allow helm chart to override failurePolicy (#1417)

Signed-off-by: Heba Elayoty <hebaelayoty@gmail.com> Co-authored-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com> Co-authored-by: Max Smythe <smythe@google.com>
open-policy-agent · Jul 10, 2021 · b791188 · b791188
1 parent d9495ad
commit b791188
Show file tree

Hide file tree

Showing 7 changed files with 16 additions and 2 deletions.
diff --git a/cmd/build/helmify/kustomize-for-helm.yaml b/cmd/build/helmify/kustomize-for-helm.yaml
@@ -148,6 +148,7 @@ webhooks:
       path: /v1/admit
   name: validation.gatekeeper.sh
   timeoutSeconds: HELMSUBST_VALIDATING_WEBHOOK_TIMEOUT
+  failurePolicy: HELMSUBST_VALIDATING_WEBHOOK_FAILURE_POLICY
   rules:
   - apiGroups:
     - "*"
@@ -163,6 +164,7 @@ webhooks:
       path: /v1/admitlabel
   name: check-ignore-label.gatekeeper.sh
   timeoutSeconds: HELMSUBST_VALIDATING_WEBHOOK_TIMEOUT
+  failurePolicy: HELMSUBST_VALIDATING_WEBHOOK_CHECK_IGNORE_FAILURE_POLICY
 ---
 apiVersion: policy/v1beta1
 kind: PodDisruptionBudget

diff --git a/cmd/build/helmify/replacements.go b/cmd/build/helmify/replacements.go
@@ -37,6 +37,10 @@ var replacements = map[string]string{
 
 	"HELMSUBST_VALIDATING_WEBHOOK_TIMEOUT": `{{ .Values.validatingWebhookTimeoutSeconds }}`,
 
+	"HELMSUBST_VALIDATING_WEBHOOK_FAILURE_POLICY": `{{ .Values.validatingWebhookFailurePolicy }}`,
+
+	"HELMSUBST_VALIDATING_WEBHOOK_CHECK_IGNORE_FAILURE_POLICY": `{{ .Values.validatingWebhookCheckIgnoreFailurePolicy }}`,
+
 	"HELMSUBST_RESOURCEQUOTA_POD_LIMIT": `{{ .Values.podCountLimit }}`,
 
 	"HELMSUBST_VALIDATING_WEBHOOK_OPERATION_RULES": `

diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md
@@ -76,6 +76,8 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 | auditMatchKindOnly                           | Only check resources of the kinds specified in all constraints defined in the cluster. | `false`                                                                        |
 | disableValidatingWebhook                     | Disable the validating webhook                                                         | `false`                                                                   |
 | validatingWebhookTimeoutSeconds              | The timeout for the validating webhook in seconds                                      | `3`                                                                       |
+| validatingWebhookFailurePolicy               | The failurePolicy for the validating webhook                                           | `Ignore`                                                                       |
+| validatingWebhookCheckIgnoreFailurePolicy    | The failurePolicy for the check-ignore-label validating webhook                        | `Fail`                                                                       |
 | enableDeleteOperations                       | Enable validating webhook for delete operations                                        | `false`                                                                   |
 | experimentalEnableMutation                   | Enable mutation  (alpha feature)                                                       | `false`                                                                   |
 | emitAdmissionEvents                          | Emit K8s events in gatekeeper namespace for admission violations (alpha feature)       | `false`                                                                   |

diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml
@@ -5,6 +5,8 @@ constraintViolationsLimit: 20
 auditFromCache: false
 disableValidatingWebhook: false
 validatingWebhookTimeoutSeconds: 3
+validatingWebhookFailurePolicy: Ignore
+validatingWebhookCheckIgnoreFailurePolicy: Fail
 enableDeleteOperations: false
 experimentalEnableMutation: false
 auditChunkSize: 0

diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md
@@ -76,6 +76,8 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 | auditMatchKindOnly                           | Only check resources of the kinds specified in all constraints defined in the cluster. | `false`                                                                        |
 | disableValidatingWebhook                     | Disable the validating webhook                                                         | `false`                                                                   |
 | validatingWebhookTimeoutSeconds              | The timeout for the validating webhook in seconds                                      | `3`                                                                       |
+| validatingWebhookFailurePolicy               | The failurePolicy for the validating webhook                                           | `Ignore`                                                                       |
+| validatingWebhookCheckIgnoreFailurePolicy    | The failurePolicy for the check-ignore-label validating webhook                        | `Fail`                                                                       |
 | enableDeleteOperations                       | Enable validating webhook for delete operations                                        | `false`                                                                   |
 | experimentalEnableMutation                   | Enable mutation  (alpha feature)                                                       | `false`                                                                   |
 | emitAdmissionEvents                          | Emit K8s events in gatekeeper namespace for admission violations (alpha feature)       | `false`                                                                   |

diff --git a/...templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml b/...templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
@@ -18,7 +18,7 @@ webhooks:
       name: gatekeeper-webhook-service
       namespace: '{{ .Release.Namespace }}'
       path: /v1/admit
-  failurePolicy: Ignore
+  failurePolicy: {{ .Values.validatingWebhookFailurePolicy }}
   matchPolicy: Exact
   name: validation.gatekeeper.sh
   namespaceSelector:
@@ -48,7 +48,7 @@ webhooks:
       name: gatekeeper-webhook-service
       namespace: '{{ .Release.Namespace }}'
       path: /v1/admitlabel
-  failurePolicy: Fail
+  failurePolicy: {{ .Values.validatingWebhookCheckIgnoreFailurePolicy }}
   matchPolicy: Exact
   name: check-ignore-label.gatekeeper.sh
   rules:

diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml
@@ -5,6 +5,8 @@ constraintViolationsLimit: 20
 auditFromCache: false
 disableValidatingWebhook: false
 validatingWebhookTimeoutSeconds: 3
+validatingWebhookFailurePolicy: Ignore
+validatingWebhookCheckIgnoreFailurePolicy: Fail
 enableDeleteOperations: false
 experimentalEnableMutation: false
 auditChunkSize: 0