add gatekeeper:3.8.1

pull/1941/head
Vaishnav Gaikwad 2022-06-15 09:59:13 +05:30
parent a4290a1b3f
commit 31648c9178
9 changed files with 90 additions and 54 deletions


@ -5,17 +5,17 @@
+ catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/display-name: OPA Gatekeeper
+ catalog.cattle.io/kube-version: '>= 1.16.0-0'
+ catalog.cattle.io/kube-version: '>= 1.20.0-0 < 1.25.0-0'
+ catalog.cattle.io/namespace: cattle-gatekeeper-system
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/permits-os: linux,windows
+ catalog.cattle.io/provides-gvr: config.gatekeeper.sh.config/v1alpha1
+ catalog.cattle.io/rancher-version: '>= 2.6.0-0 <= 2.6.100-0'
+ catalog.cattle.io/rancher-version: '>= 2.6.0-0 < 2.7.0-0'
+ catalog.cattle.io/release-name: rancher-gatekeeper
+ catalog.cattle.io/type: cluster-tool
+ catalog.cattle.io/ui-component: gatekeeper
apiVersion: v2
appVersion: v3.7.1
appVersion: v3.8.1
-description: A Helm chart for Gatekeeper
+description: Modifies Open Policy Agent's upstream gatekeeper chart that provides
+ policy-based control for cloud native environments
@ -28,4 +28,4 @@
+name: rancher-gatekeeper
sources:
- https://github.com/open-policy-agent/gatekeeper.git
version: 3.7.1
version: 3.8.1
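Review bot: The kube-version annotation is widened to `'>= 1.20.0-0 < 1.25.0-0'` in this section, but the values.yaml patch in the same commit still pins the kubectl image that the labelNamespace job appears to run to `repository: rancher/kubectl` / `tag: v1.20.2` (unchanged context there, and a second identical entry at the end of that patch). kubectl is only supported within one minor version of the API server, so clusters at 1.22 through 1.24, which the annotation now admits, would run those hooks outside the supported skew; they may well still work, but that is not something the chart metadata should promise. Either bump the kubectl tag in the same change or keep the upper bound where the hook image is supported, and add a comment above the annotation such as `# validated against the rancher/kubectl tag in values.yaml; keep the two in step` so the next bump does not drift again.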


@ -1,11 +1,11 @@
--- charts-original/README.md
+++ charts/README.md
@@ -71,7 +71,7 @@
| postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` |
| psp.enabled | Enabled PodSecurityPolicy | `true` |
| upgradeCRDs.enabled | Upgrade CRDs using pre-install/pre-upgrade hooks | `true` |
-| auditInterval | The frequency with which audit is run | `60` |
@@ -79,7 +79,7 @@
| psp.enabled | Enabled PodSecurityPolicy | `true` |
| upgradeCRDs.enabled | Upgrade CRDs using pre-install/pre-upgrade hooks | `true` |
| crds.securityContext | Security context applied to the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 }` |
-| auditInterval | The frequency with which audit is run | `60` |
+| auditInterval | The frequency with which audit is run | `300` |
| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` |
| auditFromCache | Take the roster of resources to audit from the OPA cache | `false` |
| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `0` |
| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` |
| auditFromCache | Take the roster of resources to audit from the OPA cache | `false` |
| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `0` |


@ -1,30 +1,40 @@
--- charts-original/templates/gatekeeper-audit-deployment.yaml
+++ charts/templates/gatekeeper-audit-deployment.yaml
@@ -67,8 +67,8 @@
@@ -40,11 +40,7 @@
{{- toYaml .Values.audit.affinity | nindent 8 }}
automountServiceAccountToken: true
containers:
- - {{- if .Values.image.release }}
- image: {{ .Values.image.repository }}:{{ .Values.image.release }}
- {{- else }}
- image: {{ .Values.image.repository }}
- {{- end }}
+ - image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}'
args:
- --audit-interval={{ .Values.auditInterval }}
- --log-level={{ .Values.logLevel }}
@@ -72,7 +68,7 @@
valueFrom:
fieldRef:
fieldPath: metadata.name
- image: '{{ .Values.image.repository }}:{{ .Values.image.release }}'
- imagePullPolicy: '{{ .Values.image.pullPolicy }}'
+ image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}'
+ imagePullPolicy: '{{ .Values.images.pullPolicy }}'
livenessProbe:
httpGet:
path: /healthz
@@ -102,16 +102,20 @@
@@ -99,16 +95,20 @@
dnsPolicy: {{ .Values.audit.dnsPolicy }}
hostNetwork: {{ .Values.audit.hostNetwork }}
imagePullSecrets:
- {{- toYaml .Values.image.pullSecrets | nindent 8 }}
- nodeSelector:
- {{- toYaml .Values.audit.nodeSelector | nindent 8 }}
- {{- if .Values.audit.priorityClassName }}
+ {{- toYaml .Values.images.pullSecrets | nindent 8 }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.audit.nodeSelector }}
+{{ toYaml .Values.audit.nodeSelector | indent 8 }}
+{{- end }}
+ {{- if .Values.audit.priorityClassName }}
{{- if .Values.audit.priorityClassName }}
priorityClassName: {{ .Values.audit.priorityClassName }}
{{- end }}
serviceAccountName: gatekeeper-admin
@ -36,5 +46,5 @@
+{{ toYaml .Values.audit.tolerations | indent 8 }}
+{{- end }}
volumes:
{{- if .Values.audit.writeToRAMDisk }}
{{- if .Values.audit.writeToRAMDisk }}
- emptyDir:
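Review bot: `nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}` emits `kubernetes.io/os: linux` and the following `{{ toYaml .Values.audit.nodeSelector | indent 8 }}` then appends the user-supplied map verbatim, so anyone who keeps upstream's default `{kubernetes.io/os: linux}` (the value this same commit replaces with `{}` in values.yaml) renders a mapping with a duplicate key, which the consuming YAML parser either rejects or resolves last-wins depending on the tool. The controller-manager deployment patch uses the same pattern and has the same exposure. Merging before emitting avoids the duplicate, e.g. `nodeSelector: {{ toYaml (merge (dict) .Values.audit.nodeSelector (fromYaml (include "linux-node-selector" .))) | nindent 8 }}`, which keeps the linux pin while letting the user map override it. The enclosing pod template starts and ends outside this hunk.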


@ -1,17 +1,28 @@
--- charts-original/templates/gatekeeper-controller-manager-deployment.yaml
+++ charts/templates/gatekeeper-controller-manager-deployment.yaml
@@ -76,8 +76,8 @@
@@ -40,11 +40,8 @@
{{- toYaml .Values.controllerManager.affinity | nindent 8 }}
automountServiceAccountToken: true
containers:
- - {{- if .Values.image.release }}
- image: {{ .Values.image.repository }}:{{ .Values.image.release }}
- {{- else }}
- image: {{ .Values.image.repository }}
- {{- end }}
+ - image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}'
+ imagePullPolicy: '{{ .Values.images.pullPolicy }}'
args:
- --port={{ .Values.controllerManager.port }}
- --health-addr=:{{ .Values.controllerManager.healthPort }}
@@ -84,7 +81,6 @@
valueFrom:
fieldRef:
fieldPath: metadata.name
- image: '{{ .Values.image.repository }}:{{ .Values.image.release }}'
- imagePullPolicy: '{{ .Values.image.pullPolicy }}'
+ image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}'
+ imagePullPolicy: '{{ .Values.images.pullPolicy }}'
livenessProbe:
httpGet:
path: /healthz
@@ -115,18 +115,22 @@
@@ -115,16 +111,20 @@
dnsPolicy: {{ .Values.controllerManager.dnsPolicy }}
hostNetwork: {{ .Values.controllerManager.hostNetwork }}
imagePullSecrets:
@ -23,7 +34,7 @@
+{{- if .Values.controllerManager.nodeSelector }}
+{{ toYaml .Values.controllerManager.nodeSelector | indent 8 }}
+{{- end }}
{{- if .Values.controllerManager.priorityClassName }}
{{- if .Values.controllerManager.priorityClassName }}
priorityClassName: {{ .Values.controllerManager.priorityClassName }}
{{- end }}
serviceAccountName: gatekeeper-admin
@ -37,7 +48,3 @@
volumes:
- name: cert
secret:
defaultMode: 420
- secretName: gatekeeper-webhook-server-cert
+ secretName: gatekeeper-webhook-server-cert
\ No newline at end of file


@ -1,6 +1,6 @@
--- charts-original/templates/upgrade-crds-hook.yaml
+++ charts/templates/upgrade-crds-hook.yaml
@@ -75,14 +75,14 @@
@@ -75,18 +75,14 @@
spec:
serviceAccountName: gatekeeper-admin-upgrade-crds
restartPolicy: Never
@ -12,17 +12,21 @@
{{- end }}
containers:
- name: crds-upgrade
- {{- if not .Values.image.release }}
- image: '{{ .Values.image.crdRepository }}'
- {{- else }}
- image: '{{ .Values.image.crdRepository }}:{{ .Values.image.release }}'
- {{- end }}
- imagePullPolicy: '{{ .Values.image.pullPolicy }}'
+ image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeepercrd.repository }}:{{ .Values.images.gatekeepercrd.tag }}'
+ imagePullPolicy: '{{ .Values.images.pullPolicy }}'
args:
- apply
- -f
@@ -98,7 +98,6 @@
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
@@ -95,7 +91,6 @@
{{- toYaml .Values.crds.resources | nindent 10 }}
securityContext:
{{- toYaml .Values.crds.securityContext | nindent 10 }}
- nodeSelector:
- kubernetes.io/os: linux
-


@ -1,55 +1,53 @@
--- charts-original/values.yaml
+++ charts/values.yaml
@@ -1,5 +1,5 @@
replicas: 3
-auditInterval: 60
+auditInterval: 300
auditMatchKindOnly: false
constraintViolationsLimit: 20
auditFromCache: false
@@ -22,14 +22,17 @@
@@ -30,8 +30,8 @@
labelNamespace:
enabled: true
image:
- repository: openpolicyagent/gatekeeper-crds
- tag: v3.7.1
- tag: v3.8.1
+ repository: rancher/kubectl
+ tag: v1.20.2
pullPolicy: IfNotPresent
pullSecrets: []
securityContext:
@@ -60,10 +60,13 @@
runAsGroup: 999
runAsNonRoot: true
runAsUser: 1000
-image:
- repository: openpolicyagent/gatekeeper
- crdRepository: openpolicyagent/gatekeeper-crds
- release: v3.7.1
- release: v3.8.1
+images:
+ gatekeeper:
+ repository: rancher/mirrored-openpolicyagent-gatekeeper
+ tag: v3.7.1
+ tag: v3.8.1
+ gatekeepercrd:
+ repository: rancher/mirrored-openpolicyagent-gatekeeper-crds
+ tag: v3.7.1
+ tag: v3.8.1
pullPolicy: IfNotPresent
pullSecrets: []
podAnnotations:
@@ -59,7 +62,7 @@
@@ -93,7 +96,7 @@
topologyKey: kubernetes.io/hostname
weight: 100
tolerations: []
- nodeSelector: { kubernetes.io/os: linux }
- nodeSelector: {kubernetes.io/os: linux}
+ nodeSelector: {}
resources:
limits:
cpu: 1000m
@@ -75,7 +78,7 @@
@@ -118,7 +121,7 @@
priorityClassName: system-cluster-critical
affinity: {}
tolerations: []
- nodeSelector: { kubernetes.io/os: linux }
- nodeSelector: {kubernetes.io/os: linux}
+ nodeSelector: {}
writeToRAMDisk: false
resources:
limits:
@@ -89,6 +92,12 @@
@@ -150,6 +153,12 @@
pdb:
controllerManager:
minAvailable: 1
@ -60,5 +58,5 @@
+ repository: rancher/kubectl
+ tag: v1.20.2
service: {}
disabledBuiltins:
disabledBuiltins: ["{http.send}"]
psp:


@ -1,5 +1,5 @@
url: https://open-policy-agent.github.io/gatekeeper/charts/gatekeeper-3.7.1.tgz
version: 100.1.1
url: https://open-policy-agent.github.io/gatekeeper/charts/gatekeeper-3.8.1.tgz
version: 100.2.0
additionalCharts:
- workingDir: charts-crd
crdOptions:


@ -5,3 +5,18 @@
{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
{{- end -}}
{{- end -}}
{{/*
Windows cluster will add default taint for linux nodes,
add below linux tolerations to workloads could be scheduled to those linux nodes
*/}}
{{- define "linux-node-tolerations" -}}
- key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
{{- end -}}
{{- define "linux-node-selector" -}}
kubernetes.io/os: linux
{{- end -}}
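Review bot: The new `linux-node-selector` define has no explanatory comment, while the neighbouring `linux-node-tolerations` define gets one; a reader of _helpers.tpl cannot tell from the template alone that the deployment templates in this commit place it first under `nodeSelector:` and then append the chart-user's own map after it. Suggest a comment block immediately above it, in the file's existing `{{/* ... */}}` style, along the lines of `{{/* Default nodeSelector pinning chart workloads to linux nodes; the deployment templates append .Values.<component>.nodeSelector after this, so user values must not repeat kubernetes.io/os */}}`. The existing tolerations comment would also read better as `add the linux toleration below so workloads can be scheduled on those linux nodes`.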


@ -10,8 +10,10 @@ system-upgrade-controller:
- 100.0.3+up0.3.2
rancher-gatekeeper:
- 100.1.1+up3.7.1
- 100.2.0+up3.8.1
rancher-gatekeeper-crd:
- 100.1.1+up3.7.1
- 100.2.0+up3.8.1
rancher-aks-operator:
- 100.0.5+up1.0.6-rc1
- 100.0.5+up1.0.6-rc2