From 31648c9178be3472b55da0643a6d29a2f227aa70 Mon Sep 17 00:00:00 2001
From: Vaishnav Gaikwad
Date: Wed, 15 Jun 2022 09:59:13 +0530
Subject: [PATCH] add gatekeeper:3.8.1
---
 .../generated-changes/patch/Chart.yaml.patch | 8 ++---
 .../generated-changes/patch/README.md.patch | 16 ++++-----
 .../gatekeeper-audit-deployment.yaml.patch | 24 +++++++++----
 ...r-controller-manager-deployment.yaml.patch | 27 +++++++++------
 .../templates/upgrade-crds-hook.yaml.patch | 14 +++++---
 .../generated-changes/patch/values.yaml.patch | 34 +++++++++----------
 packages/rancher-gatekeeper/package.yaml | 4 +--
 .../crd-template/templates/_helpers.tpl | 15 ++++++++
 release.yaml | 2 ++
 9 files changed, 90 insertions(+), 54 deletions(-)
diff --git a/packages/rancher-gatekeeper/generated-changes/patch/Chart.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/Chart.yaml.patch
index 6fd0fef19..67f4cba05 100644
--- a/packages/rancher-gatekeeper/generated-changes/patch/Chart.yaml.patch
+++ b/packages/rancher-gatekeeper/generated-changes/patch/Chart.yaml.patch
@@ -5,17 +5,17 @@
 + catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match
 + catalog.cattle.io/certified: rancher
 + catalog.cattle.io/display-name: OPA Gatekeeper
-+ catalog.cattle.io/kube-version: '>= 1.16.0-0'
++ catalog.cattle.io/kube-version: '>= 1.20.0-0 < 1.25.0-0'
 + catalog.cattle.io/namespace: cattle-gatekeeper-system
 + catalog.cattle.io/os: linux
 + catalog.cattle.io/permits-os: linux,windows
 + catalog.cattle.io/provides-gvr: config.gatekeeper.sh.config/v1alpha1
-+ catalog.cattle.io/rancher-version: '>= 2.6.0-0 <= 2.6.100-0'
++ catalog.cattle.io/rancher-version: '>= 2.6.0-0 < 2.7.0-0'
 + catalog.cattle.io/release-name: rancher-gatekeeper
 + catalog.cattle.io/type: cluster-tool
 + catalog.cattle.io/ui-component: gatekeeper
 apiVersion: v2
- appVersion: v3.7.1
+ appVersion: v3.8.1
 -description: A Helm chart for Gatekeeper
 +description: Modifies Open Policy Agent's upstream gatekeeper chart that provides
 + policy-based control for cloud native environments
@@ -28,4 +28,4 @@
 +name: rancher-gatekeeper
 sources:
 - https://github.com/open-policy-agent/gatekeeper.git
- version: 3.7.1
+ version: 3.8.1
diff --git a/packages/rancher-gatekeeper/generated-changes/patch/README.md.patch b/packages/rancher-gatekeeper/generated-changes/patch/README.md.patch
index 50bb6274d..a31725488 100644
--- a/packages/rancher-gatekeeper/generated-changes/patch/README.md.patch
+++ b/packages/rancher-gatekeeper/generated-changes/patch/README.md.patch
@@ -1,11 +1,11 @@
 --- charts-original/README.md
 +++ charts/README.md
-@@ -71,7 +71,7 @@
- | postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` |
- | psp.enabled | Enabled PodSecurityPolicy | `true` |
- | upgradeCRDs.enabled | Upgrade CRDs using pre-install/pre-upgrade hooks | `true` |
--| auditInterval | The frequency with which audit is run | `60` |
+@@ -79,7 +79,7 @@
+ | psp.enabled | Enabled PodSecurityPolicy | `true` |
+ | upgradeCRDs.enabled | Upgrade CRDs using pre-install/pre-upgrade hooks | `true` |
+ | crds.securityContext | Security context applied to the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 }` |
+-| auditInterval | The frequency with which audit is run | `60` |
 +| auditInterval | The frequency with which audit is run | `300` |
- | constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` |
- | auditFromCache | Take the roster of resources to audit from the OPA cache | `false` |
- | auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `0` |
+ | constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` |
+ | auditFromCache | Take the roster of resources to audit from the OPA cache | `false` |
+ | auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `0` |
diff --git a/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-audit-deployment.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-audit-deployment.yaml.patch
index 00dde3b33..f668175b0 100644
--- a/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-audit-deployment.yaml.patch
+++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-audit-deployment.yaml.patch
@@ -1,30 +1,40 @@
 --- charts-original/templates/gatekeeper-audit-deployment.yaml
 +++ charts/templates/gatekeeper-audit-deployment.yaml
-@@ -67,8 +67,8 @@
+@@ -40,11 +40,7 @@
+ {{- toYaml .Values.audit.affinity | nindent 8 }}
+ automountServiceAccountToken: true
+ containers:
+- - {{- if .Values.image.release }}
+- image: {{ .Values.image.repository }}:{{ .Values.image.release }}
+- {{- else }}
+- image: {{ .Values.image.repository }}
+- {{- end }}
++ - image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}'
+ args:
+ - --audit-interval={{ .Values.auditInterval }}
+ - --log-level={{ .Values.logLevel }}
+@@ -72,7 +68,7 @@
 valueFrom:
 fieldRef:
 fieldPath: metadata.name
-- image: '{{ .Values.image.repository }}:{{ .Values.image.release }}'
 - imagePullPolicy: '{{ .Values.image.pullPolicy }}'
-+ image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}'
 + imagePullPolicy: '{{ .Values.images.pullPolicy }}'
 livenessProbe:
 httpGet:
 path: /healthz
-@@ -102,16 +102,20 @@
+@@ -99,16 +95,20 @@
 dnsPolicy: {{ .Values.audit.dnsPolicy }}
 hostNetwork: {{ .Values.audit.hostNetwork }}
 imagePullSecrets:
 - {{- toYaml .Values.image.pullSecrets | nindent 8 }}
 - nodeSelector:
 - {{- toYaml .Values.audit.nodeSelector | nindent 8 }}
-- {{- if .Values.audit.priorityClassName }}
 + {{- toYaml .Values.images.pullSecrets | nindent 8 }}
 + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
 +{{- if .Values.audit.nodeSelector }}
 +{{ toYaml .Values.audit.nodeSelector | indent 8 }}
 +{{- end }}
-+ {{- if .Values.audit.priorityClassName }}
+ {{- if .Values.audit.priorityClassName }}
 priorityClassName: {{ .Values.audit.priorityClassName }}
 {{- end }}
 serviceAccountName: gatekeeper-admin
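Review bot: The `image:` line introduced in the first inner hunk renders `repository:tag` unconditionally, so an override that leaves `images.gatekeeper.tag` empty produces an invalid `…gatekeeper:` reference where the removed upstream `{{- if .Values.image.release }}` branch fell back to the bare repository; `{{ required "images.gatekeeper.tag is required" .Values.images.gatekeeper.tag }}` in the tag position would fail the render with a clear message instead. The controller-manager and upgrade-crds-hook patches below introduce the same construct. In the third inner hunk, `linux-node-selector` always emits `kubernetes.io/os: linux` and `.Values.audit.nodeSelector` is appended beneath it, so a user selector that also sets `kubernetes.io/os` yields a duplicate mapping key in the rendered Deployment, which YAML loaders either reject or resolve last-wins; a values.yaml comment such as `# kubernetes.io/os is set by the chart; do not repeat it here` would make the contract explicit (the controller-manager patch shares this pattern). The inner hunks are complete, but the surrounding template lines lie outside this view.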
@@ -36,5 +46,5 @@
 +{{ toYaml .Values.audit.tolerations | indent 8 }}
 +{{- end }}
 volumes:
- {{- if .Values.audit.writeToRAMDisk }}
+ {{- if .Values.audit.writeToRAMDisk }}
 - emptyDir:
diff --git a/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-controller-manager-deployment.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-controller-manager-deployment.yaml.patch
index c34d08055..5d954e7ab 100644
--- a/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-controller-manager-deployment.yaml.patch
+++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-controller-manager-deployment.yaml.patch
@@ -1,17 +1,28 @@
 --- charts-original/templates/gatekeeper-controller-manager-deployment.yaml
 +++ charts/templates/gatekeeper-controller-manager-deployment.yaml
-@@ -76,8 +76,8 @@
+@@ -40,11 +40,8 @@
+ {{- toYaml .Values.controllerManager.affinity | nindent 8 }}
+ automountServiceAccountToken: true
+ containers:
+- - {{- if .Values.image.release }}
+- image: {{ .Values.image.repository }}:{{ .Values.image.release }}
+- {{- else }}
+- image: {{ .Values.image.repository }}
+- {{- end }}
++ - image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}'
++ imagePullPolicy: '{{ .Values.images.pullPolicy }}'
+ args:
+ - --port={{ .Values.controllerManager.port }}
+ - --health-addr=:{{ .Values.controllerManager.healthPort }}
+@@ -84,7 +81,6 @@
 valueFrom:
 fieldRef:
 fieldPath: metadata.name
-- image: '{{ .Values.image.repository }}:{{ .Values.image.release }}'
 - imagePullPolicy: '{{ .Values.image.pullPolicy }}'
-+ image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}'
-+ imagePullPolicy: '{{ .Values.images.pullPolicy }}'
 livenessProbe:
 httpGet:
 path: /healthz
-@@ -115,18 +115,22 @@
+@@ -115,16 +111,20 @@
 dnsPolicy: {{ .Values.controllerManager.dnsPolicy }}
 hostNetwork: {{ .Values.controllerManager.hostNetwork }}
 imagePullSecrets:
@@ -23,7 +34,7 @@
 +{{- if .Values.controllerManager.nodeSelector }}
 +{{ toYaml .Values.controllerManager.nodeSelector | indent 8 }}
 +{{- end }}
- {{- if .Values.controllerManager.priorityClassName }}
+ {{- if .Values.controllerManager.priorityClassName }}
 priorityClassName: {{ .Values.controllerManager.priorityClassName }}
 {{- end }}
 serviceAccountName: gatekeeper-admin
@@ -37,7 +48,3 @@
 volumes:
 - name: cert
 secret:
- defaultMode: 420
-- secretName: gatekeeper-webhook-server-cert
-+ secretName: gatekeeper-webhook-server-cert
-\ No newline at end of file
diff --git a/packages/rancher-gatekeeper/generated-changes/patch/templates/upgrade-crds-hook.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/templates/upgrade-crds-hook.yaml.patch
index fdaf30866..173ed369f 100644
--- a/packages/rancher-gatekeeper/generated-changes/patch/templates/upgrade-crds-hook.yaml.patch
+++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/upgrade-crds-hook.yaml.patch
@@ -1,6 +1,6 @@
 --- charts-original/templates/upgrade-crds-hook.yaml
 +++ charts/templates/upgrade-crds-hook.yaml
-@@ -75,14 +75,14 @@
+@@ -75,18 +75,14 @@
 spec:
 serviceAccountName: gatekeeper-admin-upgrade-crds
 restartPolicy: Never
@@ -12,17 +12,21 @@
 {{- end }}
 containers:
 - name: crds-upgrade
+- {{- if not .Values.image.release }}
+- image: '{{ .Values.image.crdRepository }}'
+- {{- else }}
 - image: '{{ .Values.image.crdRepository }}:{{ .Values.image.release }}'
+- {{- end }}
 - imagePullPolicy: '{{ .Values.image.pullPolicy }}'
 + image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeepercrd.repository }}:{{ .Values.images.gatekeepercrd.tag }}'
 + imagePullPolicy: '{{ .Values.images.pullPolicy }}'
 args:
 - apply
 - -f
-@@ -98,7 +98,6 @@
- runAsGroup: 65532
- runAsNonRoot: true
- runAsUser: 65532
+@@ -95,7 +91,6 @@
+ {{- toYaml .Values.crds.resources | nindent 10 }}
+ securityContext:
+ {{- toYaml .Values.crds.securityContext | nindent 10 }}
 - nodeSelector:
 - kubernetes.io/os: linux
 -
diff --git a/packages/rancher-gatekeeper/generated-changes/patch/values.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/values.yaml.patch
index d575342de..88a50b94c 100644
--- a/packages/rancher-gatekeeper/generated-changes/patch/values.yaml.patch
+++ b/packages/rancher-gatekeeper/generated-changes/patch/values.yaml.patch
@@ -1,55 +1,53 @@
 --- charts-original/values.yaml
 +++ charts/values.yaml
-@@ -1,5 +1,5 @@
- replicas: 3
--auditInterval: 60
-+auditInterval: 300
- auditMatchKindOnly: false
- constraintViolationsLimit: 20
- auditFromCache: false
-@@ -22,14 +22,17 @@
+@@ -30,8 +30,8 @@
 labelNamespace:
 enabled: true
 image:
 - repository: openpolicyagent/gatekeeper-crds
-- tag: v3.8.1
 + repository: rancher/kubectl
 + tag: v1.20.2
 pullPolicy: IfNotPresent
 pullSecrets: []
+ securityContext:
+@@ -60,10 +60,13 @@
+ runAsGroup: 999
+ runAsNonRoot: true
+ runAsUser: 1000
 -image:
 - repository: openpolicyagent/gatekeeper
 - crdRepository: openpolicyagent/gatekeeper-crds
-- release: v3.8.1
 +images:
 + gatekeeper:
 + repository: rancher/mirrored-openpolicyagent-gatekeeper
-+ tag: v3.7.1
++ tag: v3.8.1
 + gatekeepercrd:
 + repository: rancher/mirrored-openpolicyagent-gatekeeper-crds
-+ tag: v3.7.1
++ tag: v3.8.1
 pullPolicy: IfNotPresent
 pullSecrets: []
 podAnnotations:
-@@ -59,7 +62,7 @@
+@@ -93,7 +96,7 @@
 topologyKey: kubernetes.io/hostname
 weight: 100
 tolerations: []
-- nodeSelector: { kubernetes.io/os: linux }
+- nodeSelector: {kubernetes.io/os: linux}
 + nodeSelector: {}
 resources:
 limits:
 cpu: 1000m
-@@ -75,7 +78,7 @@
+@@ -118,7 +121,7 @@
 priorityClassName: system-cluster-critical
 affinity: {}
 tolerations: []
-- nodeSelector: { kubernetes.io/os: linux }
+- nodeSelector: {kubernetes.io/os: linux}
 + nodeSelector: {}
 writeToRAMDisk: false
 resources:
 limits:
-@@ -89,6 +92,12 @@
+@@ -150,6 +153,12 @@
 pdb:
 controllerManager:
 minAvailable: 1
@@ -60,5 +58,5 @@
 + repository: rancher/kubectl
 + tag: v1.20.2
 service: {}
- disabledBuiltins:
+ disabledBuiltins: ["{http.send}"]
 psp:
diff --git a/packages/rancher-gatekeeper/package.yaml b/packages/rancher-gatekeeper/package.yaml
index bf18d743c..ac75a2b77 100644
--- a/packages/rancher-gatekeeper/package.yaml
+++ b/packages/rancher-gatekeeper/package.yaml
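Review bot: `rancher/kubectl` is pinned at `v1.20.2` for the `labelNamespace` image in the first inner hunk and again in the last inner hunk, while the Chart.yaml.patch in this commit raises the supported range to `< 1.25.0-0`; kubectl's version-skew policy only covers an API server within one minor release, so a 1.20 client against a 1.23 or 1.24 control plane is outside support and may misbehave on newer API versions. Either bump the tag in step with the upper kube-version bound or record the reason for keeping it, e.g. `# kubectl image used by the chart's hook jobs; keep within one minor of the kube-version range in Chart.yaml`. The two `rancher/kubectl` blocks carry identical repository/tag pairs, so a comment noting that they must move together (or a single shared value) would keep future bumps consistent.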
@@ -1,5 +1,5 @@
-url: https://open-policy-agent.github.io/gatekeeper/charts/gatekeeper-3.7.1.tgz
-version: 100.1.1
+url: https://open-policy-agent.github.io/gatekeeper/charts/gatekeeper-3.8.1.tgz
+version: 100.2.0
 additionalCharts:
 - workingDir: charts-crd
 crdOptions:
diff --git a/packages/rancher-gatekeeper/templates/crd-template/templates/_helpers.tpl b/packages/rancher-gatekeeper/templates/crd-template/templates/_helpers.tpl
index 39b26c195..6a89079bc 100644
--- a/packages/rancher-gatekeeper/templates/crd-template/templates/_helpers.tpl
+++ b/packages/rancher-gatekeeper/templates/crd-template/templates/_helpers.tpl
@@ -5,3 +5,18 @@
 {{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Windows cluster will add default taint for linux nodes,
+add below linux tolerations to workloads could be scheduled to those linux nodes
+*/}}
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
diff --git a/release.yaml b/release.yaml
index 03c3caaf3..daa75e9fe 100644
--- a/release.yaml
+++ b/release.yaml
@@ -10,8 +10,10 @@ system-upgrade-controller:
 - 100.0.3+up0.3.2
 rancher-gatekeeper:
 - 100.1.1+up3.7.1
+- 100.2.0+up3.8.1
 rancher-gatekeeper-crd:
 - 100.1.1+up3.7.1
+- 100.2.0+up3.8.1
 rancher-aks-operator:
 - 100.0.5+up1.0.6-rc1
 - 100.0.5+up1.0.6-rc2
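Review bot: The comment above `linux-node-tolerations` is hard to parse (`add below linux tolerations to workloads could be scheduled to those linux nodes`) and the new `linux-node-selector` define carries no comment at all. Suggest `Windows clusters taint their Linux nodes by default; these tolerations let chart workloads schedule onto those nodes` for the first, and `Node selector pinning chart workloads to Linux nodes; callers append any user-supplied selector after it` above the second define. The audit and controller-manager deployment patches in this commit consume `linux-node-selector` via `include`, so stating that callers append their own selector below it documents why `kubernetes.io/os` must not be repeated in values.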