rancher-charts/packages/rancher-gatekeeper/rancher-gatekeeper.patch

diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/Chart.yaml packages/rancher-gatekeeper/charts/Chart.yaml
--- packages/rancher-gatekeeper/charts-original/Chart.yaml
+++ packages/rancher-gatekeeper/charts/Chart.yaml
@@ -1,10 +1,16 @@
 apiVersion: v1
 description: A Helm chart for Gatekeeper
-name: gatekeeper-operator
+name: rancher-gatekeeper
 keywords:
   - open policy agent
-version: v3.1.0-beta.7
+version: 0.1.0
 home: https://github.com/open-policy-agent/gatekeeper
 sources:
   - https://github.com/open-policy-agent/gatekeeper.git
 appVersion: v3.1.0-beta.7
+icon: https://charts.rancher.io/assets/logos/gatekeeper.svg
+annotations:
+  catalog.cattle.io/certified: rancher
+  catalog.cattle.io/experimental: true
+  catalog.cattle.io/namespace: gatekeeper-system
+  catalog.cattle.io/release-name: rancher-gatekeeper
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/helm-modifications/helm-modifications.yaml packages/rancher-gatekeeper/charts/helm-modifications/helm-modifications.yaml
--- packages/rancher-gatekeeper/charts-original/helm-modifications/helm-modifications.yaml
+++ packages/rancher-gatekeeper/charts/helm-modifications/helm-modifications.yaml
@@ -1,61 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: gatekeeper-webhook-service
-  namespace: gatekeeper-system
-spec:
-  selector:
-    app: GATEKEEPER_APP_LABEL
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: configs.config.gatekeeper.sh
-  annotations:
-    helm.sh/hook: crd-install
-    helm.sh/hook-delete-policy: before-hook-creation
-status: null
-spec:
-  names:
-    shortNames:
-      - config # add shortName to CRD until https://github.com/kubernetes-sigs/kubebuilder/issues/404 is solved
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: constrainttemplates.templates.gatekeeper.sh
-  annotations:
-    helm.sh/hook: crd-install
-    helm.sh/hook-delete-policy: before-hook-creation
-status: null
-spec:
-  names:
-    shortNames:
-      - constraints # add shortName to CRD until https://github.com/kubernetes-sigs/kubebuilder/issues/404 is solved
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: gatekeeper-controller-manager
-  namespace: gatekeeper-system
-spec:
-  replicas: HELMSUBST_DEPLOYMENT_REPLICAS
-  selector:
-    matchLabels:
-      app: gatekeeper-operator
-      release: RELEASE_NAME
-  template:
-    spec:
-      containers:
-        - name: manager
-          args:
-            - --audit-interval={{ .Values.auditInterval }}
-            - --port=8443
-            - --logtostderr
-            - --constraint-violations-limit={{ .Values.constraintViolationsLimit }}
-            - --audit-from-cache={{ .Values.auditFromCache }}
-            - --exempt-namespace=gatekeeper-system
-          imagePullPolicy: "{{ .Values.image.pullPolicy }}"
-          image: "{{ .Values.image.repository }}:{{ .Values.image.release }}"
-          resources: HELMSUBST_DEPLOYMENT_CONTAINER_RESOURCES
-      nodeSelector: HELMSUBST_DEPLOYMENT_POD_SCHEDULING
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/helm-modifications/kustomization.yaml packages/rancher-gatekeeper/charts/helm-modifications/kustomization.yaml
--- packages/rancher-gatekeeper/charts-original/helm-modifications/kustomization.yaml
+++ packages/rancher-gatekeeper/charts/helm-modifications/kustomization.yaml
@@ -1,9 +0,0 @@
-commonLabels:
-  app: '{{ template "gatekeeper-operator.name" . }}'
-  chart: '{{ template "gatekeeper-operator.name" . }}'
-  release: '{{ .Release.Name }}'
-  heritage: '{{ .Release.Service }}'
-resources:
-  - _temp.yaml
-patchesStrategicMerge:
-  - helm-modifications.yaml
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/allowedrepos.yaml packages/rancher-gatekeeper/charts/templates/allowedrepos.yaml
--- packages/rancher-gatekeeper/charts-original/templates/allowedrepos.yaml
+++ packages/rancher-gatekeeper/charts/templates/allowedrepos.yaml
@@ -0,0 +1,35 @@
+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+  name: k8sallowedrepos
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sAllowedRepos
+      validation:
+        # Schema for the `parameters` field
+        openAPIV3Schema:
+          properties:
+            repos:
+              type: array
+              items:
+                type: string
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8sallowedrepos
+
+        violation[{"msg": msg}] {
+          container := input.review.object.spec.containers[_]
+          satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
+          not any(satisfied)
+          msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
+        }
+
+        violation[{"msg": msg}] {
+          container := input.review.object.spec.initContainers[_]
+          satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
+          not any(satisfied)
+          msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
+        }
\ No newline at end of file
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/gatekeeper.yaml packages/rancher-gatekeeper/charts/templates/gatekeeper.yaml
--- packages/rancher-gatekeeper/charts-original/templates/gatekeeper.yaml
+++ packages/rancher-gatekeeper/charts/templates/gatekeeper.yaml
@@ -485,7 +485,7 @@
           valueFrom:
             fieldRef:
               fieldPath: metadata.name
-        image: '{{ .Values.image.repository }}:{{ .Values.image.release }}'
+        image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}'
         imagePullPolicy: '{{ .Values.image.pullPolicy }}'
         livenessProbe:
           httpGet:
@@ -517,7 +517,7 @@
         - mountPath: /certs
           name: cert
           readOnly: true
-      nodeSelector: 
+      nodeSelector:
 {{ toYaml .Values.nodeSelector | indent 8 }}
       affinity:
 {{ toYaml .Values.affinity | indent 8 }}
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/_helpers.tpl packages/rancher-gatekeeper/charts/templates/_helpers.tpl
--- packages/rancher-gatekeeper/charts-original/templates/_helpers.tpl
+++ packages/rancher-gatekeeper/charts/templates/_helpers.tpl
@@ -42,3 +42,11 @@
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end -}}
+
+{{- define "system_default_registry" -}}
+{{- if .Values.global.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/job-constraints-crd.yaml packages/rancher-gatekeeper/charts/templates/job-constraints-crd.yaml
--- packages/rancher-gatekeeper/charts-original/templates/job-constraints-crd.yaml
+++ packages/rancher-gatekeeper/charts/templates/job-constraints-crd.yaml
@@ -0,0 +1,19 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: gatekeeper-delete-constraints-crd-job
+  annotations:
+    "helm.sh/hook": "pre-delete"
+    "helm.sh/hook-delete-policy": "hook-succeeded, before-hook-creation, hook-failed"
+spec:
+  template:
+    spec:
+      serviceAccountName: gatekeeper-admin
+      containers:
+      - name: gatekeeper-delete-constraints-crd
+        image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
+        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+        command: ["kubectl",  "delete", "constrainttemplates", "--all"]
+      restartPolicy: Never
+  backoffLimit: 1
\ No newline at end of file
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/requiredlabels.yaml packages/rancher-gatekeeper/charts/templates/requiredlabels.yaml
--- packages/rancher-gatekeeper/charts-original/templates/requiredlabels.yaml
+++ packages/rancher-gatekeeper/charts/templates/requiredlabels.yaml
@@ -0,0 +1,57 @@
+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+  name: k8srequiredlabels
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sRequiredLabels
+      validation:
+        # Schema for the `parameters` field
+        openAPIV3Schema:
+          properties:
+            message:
+              type: string
+            labels:
+              type: array
+              items:
+                type: object
+                properties:
+                  key:
+                    type: string
+                  allowedRegex:
+                    type: string
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8srequiredlabels
+
+        get_message(parameters, _default) = msg {
+          not parameters.message
+          msg := _default
+        }
+
+        get_message(parameters, _default) = msg {
+          msg := parameters.message
+        }
+
+        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
+          provided := {label | input.review.object.metadata.labels[label]}
+          required := {label | label := input.parameters.labels[_].key}
+          missing := required - provided
+          count(missing) > 0
+          def_msg := sprintf("you must provide labels: %v", [missing])
+          msg := get_message(input.parameters, def_msg)
+        }
+
+        violation[{"msg": msg}] {
+          value := input.review.object.metadata.labels[key]
+          expected := input.parameters.labels[_]
+          expected.key == key
+          # do not match if allowedRegex is not defined, or is an empty string
+          expected.allowedRegex != ""
+          not re_match(expected.allowedRegex, value)
+          def_msg := sprintf("Label <%v: %v> does not satisfy allowed regex: %v", [key, value, expected.allowedRegex])
+          msg := get_message(input.parameters, def_msg)
+        }
\ No newline at end of file
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/values.yaml packages/rancher-gatekeeper/charts/values.yaml
--- packages/rancher-gatekeeper/charts-original/values.yaml
+++ packages/rancher-gatekeeper/charts/values.yaml
@@ -1,12 +1,12 @@
 replicas: 1
-auditInterval: 60
+auditInterval: 300
 constraintViolationsLimit: 20
 auditFromCache: false
 image:
-  repository: quay.io/open-policy-agent/gatekeeper
-  release: v3.1.0-beta.7
+  repository: rancher/opa-gatekeeper
+  tag: v3.1.0-beta.7
   pullPolicy: IfNotPresent
-nodeSelector: {}
+nodeSelector: {"beta.kubernetes.io/os": "linux"}
 tolerations: []
 resources:
   limits:
@@ -15,3 +15,8 @@
   requests:
     cpu: 100m
     memory: 256Mi
+global:
+  systemDefaultRegistry: ""
+  kubectl:
+    repository: rancher/istio-kubectl
+    tag: 1.4.6
\ No newline at end of file