenies }} - --emit-admission-events={{ .Values.emitAdmissionEvents }} - --log-level={{ .Values.logLevel }} - - --exempt-namespace={{ include "gatekeeper.namespace" . }} + - --exempt-namespace={{ .Release.Namespace }} - --operation=webhook imagePullPolicy: "{{ .Values.image.pullPolicy }}" image: "{{ .Values.image.repository }}:{{ .Values.image.release }}" diff --git a/cmd/build/helmify/main.go b/cmd/build/helmify/main.go index 75ee472b3f0..f55c13bad11 100644 --- a/cmd/build/helmify/main.go +++ b/cmd/build/helmify/main.go @@ -15,8 +15,7 @@ import ( ) var ( - outputDir = flag.String("output-dir", "manifest_staging/charts/gatekeeper", "The root directory in which to write the Helm chart") - useCRDsDir = flag.Bool("use-crds-dir", true, `Use the "crds" subdirectory, which requires Helm v3`) + outputDir = flag.String("output-dir", "manifest_staging/charts/gatekeeper", "The root directory in which to write the Helm chart") ) var kindRegex = regexp.MustCompile(`(?m)^kind:[\s]+([\S]+)[\s]*$`) 
@@ -40,13 +39,6 @@ func extractName(s string) (string, error) { return strings.Trim(matches[1], `"'`), nil } -//extractNamespaceName returns the default "gatekeeper-system" namespace. -//Because the namespace is '{{ include "gatekeeper.namespace" . }}' it fails to be found in extractName. -//There should only ever be 1 Namespace so this should be safe -func extractNamespaceName(s string) (string, error) { - return "gatekeeper-system", nil -} - func extractCRDKind(obj string) (string, error) { crd := &apiextensionsv1beta1.CustomResourceDefinition{} if err := yaml.Unmarshal([]byte(obj), crd); err != nil { @@ -80,16 +72,16 @@ func (ks *kindSet) Write() error { nameExtractor := extractName if kind == "CustomResourceDefinition" { nameExtractor = extractCRDKind - if *useCRDsDir { - subPath = "crds" - parentDir := path.Join(*outputDir, subPath) - fmt.Printf("Making %s\n", parentDir) - if err := os.Mkdir(parentDir, 0750); err != nil { - return err - } + subPath = "crds" + parentDir := path.Join(*outputDir, subPath) + fmt.Printf("Making %s\n", parentDir) + if err := os.Mkdir(parentDir, 0750); err != nil { + return err } - } else if kind == "Namespace" { - nameExtractor = extractNamespaceName + } + + if kind == "Namespace" { + continue } for _, obj := range objs { @@ -105,10 +97,6 @@ func (ks *kindSet) Write() error { obj = "{{- if not .Values.disableValidatingWebhook }}\n" + obj + "{{- end }}\n" } - if name == "gatekeeper-system" { - obj = "{{- if .Values.createNamespace }}\n" + obj + "{{- end }}\n" - } - if kind == "Deployment" { obj = strings.Replace(obj, " labels:", " labels:\n{{- include \"gatekeeper.podLabels\" . }}", 1) } diff --git a/cmd/build/helmify/static/Chart.yaml b/cmd/build/helmify/static/Chart.yaml index 6e1c8dcc2a9..6062e4a9b99 100644 --- a/cmd/build/helmify/static/Chart.yaml +++ b/cmd/build/helmify/static/Chart.yaml @@ -1,4 +1,4 @@ -apiVersion: v1 +apiVersion: v2 description: A Helm chart for Gatekeeper name: gatekeeper keywords: 
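Review bot: The new `if kind == "Namespace" { continue }` in `Write` silently drops every Namespace manifest from the generated chart and nothing says why; a one-line comment such as `// Namespace manifests are skipped: the chart installs into .Release.Namespace, which the user supplies (or helm creates with --create-namespace).` would keep the next reader from treating it as a bug. The now-unconditional `os.Mkdir(parentDir, 0750)` still fails when `crds` already exists, a path that was previously only reachable with `--use-crds-dir`; unless `Write` always runs against a fresh output tree (not visible here), `os.MkdirAll` is the safer call. `Write` begins and ends outside this hunk.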
diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md
index 328395de24f..51045ce520e 100644
--- a/cmd/build/helmify/static/README.md
+++ b/cmd/build/helmify/static/README.md
@@ -1,9 +1,75 @@ # Gatekeeper Helm Chart +## Get Repo Info + +```console +helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Install Chart + +```console +# Helm install with gatekeeper-system namespace already created +$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper + +# Helm install and create namespace +$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace + +``` + +_See [parameters](#parameters) below._ + +_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ + +## Upgrade Chart + +**Upgrading from < v3.4.0** +Chart 3.4.0 deprecates support for Helm 2 and also removes the creation of the `gatekeeper-system` Namespace from within the chart. This follows Helm 3 Best Practices. + +Option 1: +A simple way to upgrade is to uninstall first and re-install with 3.4.0 or greater. + +```console +$ helm uninstall gatekeeper +$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace + +``` + +Option 2: +Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the original release, while keeping all of the resources. It then updates the annotations of the resources so that the new chart can import and manage them. 
+ +```console +$ helm_migrate.sh +$ helm install -n gatekeeper-system gatekeeper gatekeeper/gatekeeper +``` + +**Upgrading from >= v3.4.0** +```console +$ helm upgrade -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper +``` + +_See [helm 2 to 3](https://helm.sh/docs/topics/v2_v3_migration/) for Helm 2 migration documentation._ + + +## Exempting Namespace + +The Helm chart automatically sets the Gatekeeper flag `--exempt-namespace={{ .Release.Namespace }}` in order to exempt the namespace where the chart is installed, and adds the `admission.gatekeeper.sh/ignore` label to the namespace during a post-install hook. + +_See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces) for more information._ + + ## Parameters | Parameter | Description | Default | | :---------------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ | +| postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | true | +| postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | line/kubectl-kustomize | +| postInstall.labelNamespace.image.tag | Image tag | 1.20.4-4.0.5 | +| postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | IfNotPresent | +| postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | [] | | auditInterval | The frequency with which audit is run | `60` | | constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` | | auditFromCache | Take the roster of resources to audit from the OPA cache | `false` | 
@@ -30,8 +96,7 @@ | replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` | | podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` | | podLabels | The labels to add to the Gatekeeper pods | `{}` | -| secretAnnotations | The annotations to add to the Gatekeeper secrets | `{}` | -| customResourceDefinitions.create | Whether the release should install CRDs. Regardless of this value, Helm v3+ will install the CRDs if those are not present already. Use --skip-crds with helm install if you want to skip CRD creation | `true` | +| secretAnnotations | The annotations to add to the Gatekeeper secrets | `{}` | | | pdb.controllerManager.minAvailable | The number of controller manager pods that must still be available after an eviction | 1 | ## Contributing Changes diff --git a/cmd/build/helmify/static/templates/_helpers.tpl b/cmd/build/helmify/static/templates/_helpers.tpl index 9c68e63f914..0ba50e64034 100644 --- a/cmd/build/helmify/static/templates/_helpers.tpl +++ b/cmd/build/helmify/static/templates/_helpers.tpl @@ -1,14 +1,3 @@ -{{/* -If createNamespace is set to true, sets the namespace to "gatekeeper-system" -If createNamespace is set to false, sets the namespace to the {{ .Release.Namespace }} -*/}} -{{- define "gatekeeper.namespace" -}} -{{- if .Values.createNamespace }} -{{- printf "gatekeeper-system" }} -{{- else }} -{{- .Release.Namespace }} -{{- end }} -{{- end -}} {{/* Expand the name of the chart. diff --git a/cmd/build/helmify/static/templates/crds.yaml b/cmd/build/helmify/static/templates/crds.yaml deleted file mode 100644 index 46d2ef3cb44..00000000000 --- a/cmd/build/helmify/static/templates/crds.yaml +++ /dev/null @@ -1,6 +0,0 @@ -{{- if .Values.customResourceDefinitions.create }} -{{- range $path, $bytes := .Files.Glob "crds/*.yaml" }} -{{ $.Files.Get $path }} ---- -{{- end }} -{{- end }} 
diff --git a/cmd/build/helmify/static/templates/namespace-post-install.yaml b/cmd/build/helmify/static/templates/namespace-post-install.yaml
new file mode 100644
index 00000000000..da57d381b41
--- /dev/null
+++ b/cmd/build/helmify/static/templates/namespace-post-install.yaml
@@ -0,0 +1,96 @@
+{{- if .Values.postInstall.labelNamespace.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: gatekeeper-update-namespace-label
+ labels:
+ app: '{{ template "gatekeeper.name" . }}'
+ chart: '{{ template "gatekeeper.name" . }}'
+ gatekeeper.sh/system: "yes"
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
+ annotations:
+ "helm.sh/hook": post-install
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+spec:
+ template:
+ metadata:
+ labels:
+ app: '{{ template "gatekeeper.name" . }}'
+ release: '{{ .Release.Name }}'
+ spec:
+ restartPolicy: OnFailure
+ {{- if .Values.postInstall.labelNamespace.image.pullSecrets }}
+ imagePullSecrets:
+ {{- .Values.postInstall.labelNamespace.image.pullSecrets | toYaml | nindent 12 }}
+ {{- end }}
+ serviceAccount: gatekeeper-update-namespace-label
+ containers:
+ - name: kubectl-label
+ image: "{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}"
+ imagePullPolicy: {{ .Values.postInstall.labelNamespace.image.pullPolicy }}
+ command:
+ - kubectl
+ - label
+ - ns
+ - {{ .Release.Namespace }}
+ - admission.gatekeeper.sh/ignore=no-self-managing
+ - --overwrite
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: gatekeeper-update-namespace-label
+ labels:
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ annotations:
+ "helm.sh/hook": post-install
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: gatekeeper-update-namespace-label
+ labels:
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ annotations:
+ "helm.sh/hook": post-install
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - update
+ - 
patch + resourceNames: + - {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gatekeeper-update-namespace-label + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: gatekeeper-update-namespace-label +subjects: + - kind: ServiceAccount + name: gatekeeper-update-namespace-label + namespace: {{ .Release.Namespace | quote }} + +{{- end }} diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml index dcbe43d12e1..fedb4d46cfe 100644 --- a/cmd/build/helmify/static/values.yaml +++ b/cmd/build/helmify/static/values.yaml @@ -2,7 +2,6 @@ replicas: 3 auditInterval: 60 constraintViolationsLimit: 20 auditFromCache: false -createNamespace: true disableValidatingWebhook: false validatingWebhookTimeoutSeconds: 3 enableDeleteOperations: false @@ -11,6 +10,14 @@ logLevel: INFO logDenies: false emitAdmissionEvents: false emitAuditEvents: false +postInstall: + labelNamespace: + enabled: true + image: + repository: line/kubectl-kustomize + tag: 1.20.4-4.0.5 + pullPolicy: IfNotPresent + pullSecrets: [] image: repository: openpolicyagent/gatekeeper release: v3.4.0-rc.1 @@ -57,8 +64,6 @@ audit: requests: cpu: 100m memory: 256Mi -customResourceDefinitions: - create: true pdb: controllerManager: minAvailable: 1 diff --git a/helm_migrate.sh b/helm_migrate.sh new file mode 100755 index 00000000000..01c25cd4352 --- /dev/null +++ b/helm_migrate.sh 
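Review bot: The hook pod uses `serviceAccount: gatekeeper-update-namespace-label`, the deprecated alias of `serviceAccountName`; the API server still honors it, but a new template should write `serviceAccountName: gatekeeper-update-namespace-label` so the binding to the Role below is explicit. That Role is well scoped (`namespaces` get/update/patch, limited by `resourceNames` to the release namespace), but it is exercised by a third-party image pinned only by a mutable tag (`line/kubectl-kustomize:1.20.4-4.0.5` in values.yaml); pinning by digest, or at least noting in the parameter docs that operators may want to, bounds what a tag change can do with those rights. The `kubectl-label` container also carries no `securityContext` (runAsNonRoot, readOnlyRootFilesystem, drop all capabilities), which would bring it in line with whatever hardening the chart's long-running pods set — their pod specs are not in this patch, so I cannot confirm what that is. With `hook-delete-policy: hook-succeeded,before-hook-creation`, a failed Job leaves the ServiceAccount, Role and RoleBinding in place until the next install, which helps debugging but deserves a one-line comment in the template.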
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# Delete the Helm release secret but keeps the resources
+# Updates the annotations so the resources can be imported by re-installed chart.
+
+
+RELEASE_NAMESPACE=${RELEASE_NAMESPACE:-default}
+RELEASE_NAME=${RELEASE_NAME:-gatekeeper}
+NEW_NAMESPACE=${NEW_NAMESPACE:-gatekeeper-system}
+
+
+
+kubectl -n ${RELEASE_NAMESPACE} delete secrets --field-selector type=helm.sh/release.v1 -l name=${RELEASE_NAME} || true
+kubectl annotate --overwrite psp gatekeeper-admin meta.helm.sh/release-name=${RELEASE_NAME} || true
+kubectl annotate --overwrite psp gatekeeper-admin meta.helm.sh/release-namespace=${NEW_NAMESPACE} || true
+
+kubectl annotate --overwrite clusterrole gatekeeper-manager-role meta.helm.sh/release-name=${RELEASE_NAME} || true
+kubectl annotate --overwrite clusterrole gatekeeper-manager-role meta.helm.sh/release-namespace=${NEW_NAMESPACE} || true
+
+kubectl annotate --overwrite clusterrolebinding gatekeeper-manager-rolebinding meta.helm.sh/release-name=${RELEASE_NAME} || true
+kubectl annotate --overwrite clusterrolebinding gatekeeper-manager-rolebinding meta.helm.sh/release-namespace=${NEW_NAMESPACE} || true
+
+kubectl annotate --overwrite ValidatingWebhookConfiguration gatekeeper-validating-webhook-configuration meta.helm.sh/release-name=${RELEASE_NAME} || true
+kubectl annotate --overwrite ValidatingWebhookConfiguration gatekeeper-validating-webhook-configuration meta.helm.sh/release-namespace=${NEW_NAMESPACE} || true
+
+kubectl annotate --overwrite -n gatekeeper-system sa gatekeeper-admin meta.helm.sh/release-name=${RELEASE_NAME} || true
+kubectl annotate --overwrite -n gatekeeper-system sa gatekeeper-admin meta.helm.sh/release-namespace=${NEW_NAMESPACE} || true
+
+kubectl annotate --overwrite -n gatekeeper-system secret gatekeeper-webhook-server-cert meta.helm.sh/release-name=${RELEASE_NAME} || true
+kubectl annotate --overwrite -n gatekeeper-system secret gatekeeper-webhook-server-cert 
meta.helm.sh/release-namespace=${NEW_NAMESPACE} || true
+
+kubectl annotate --overwrite -n gatekeeper-system role gatekeeper-manager-role meta.helm.sh/release-name=${RELEASE_NAME} || true
+kubectl annotate --overwrite -n gatekeeper-system role gatekeeper-manager-role meta.helm.sh/release-namespace=${NEW_NAMESPACE} || true
+
+kubectl annotate --overwrite -n gatekeeper-system rolebinding gatekeeper-manager-rolebinding meta.helm.sh/release-name=${RELEASE_NAME} || true
+kubectl annotate --overwrite -n gatekeeper-system rolebinding gatekeeper-manager-rolebinding meta.helm.sh/release-namespace=${NEW_NAMESPACE} || true
+
+kubectl annotate --overwrite -n gatekeeper-system service gatekeeper-webhook-service meta.helm.sh/release-name=${RELEASE_NAME} || true
+kubectl annotate --overwrite -n gatekeeper-system service gatekeeper-webhook-service meta.helm.sh/release-namespace=${NEW_NAMESPACE} || true
+
+kubectl annotate --overwrite -n gatekeeper-system deployment gatekeeper-audit meta.helm.sh/release-name=${RELEASE_NAME} || true
+kubectl annotate --overwrite -n gatekeeper-system deployment gatekeeper-audit meta.helm.sh/release-namespace=${NEW_NAMESPACE} || true
+
+kubectl annotate --overwrite -n gatekeeper-system deployment gatekeeper-controller-manager meta.helm.sh/release-name=${RELEASE_NAME} || true
+kubectl annotate --overwrite -n gatekeeper-system deployment gatekeeper-controller-manager meta.helm.sh/release-namespace=${NEW_NAMESPACE} || true
+
+kubectl annotate --overwrite -n gatekeeper-system PodDisruptionBudget gatekeeper-controller-manager meta.helm.sh/release-name=${RELEASE_NAME} || true
+kubectl annotate --overwrite -n gatekeeper-system PodDisruptionBudget gatekeeper-controller-manager meta.helm.sh/release-namespace=${NEW_NAMESPACE} || true
diff --git a/manifest_staging/charts/gatekeeper/Chart.yaml b/manifest_staging/charts/gatekeeper/Chart.yaml
index 6e1c8dcc2a9..6062e4a9b99 100644
--- a/manifest_staging/charts/gatekeeper/Chart.yaml
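Review bot: The script deletes the release secret first and only then annotates the resources, with `|| true` on every line, so a failure part-way (RBAC, a resource under a different name) leaves the cluster with no Helm release record and only some resources re-annotated, while the exit status still reports success; annotating first and moving `kubectl -n ${RELEASE_NAMESPACE} delete secrets --field-selector type=helm.sh/release.v1 -l name=${RELEASE_NAME}` to the end without its `|| true` keeps the old release recoverable until everything else has succeeded. Every namespaced resource is also hard-coded to `-n gatekeeper-system` while `RELEASE_NAMESPACE` and `NEW_NAMESPACE` are configurable, so a release that was installed elsewhere is silently skipped; an `OLD_NAMESPACE=${OLD_NAMESPACE:-gatekeeper-system}` used in place of the literal would match the rest of the script. Helm's ownership check (3.2 and later) also expects the `app.kubernetes.io/managed-by=Helm` label on each resource, and the chart templates visible in this patch set only `app`/`chart`/`heritage`/`release` labels; resources created by a Helm 3.2+ install already carry it, but if the script is meant to cover releases created by Helm 2 a matching `kubectl label --overwrite ... app.kubernetes.io/managed-by=Helm` per resource is needed. Quoting the `${...}` expansions and adding `set -u` below the shebang would make the defaults at the top of the script robust to unexpected input.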
+++ b/manifest_staging/charts/gatekeeper/Chart.yaml @@ -1,4 +1,4 @@ -apiVersion: v1 +apiVersion: v2 description: A Helm chart for Gatekeeper name: gatekeeper keywords: diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md index 328395de24f..51045ce520e 100644 --- a/manifest_staging/charts/gatekeeper/README.md +++ b/manifest_staging/charts/gatekeeper/README.md 
@@ -1,9 +1,75 @@ # Gatekeeper Helm Chart +## Get Repo Info + +```console +helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Install Chart + +```console +# Helm install with gatekeeper-system namespace already created +$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper + +# Helm install and create namespace +$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace + +``` + +_See [parameters](#parameters) below._ + +_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ + +## Upgrade Chart + +**Upgrading from < v3.4.0** +Chart 3.4.0 deprecates support for Helm 2 and also removes the creation of the `gatekeeper-system` Namespace from within the chart. This follows Helm 3 Best Practices. + +Option 1: +A simple way to upgrade is to uninstall first and re-install with 3.4.0 or greater. + +```console +$ helm uninstall gatekeeper +$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace + +``` + +Option 2: +Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the original release, while keeping all of the resources. It then updates the annotations of the resources so that the new chart can import and manage them. 
+ +```console +$ helm_migrate.sh +$ helm install -n gatekeeper-system gatekeeper gatekeeper/gatekeeper +``` + +**Upgrading from >= v3.4.0** +```console +$ helm upgrade -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper +``` + +_See [helm 2 to 3](https://helm.sh/docs/topics/v2_v3_migration/) for Helm 2 migration documentation._ + + +## Exempting Namespace + +The Helm chart automatically sets the Gatekeeper flag `--exempt-namespace={{ .Release.Namespace }}` in order to exempt the namespace where the chart is installed, and adds the `admission.gatekeeper.sh/ignore` label to the namespace during a post-install hook. + +_See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces) for more information._ + + ## Parameters | Parameter | Description | Default | | :---------------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ | +| postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | true | +| postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | line/kubectl-kustomize | +| postInstall.labelNamespace.image.tag | Image tag | 1.20.4-4.0.5 | +| postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | IfNotPresent | +| postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | [] | | auditInterval | The frequency with which audit is run | `60` | | constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` | | auditFromCache | Take the roster of resources to audit from the OPA cache | `false` | 
@@ -30,8 +96,7 @@ | replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` | | podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` | | podLabels | The labels to add to the Gatekeeper pods | `{}` | -| secretAnnotations | The annotations to add to the Gatekeeper secrets | `{}` | -| customResourceDefinitions.create | Whether the release should install CRDs. Regardless of this value, Helm v3+ will install the CRDs if those are not present already. Use --skip-crds with helm install if you want to skip CRD creation | `true` | +| secretAnnotations | The annotations to add to the Gatekeeper secrets | `{}` | | | pdb.controllerManager.minAvailable | The number of controller manager pods that must still be available after an eviction | 1 | ## Contributing Changes diff --git a/manifest_staging/charts/gatekeeper/templates/_helpers.tpl b/manifest_staging/charts/gatekeeper/templates/_helpers.tpl index 9c68e63f914..0ba50e64034 100644 --- a/manifest_staging/charts/gatekeeper/templates/_helpers.tpl +++ b/manifest_staging/charts/gatekeeper/templates/_helpers.tpl @@ -1,14 +1,3 @@ -{{/* -If createNamespace is set to true, sets the namespace to "gatekeeper-system" -If createNamespace is set to false, sets the namespace to the {{ .Release.Namespace }} -*/}} -{{- define "gatekeeper.namespace" -}} -{{- if .Values.createNamespace }} -{{- printf "gatekeeper-system" }} -{{- else }} -{{- .Release.Namespace }} -{{- end }} -{{- end -}} {{/* Expand the name of the chart. diff --git a/manifest_staging/charts/gatekeeper/templates/crds.yaml b/manifest_staging/charts/gatekeeper/templates/crds.yaml deleted file mode 100644 index 46d2ef3cb44..00000000000 --- a/manifest_staging/charts/gatekeeper/templates/crds.yaml +++ /dev/null 
@@ -1,6 +0,0 @@ -{{- if .Values.customResourceDefinitions.create }} -{{- range $path, $bytes := .Files.Glob "crds/*.yaml" }} -{{ $.Files.Get $path }} ---- -{{- end }} -{{- end }} diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-admin-serviceaccount.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-admin-serviceaccount.yaml index e110bd9300b..4b68998cb48 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-admin-serviceaccount.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-admin-serviceaccount.yaml @@ -8,4 +8,4 @@ metadata: heritage: '{{ .Release.Service }}' release: '{{ .Release.Name }}' name: gatekeeper-admin - namespace: '{{ include "gatekeeper.namespace" . }}' + namespace: '{{ .Release.Namespace }}' diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml index f99bea0be1e..57e086e7a30 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml @@ -10,7 +10,7 @@ metadata: heritage: '{{ .Release.Service }}' release: '{{ .Release.Name }}' name: gatekeeper-audit - namespace: '{{ include "gatekeeper.namespace" . }}' + namespace: '{{ .Release.Namespace }}' spec: replicas: 1 selector: diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml index da8d868b4ec..57eb0168f1a 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml 
@@ -10,7 +10,7 @@ metadata:
     heritage: '{{ .Release.Service }}'
     release: '{{ .Release.Name }}'
   name: gatekeeper-controller-manager
-  namespace: '{{ include "gatekeeper.namespace" . }}'
+  namespace: '{{ .Release.Namespace }}'
 spec:
   replicas: {{ .Values.replicas }}
   selector:
@@ -46,7 +46,7 @@ spec:
         - --log-denies={{ .Values.logDenies }}
         - --emit-admission-events={{ .Values.emitAdmissionEvents }}
         - --log-level={{ .Values.logLevel }}
-        - --exempt-namespace={{ include "gatekeeper.namespace" . }}
+        - --exempt-namespace={{ .Release.Namespace }}
         - --operation=webhook
         command:
         - /manager
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml
index f33c454ee32..258a42f340e 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml
@@ -8,7 +8,7 @@ metadata:
     heritage: '{{ .Release.Service }}'
     release: '{{ .Release.Name }}'
   name: gatekeeper-controller-manager
-  namespace: '{{ include "gatekeeper.namespace" . }}'
+  namespace: '{{ .Release.Namespace }}'
 spec:
   minAvailable: {{ .Values.pdb.controllerManager.minAvailable }}
   selector:
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-role-role.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-role-role.yaml
index 28617a41028..73e2c5cf701 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-role-role.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-role-role.yaml
@@ -9,7 +9,7 @@ metadata:
     heritage: '{{ .Release.Service }}'
     release: '{{ .Release.Name }}'
   name: gatekeeper-manager-role
-  namespace: '{{ include "gatekeeper.namespace" . }}'
+  namespace: '{{ .Release.Namespace }}'
 rules:
 - apiGroups:
   - ""
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml
index 0dfdfe57681..22194d2ad25 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml
@@ -15,4 +15,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: gatekeeper-admin
-  namespace: '{{ include "gatekeeper.namespace" . }}'
+  namespace: '{{ .Release.Namespace }}'
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-rolebinding.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-rolebinding.yaml
index 9b3ecfcab3c..4bf6087dcec 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-rolebinding.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-rolebinding.yaml
@@ -8,7 +8,7 @@ metadata:
     heritage: '{{ .Release.Service }}'
     release: '{{ .Release.Name }}'
   name: gatekeeper-manager-rolebinding
-  namespace: '{{ include "gatekeeper.namespace" . }}'
+  namespace: '{{ .Release.Namespace }}'
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -16,4 +16,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: gatekeeper-admin
-  namespace: '{{ include "gatekeeper.namespace" . }}'
+  namespace: '{{ .Release.Namespace }}'
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-system-namespace.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-system-namespace.yaml
deleted file mode 100644
index 9e6f1cc688a..00000000000
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-system-namespace.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-{{- if .Values.createNamespace }}
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    admission.gatekeeper.sh/ignore: no-self-managing
-    app: '{{ template "gatekeeper.name" . }}'
-    chart: '{{ template "gatekeeper.name" . }}'
-    control-plane: controller-manager
-    gatekeeper.sh/system: "yes"
-    heritage: '{{ .Release.Service }}'
-    release: '{{ .Release.Name }}'
-  name: '{{ include "gatekeeper.namespace" . }}'
-{{- end }}
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
index b4c381792c0..dfa23a33500 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
@@ -14,7 +14,7 @@ webhooks:
     caBundle: Cg==
     service:
       name: gatekeeper-webhook-service
-      namespace: '{{ include "gatekeeper.namespace" . }}'
+      namespace: '{{ .Release.Namespace }}'
       path: /v1/admit
   failurePolicy: Ignore
   name: validation.gatekeeper.sh
@@ -41,7 +41,7 @@ webhooks:
     caBundle: Cg==
     service:
       name: gatekeeper-webhook-service
-      namespace: '{{ include "gatekeeper.namespace" . }}'
+      namespace: '{{ .Release.Namespace }}'
       path: /v1/admitlabel
   failurePolicy: Fail
   name: check-ignore-label.gatekeeper.sh
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-webhook-server-cert-secret.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-webhook-server-cert-secret.yaml
index 48f92640760..d6e906a995d 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-webhook-server-cert-secret.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-webhook-server-cert-secret.yaml
@@ -9,4 +9,4 @@ metadata:
     heritage: '{{ .Release.Service }}'
     release: '{{ .Release.Name }}'
   name: gatekeeper-webhook-server-cert
-  namespace: '{{ include "gatekeeper.namespace" . }}'
+  namespace: '{{ .Release.Namespace }}'
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-webhook-service-service.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-webhook-service-service.yaml
index a37cb1af254..473bc4b254f 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-webhook-service-service.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-webhook-service-service.yaml
@@ -8,7 +8,7 @@ metadata:
     heritage: '{{ .Release.Service }}'
     release: '{{ .Release.Name }}'
   name: gatekeeper-webhook-service
-  namespace: '{{ include "gatekeeper.namespace" . }}'
+  namespace: '{{ .Release.Namespace }}'
 spec:
   ports:
   - port: 443
diff --git a/manifest_staging/charts/gatekeeper/templates/namespace-post-install.yaml b/manifest_staging/charts/gatekeeper/templates/namespace-post-install.yaml
new file mode 100644
index 00000000000..da57d381b41
--- /dev/null
+++ b/manifest_staging/charts/gatekeeper/templates/namespace-post-install.yaml
@@ -0,0 +1,96 @@
+{{- if .Values.postInstall.labelNamespace.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: gatekeeper-update-namespace-label
+  labels:
+    app: '{{ template "gatekeeper.name" . }}'
+    chart: '{{ template "gatekeeper.name" . }}'
+    gatekeeper.sh/system: "yes"
+    heritage: '{{ .Release.Service }}'
+    release: '{{ .Release.Name }}'
+  annotations:
+    "helm.sh/hook": post-install
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+spec:
+  template:
+    metadata:
+      labels:
+        app: '{{ template "gatekeeper.name" . }}'
+        release: '{{ .Release.Name }}'
+    spec:
+      restartPolicy: OnFailure
+      {{- if .Values.postInstall.labelNamespace.image.pullSecrets }}
+      imagePullSecrets:
+      {{- .Values.postInstall.labelNamespace.image.pullSecrets | toYaml | nindent 12 }}
+      {{- end }}
+      serviceAccount: gatekeeper-update-namespace-label
+      containers:
+        - name: kubectl-label
+          image: "{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}"
+          imagePullPolicy: {{ .Values.postInstall.labelNamespace.image.pullPolicy }}
+          command:
+            - kubectl
+            - label
+            - ns
+            - {{ .Release.Namespace }}
+            - admission.gatekeeper.sh/ignore=no-self-managing
+            - --overwrite
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: gatekeeper-update-namespace-label
+  labels:
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+  annotations:
+    "helm.sh/hook": post-install
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: gatekeeper-update-namespace-label
+  labels:
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+  annotations:
+    "helm.sh/hook": post-install
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    verbs:
+      - get
+      - update
+      - patch
+    resourceNames:
+      - {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: gatekeeper-update-namespace-label
+  labels:
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+  annotations:
+    "helm.sh/hook": post-install
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: gatekeeper-update-namespace-label
+subjects:
+  - kind: ServiceAccount
+    name: gatekeeper-update-namespace-label
+    namespace: {{ .Release.Namespace | quote }}
+
+{{- end }}
diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml
index dcbe43d12e1..fedb4d46cfe 100644
--- a/manifest_staging/charts/gatekeeper/values.yaml
+++ b/manifest_staging/charts/gatekeeper/values.yaml
@@ -2,7 +2,6 @@ replicas: 3
 auditInterval: 60
 constraintViolationsLimit: 20
 auditFromCache: false
-createNamespace: true
 disableValidatingWebhook: false
 validatingWebhookTimeoutSeconds: 3
 enableDeleteOperations: false
@@ -11,6 +10,14 @@ logLevel: INFO
 logDenies: false
 emitAdmissionEvents: false
 emitAuditEvents: false
+postInstall:
+  labelNamespace:
+    enabled: true
+    image:
+      repository: line/kubectl-kustomize
+      tag: 1.20.4-4.0.5
+      pullPolicy: IfNotPresent
+      pullSecrets: []
 image:
   repository: openpolicyagent/gatekeeper
   release: v3.4.0-rc.1
@@ -57,8 +64,6 @@ audit:
       requests:
         cpu: 100m
         memory: 256Mi
-customResourceDefinitions:
-  create: true
 pdb:
   controllerManager:
     minAvailable: 1
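Review bot: The Job's pod spec uses the deprecated `serviceAccount:` field; the current field is `serviceAccountName: gatekeeper-update-namespace-label`, and the deprecated alias is exactly the kind of thing a strict admission policy or a future API server will reject. The release namespace is also quoted inconsistently across the new file: the RoleBinding uses `namespace: {{ .Release.Namespace | quote }}` while the Job command argument `- {{ .Release.Namespace }}` and the Role's `resourceNames` entry are bare, and since a namespace name is a DNS label it can be purely numeric, which YAML would type as an integer and make the string-typed `command` list fail to apply — use `| quote` in all three places. The hook is `post-install` only, so if the `admission.gatekeeper.sh/ignore` label is later removed from the namespace a `helm upgrade` will not restore it; if that is intended, a comment such as `{{/* runs only on first install; the label is not re-applied on upgrade */}}` at the top of the file would make it explicit, otherwise `"helm.sh/hook": post-install,post-upgrade` would. The Role's `resourceNames` restriction to the release namespace is the right least-privilege scope for a hook that only needs to patch one object.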
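Review bot: The new `postInstall.labelNamespace.image` block pulls a third-party image (`line/kubectl-kustomize` at `tag: 1.20.4-4.0.5`) that then runs with RBAC able to update the release namespace, and because the template composes `repository:tag` there is no way for an operator to pin it by digest; either support a digest form in the image reference or document the expectation. A comment above `postInstall:` such as `# Image run by the post-install Job that labels the release namespace; mirror it internally or pin the tag/digest in production clusters.` would make the trust boundary visible to anyone reviewing values. It would also help to note next to `enabled: true` that turning the hook off means the `admission.gatekeeper.sh/ignore=no-self-managing` label must be applied to the namespace some other way, since the former `gatekeeper-system-namespace.yaml` template that set it is removed in this commit.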