andata
/
rancher-charts
mirror of https://git.rancher.io/charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

add gatekeeper:3.8.1

pull/1941/head
Vaishnav Gaikwad 2022-06-15 09:59:13 +05:30
parent a4290a1b3f
commit 31648c9178
9 changed files with 90 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
packages/rancher-gatekeeper/generated-changes/patch/Chart.yaml.patch
View File

@ -5,17 +5,17 @@
+ catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match + catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match
+ catalog.cattle.io/certified: rancher + catalog.cattle.io/certified: rancher
+ catalog.cattle.io/display-name: OPA Gatekeeper + catalog.cattle.io/display-name: OPA Gatekeeper
+ catalog.cattle.io/kube-version: '>= 1.16.0-0' + catalog.cattle.io/kube-version: '>= 1.20.0-0 < 1.25.0-0'
+ catalog.cattle.io/namespace: cattle-gatekeeper-system + catalog.cattle.io/namespace: cattle-gatekeeper-system
+ catalog.cattle.io/os: linux + catalog.cattle.io/os: linux
+ catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/permits-os: linux,windows
+ catalog.cattle.io/provides-gvr: config.gatekeeper.sh.config/v1alpha1 + catalog.cattle.io/provides-gvr: config.gatekeeper.sh.config/v1alpha1
+ catalog.cattle.io/rancher-version: '>= 2.6.0-0 <= 2.6.100-0' + catalog.cattle.io/rancher-version: '>= 2.6.0-0 < 2.7.0-0'
+ catalog.cattle.io/release-name: rancher-gatekeeper + catalog.cattle.io/release-name: rancher-gatekeeper
+ catalog.cattle.io/type: cluster-tool + catalog.cattle.io/type: cluster-tool
+ catalog.cattle.io/ui-component: gatekeeper + catalog.cattle.io/ui-component: gatekeeper
apiVersion: v2 apiVersion: v2
appVersion: v3.7.1 appVersion: v3.8.1
-description: A Helm chart for Gatekeeper -description: A Helm chart for Gatekeeper
+description: Modifies Open Policy Agent's upstream gatekeeper chart that provides +description: Modifies Open Policy Agent's upstream gatekeeper chart that provides
+ policy-based control for cloud native environments + policy-based control for cloud native environments
@ -28,4 +28,4 @@
+name: rancher-gatekeeper +name: rancher-gatekeeper
sources: sources:
- https://github.com/open-policy-agent/gatekeeper.git - https://github.com/open-policy-agent/gatekeeper.git
version: 3.7.1 version: 3.8.1

4
packages/rancher-gatekeeper/generated-changes/patch/README.md.patch
View File

@ -1,9 +1,9 @@
--- charts-original/README.md --- charts-original/README.md
+++ charts/README.md +++ charts/README.md
@@ -71,7 +71,7 @@ @@ -79,7 +79,7 @@
| postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` |
| psp.enabled | Enabled PodSecurityPolicy | `true` | | psp.enabled | Enabled PodSecurityPolicy | `true` |
| upgradeCRDs.enabled | Upgrade CRDs using pre-install/pre-upgrade hooks | `true` | | upgradeCRDs.enabled | Upgrade CRDs using pre-install/pre-upgrade hooks | `true` |
| crds.securityContext | Security context applied to the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 }` |
-| auditInterval | The frequency with which audit is run | `60` | -| auditInterval | The frequency with which audit is run | `60` |
+| auditInterval | The frequency with which audit is run | `300` | +| auditInterval | The frequency with which audit is run | `300` |
| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` | | constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` |

22
packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-audit-deployment.yaml.patch
View File

@ -1,30 +1,40 @@
--- charts-original/templates/gatekeeper-audit-deployment.yaml --- charts-original/templates/gatekeeper-audit-deployment.yaml
+++ charts/templates/gatekeeper-audit-deployment.yaml +++ charts/templates/gatekeeper-audit-deployment.yaml
@@ -67,8 +67,8 @@ @@ -40,11 +40,7 @@
{{- toYaml .Values.audit.affinity | nindent 8 }}
automountServiceAccountToken: true
containers:
- - {{- if .Values.image.release }}
- image: {{ .Values.image.repository }}:{{ .Values.image.release }}
- {{- else }}
- image: {{ .Values.image.repository }}
- {{- end }}
+ - image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}'
args:
- --audit-interval={{ .Values.auditInterval }}
- --log-level={{ .Values.logLevel }}
@@ -72,7 +68,7 @@
valueFrom: valueFrom:
fieldRef: fieldRef:
fieldPath: metadata.name fieldPath: metadata.name
- image: '{{ .Values.image.repository }}:{{ .Values.image.release }}'
- imagePullPolicy: '{{ .Values.image.pullPolicy }}' - imagePullPolicy: '{{ .Values.image.pullPolicy }}'
+ image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}'
+ imagePullPolicy: '{{ .Values.images.pullPolicy }}' + imagePullPolicy: '{{ .Values.images.pullPolicy }}'
livenessProbe: livenessProbe:
httpGet: httpGet:
path: /healthz path: /healthz
@@ -102,16 +102,20 @@ @@ -99,16 +95,20 @@
dnsPolicy: {{ .Values.audit.dnsPolicy }} dnsPolicy: {{ .Values.audit.dnsPolicy }}
hostNetwork: {{ .Values.audit.hostNetwork }} hostNetwork: {{ .Values.audit.hostNetwork }}
imagePullSecrets: imagePullSecrets:
- {{- toYaml .Values.image.pullSecrets | nindent 8 }} - {{- toYaml .Values.image.pullSecrets | nindent 8 }}
- nodeSelector: - nodeSelector:
- {{- toYaml .Values.audit.nodeSelector | nindent 8 }} - {{- toYaml .Values.audit.nodeSelector | nindent 8 }}
- {{- if .Values.audit.priorityClassName }}
+ {{- toYaml .Values.images.pullSecrets | nindent 8 }} + {{- toYaml .Values.images.pullSecrets | nindent 8 }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.audit.nodeSelector }} +{{- if .Values.audit.nodeSelector }}
+{{ toYaml .Values.audit.nodeSelector | indent 8 }} +{{ toYaml .Values.audit.nodeSelector | indent 8 }}
+{{- end }} +{{- end }}
+ {{- if .Values.audit.priorityClassName }} {{- if .Values.audit.priorityClassName }}
priorityClassName: {{ .Values.audit.priorityClassName }} priorityClassName: {{ .Values.audit.priorityClassName }}
{{- end }} {{- end }}
serviceAccountName: gatekeeper-admin serviceAccountName: gatekeeper-admin

25
packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-controller-manager-deployment.yaml.patch
View File

@ -1,17 +1,28 @@
--- charts-original/templates/gatekeeper-controller-manager-deployment.yaml --- charts-original/templates/gatekeeper-controller-manager-deployment.yaml
+++ charts/templates/gatekeeper-controller-manager-deployment.yaml +++ charts/templates/gatekeeper-controller-manager-deployment.yaml
@@ -76,8 +76,8 @@ @@ -40,11 +40,8 @@
{{- toYaml .Values.controllerManager.affinity | nindent 8 }}
automountServiceAccountToken: true
containers:
- - {{- if .Values.image.release }}
- image: {{ .Values.image.repository }}:{{ .Values.image.release }}
- {{- else }}
- image: {{ .Values.image.repository }}
- {{- end }}
+ - image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}'
+ imagePullPolicy: '{{ .Values.images.pullPolicy }}'
args:
- --port={{ .Values.controllerManager.port }}
- --health-addr=:{{ .Values.controllerManager.healthPort }}
@@ -84,7 +81,6 @@
valueFrom: valueFrom:
fieldRef: fieldRef:
fieldPath: metadata.name fieldPath: metadata.name
- image: '{{ .Values.image.repository }}:{{ .Values.image.release }}'
- imagePullPolicy: '{{ .Values.image.pullPolicy }}' - imagePullPolicy: '{{ .Values.image.pullPolicy }}'
+ image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}'
+ imagePullPolicy: '{{ .Values.images.pullPolicy }}'
livenessProbe: livenessProbe:
httpGet: httpGet:
path: /healthz path: /healthz
@@ -115,18 +115,22 @@ @@ -115,16 +111,20 @@
dnsPolicy: {{ .Values.controllerManager.dnsPolicy }} dnsPolicy: {{ .Values.controllerManager.dnsPolicy }}
hostNetwork: {{ .Values.controllerManager.hostNetwork }} hostNetwork: {{ .Values.controllerManager.hostNetwork }}
imagePullSecrets: imagePullSecrets:
@ -37,7 +48,3 @@
volumes: volumes:
- name: cert - name: cert
secret: secret:
defaultMode: 420
- secretName: gatekeeper-webhook-server-cert
+ secretName: gatekeeper-webhook-server-cert
\ No newline at end of file

14
packages/rancher-gatekeeper/generated-changes/patch/templates/upgrade-crds-hook.yaml.patch
View File

@ -1,6 +1,6 @@
--- charts-original/templates/upgrade-crds-hook.yaml --- charts-original/templates/upgrade-crds-hook.yaml
+++ charts/templates/upgrade-crds-hook.yaml +++ charts/templates/upgrade-crds-hook.yaml
@@ -75,14 +75,14 @@ @@ -75,18 +75,14 @@
spec: spec:
serviceAccountName: gatekeeper-admin-upgrade-crds serviceAccountName: gatekeeper-admin-upgrade-crds
restartPolicy: Never restartPolicy: Never
@ -12,17 +12,21 @@
{{- end }} {{- end }}
containers: containers:
- name: crds-upgrade - name: crds-upgrade
- {{- if not .Values.image.release }}
- image: '{{ .Values.image.crdRepository }}'
- {{- else }}
- image: '{{ .Values.image.crdRepository }}:{{ .Values.image.release }}' - image: '{{ .Values.image.crdRepository }}:{{ .Values.image.release }}'
- {{- end }}
- imagePullPolicy: '{{ .Values.image.pullPolicy }}' - imagePullPolicy: '{{ .Values.image.pullPolicy }}'
+ image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeepercrd.repository }}:{{ .Values.images.gatekeepercrd.tag }}' + image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeepercrd.repository }}:{{ .Values.images.gatekeepercrd.tag }}'
+ imagePullPolicy: '{{ .Values.images.pullPolicy }}' + imagePullPolicy: '{{ .Values.images.pullPolicy }}'
args: args:
- apply - apply
- -f - -f
@@ -98,7 +98,6 @@ @@ -95,7 +91,6 @@
runAsGroup: 65532 {{- toYaml .Values.crds.resources | nindent 10 }}
runAsNonRoot: true securityContext:
runAsUser: 65532 {{- toYaml .Values.crds.securityContext | nindent 10 }}
- nodeSelector: - nodeSelector:
- kubernetes.io/os: linux - kubernetes.io/os: linux
- -

30
packages/rancher-gatekeeper/generated-changes/patch/values.yaml.patch
View File

@ -1,37 +1,35 @@
--- charts-original/values.yaml --- charts-original/values.yaml
+++ charts/values.yaml +++ charts/values.yaml
@@ -1,5 +1,5 @@ @@ -30,8 +30,8 @@
replicas: 3
-auditInterval: 60
+auditInterval: 300
auditMatchKindOnly: false
constraintViolationsLimit: 20
auditFromCache: false
@@ -22,14 +22,17 @@
labelNamespace: labelNamespace:
enabled: true enabled: true
image: image:
- repository: openpolicyagent/gatekeeper-crds - repository: openpolicyagent/gatekeeper-crds
- tag: v3.7.1 - tag: v3.8.1
+ repository: rancher/kubectl + repository: rancher/kubectl
+ tag: v1.20.2 + tag: v1.20.2
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
pullSecrets: [] pullSecrets: []
securityContext:
@@ -60,10 +60,13 @@
runAsGroup: 999
runAsNonRoot: true
runAsUser: 1000
-image: -image:
- repository: openpolicyagent/gatekeeper - repository: openpolicyagent/gatekeeper
- crdRepository: openpolicyagent/gatekeeper-crds - crdRepository: openpolicyagent/gatekeeper-crds
- release: v3.7.1 - release: v3.8.1
+images: +images:
+ gatekeeper: + gatekeeper:
+ repository: rancher/mirrored-openpolicyagent-gatekeeper + repository: rancher/mirrored-openpolicyagent-gatekeeper
+ tag: v3.7.1 + tag: v3.8.1
+ gatekeepercrd: + gatekeepercrd:
+ repository: rancher/mirrored-openpolicyagent-gatekeeper-crds + repository: rancher/mirrored-openpolicyagent-gatekeeper-crds
+ tag: v3.7.1 + tag: v3.8.1
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
pullSecrets: [] pullSecrets: []
podAnnotations: podAnnotations:
@@ -59,7 +62,7 @@ @@ -93,7 +96,7 @@
topologyKey: kubernetes.io/hostname topologyKey: kubernetes.io/hostname
weight: 100 weight: 100
tolerations: [] tolerations: []
@ -40,7 +38,7 @@
resources: resources:
limits: limits:
cpu: 1000m cpu: 1000m
@@ -75,7 +78,7 @@ @@ -118,7 +121,7 @@
priorityClassName: system-cluster-critical priorityClassName: system-cluster-critical
affinity: {} affinity: {}
tolerations: [] tolerations: []
@ -49,7 +47,7 @@
writeToRAMDisk: false writeToRAMDisk: false
resources: resources:
limits: limits:
@@ -89,6 +92,12 @@ @@ -150,6 +153,12 @@
pdb: pdb:
controllerManager: controllerManager:
minAvailable: 1 minAvailable: 1
@ -60,5 +58,5 @@
+ repository: rancher/kubectl + repository: rancher/kubectl
+ tag: v1.20.2 + tag: v1.20.2
service: {} service: {}
disabledBuiltins: disabledBuiltins: ["{http.send}"]
psp: psp:

4
packages/rancher-gatekeeper/package.yaml
View File

@ -1,5 +1,5 @@
url: https://open-policy-agent.github.io/gatekeeper/charts/gatekeeper-3.7.1.tgz url: https://open-policy-agent.github.io/gatekeeper/charts/gatekeeper-3.8.1.tgz
version: 100.1.1 version: 100.2.0
additionalCharts: additionalCharts:
- workingDir: charts-crd - workingDir: charts-crd
crdOptions: crdOptions:

15
packages/rancher-gatekeeper/templates/crd-template/templates/_helpers.tpl
View File

@ -5,3 +5,18 @@
{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} {{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{/*
Windows cluster will add default taint for linux nodes,
add below linux tolerations to workloads could be scheduled to those linux nodes
*/}}
{{- define "linux-node-tolerations" -}}
- key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
{{- end -}}
{{- define "linux-node-selector" -}}
kubernetes.io/os: linux
{{- end -}}

2
release.yaml
View File

@ -10,8 +10,10 @@ system-upgrade-controller:
- 100.0.3+up0.3.2 - 100.0.3+up0.3.2
rancher-gatekeeper: rancher-gatekeeper:
- 100.1.1+up3.7.1 - 100.1.1+up3.7.1
- 100.2.0+up3.8.1
rancher-gatekeeper-crd: rancher-gatekeeper-crd:
- 100.1.1+up3.7.1 - 100.1.1+up3.7.1
- 100.2.0+up3.8.1
rancher-aks-operator: rancher-aks-operator:
- 100.0.5+up1.0.6-rc1 - 100.0.5+up1.0.6-rc1
- 100.0.5+up1.0.6-rc2 - 100.0.5+up1.0.6-rc2