From 78ffaa8df3ef0bbb0268adc01b1b0fbbec417820 Mon Sep 17 00:00:00 2001
From: Jacob Payne
Date: Tue, 11 Aug 2020 10:28:46 -0700
Subject: [PATCH] (dev-v2.6-archive) added crd annotations for logging

(partially cherry picked from commit ac8099a8e39c05a8f685c9c299581fa7ab654372)
---
.../rancher-gatekeeper/overlay/CHANGELOG.md | 17 -
.../overlay/templates/allowedrepos.yaml | 35 -
.../templates/job-constraints-crd.yaml | 19 -
.../overlay/templates/requiredlabels.yaml | 57 -
packages/rancher-gatekeeper/package.yaml | 7 +-
.../rancher-gatekeeper.patch | 1270 ++++------------
.../rancher-logging/rancher-logging.patch | 6 +-
7 files changed, 251 insertions(+), 1160 deletions(-)
delete mode 100644 packages/rancher-gatekeeper/overlay/CHANGELOG.md
delete mode 100644 packages/rancher-gatekeeper/overlay/templates/allowedrepos.yaml
delete mode 100644 packages/rancher-gatekeeper/overlay/templates/job-constraints-crd.yaml
delete mode 100644 packages/rancher-gatekeeper/overlay/templates/requiredlabels.yaml

diff --git a/packages/rancher-gatekeeper/overlay/CHANGELOG.md b/packages/rancher-gatekeeper/overlay/CHANGELOG.md
deleted file mode 100644
index 863e5fc81..000000000
--- a/packages/rancher-gatekeeper/overlay/CHANGELOG.md
+++ /dev/null
@@ -1,17 +0,0 @@
-# Changelog
-All notable changes from the upstream OPA Gatekeeper chart will be added to this file
-
-## [Package Version 00] - 2020-07-27
-### Added
-- Enabled the CRD chart generator in `package.yaml`
-
-### Modified
-- Updated namespace to `cattle-gatekeeper-system`
-- Updated `rancher/istio-kubectl` image to `1.5.8`
-- Updated for Helm 3 compatibility
- - Moved crds to `crds` directory
- - Removed `crd-install` hooks and templates from crds
-
-### Removed
-- Removed `gatekeeper-system-namespace.yaml` as Rancher handles namespaces for chart installation
-- Removed unnecessary `index.yaml` as we package and host our charts
diff --git a/packages/rancher-gatekeeper/overlay/templates/allowedrepos.yaml b/packages/rancher-gatekeeper/overlay/templates/allowedrepos.yaml
deleted file mode 100644
index 9abb84ecb..000000000
--- a/packages/rancher-gatekeeper/overlay/templates/allowedrepos.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-apiVersion: templates.gatekeeper.sh/v1beta1
-kind: ConstraintTemplate
-metadata:
- name: k8sallowedrepos
-spec:
- crd:
- spec:
- names:
- kind: K8sAllowedRepos
- validation:
- # Schema for the `parameters` field
- openAPIV3Schema:
- properties:
- repos:
- type: array
- items:
- type: string
- targets:
- - target: admission.k8s.gatekeeper.sh
- rego: |
- package k8sallowedrepos
-
- violation[{"msg": msg}] {
- container := input.review.object.spec.containers[_]
- satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
- not any(satisfied)
- msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
- }
-
- violation[{"msg": msg}] {
- container := input.review.object.spec.initContainers[_]
- satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
- not any(satisfied)
- msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
- }
diff --git a/packages/rancher-gatekeeper/overlay/templates/job-constraints-crd.yaml b/packages/rancher-gatekeeper/overlay/templates/job-constraints-crd.yaml
deleted file mode 100644
index af31f9794..000000000
--- a/packages/rancher-gatekeeper/overlay/templates/job-constraints-crd.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
- namespace: {{ .Release.Namespace }}
- name: gatekeeper-delete-constraints-crd-job
- annotations:
- "helm.sh/hook": "pre-delete"
- "helm.sh/hook-delete-policy": "hook-succeeded, before-hook-creation, hook-failed"
-spec:
- template:
- spec:
- serviceAccountName: gatekeeper-admin
- containers:
- - name: gatekeeper-delete-constraints-crd
- image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
- imagePullPolicy: {{ .Values.global.imagePullPolicy }}
- command: ["kubectl", "delete", "constrainttemplates", "--all"]
- restartPolicy: Never
- backoffLimit: 1
diff --git a/packages/rancher-gatekeeper/overlay/templates/requiredlabels.yaml b/packages/rancher-gatekeeper/overlay/templates/requiredlabels.yaml
deleted file mode 100644
index e93e6a0a7..000000000
--- a/packages/rancher-gatekeeper/overlay/templates/requiredlabels.yaml
+++ /dev/null
@@ -1,57 +0,0 @@
-apiVersion: templates.gatekeeper.sh/v1beta1
-kind: ConstraintTemplate
-metadata:
- name: k8srequiredlabels
-spec:
- crd:
- spec:
- names:
- kind: K8sRequiredLabels
- validation:
- # Schema for the `parameters` field
- openAPIV3Schema:
- properties:
- message:
- type: string
- labels:
- type: array
- items:
- type: object
- properties:
- key:
- type: string
- allowedRegex:
- type: string
- targets:
- - target: admission.k8s.gatekeeper.sh
- rego: |
- package k8srequiredlabels
-
- get_message(parameters, _default) = msg {
- not parameters.message
- msg := _default
- }
-
- get_message(parameters, _default) = msg {
- msg := parameters.message
- }
-
- violation[{"msg": msg, "details": {"missing_labels": missing}}] {
- provided := {label | input.review.object.metadata.labels[label]}
- required := {label | label := input.parameters.labels[_].key}
- missing := required - provided
- count(missing) > 0
- def_msg := sprintf("you must provide labels: %v", [missing])
- msg := get_message(input.parameters, def_msg)
- }
-
- violation[{"msg": msg}] {
- value := input.review.object.metadata.labels[key]
- expected := input.parameters.labels[_]
- expected.key == key
- # do not match if allowedRegex is not defined, or is an empty string
- expected.allowedRegex != ""
- not re_match(expected.allowedRegex, value)
- def_msg := sprintf("Label <%v: %v> does not satisfy allowed regex: %v", [key, value, expected.allowedRegex])
- msg := get_message(input.parameters, def_msg)
- }
diff --git a/packages/rancher-gatekeeper/package.yaml b/packages/rancher-gatekeeper/package.yaml
index 887bd105f..556b9d0ee 100644
--- a/packages/rancher-gatekeeper/package.yaml
+++ b/packages/rancher-gatekeeper/package.yaml
@@ -1,7 +1,4 @@
 url: https://github.com/open-policy-agent/gatekeeper.git
-subdirectory: charts/gatekeeper
+subdirectory: chart/gatekeeper-operator
 type: git
-commit: 9a8051ac8fa3dc407056ed0293a0d97210386115
-generateCRDChart:
- enabled: true
- providesGVR: configs.config.gatekeeper.sh/v1alpha1
+commit: 478aa0e193909a301cc7461f0f8c078d652e70fb
\ No newline at end of file
diff --git a/packages/rancher-gatekeeper/rancher-gatekeeper.patch b/packages/rancher-gatekeeper/rancher-gatekeeper.patch
index 05a1c0f99..1b0a99ace 100644
--- a/packages/rancher-gatekeeper/rancher-gatekeeper.patch
+++ b/packages/rancher-gatekeeper/rancher-gatekeeper.patch
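Review bot: Removing the `generateCRDChart:` block, together with the move from `charts/gatekeeper` to `chart/gatekeeper-operator` and the new pinned `commit:`, presumably changes how the Gatekeeper CRDs reach the cluster, and nothing in the commit records where they are now installed from; the only documentation of the previous setup, packages/rancher-gatekeeper/overlay/CHANGELOG.md, is deleted in the same commit rather than updated. A short comment above `commit:` such as `# chart/gatekeeper-operator layout; CRDs are no longer split into a generated CRD chart` would keep that decision discoverable for the next package update. The new file also ends without a trailing newline (`\ No newline at end of file`).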
@@ -1,464 +1,164 @@ diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/Chart.yaml packages/rancher-gatekeeper/charts/Chart.yaml --- packages/rancher-gatekeeper/charts-original/Chart.yaml +++ packages/rancher-gatekeeper/charts/Chart.yaml -@@ -1,6 +1,6 @@ +@@ -1,10 +1,16 @@ apiVersion: v1 description: A Helm chart for Gatekeeper --name: gatekeeper +-name: gatekeeper-operator +name: rancher-gatekeeper keywords: - open policy agent - version: v3.1.0-beta.11 -@@ -8,3 +8,9 @@ +-version: v3.1.0-beta.7 ++version: 0.1.0 + home: https://github.com/open-policy-agent/gatekeeper sources: - https://github.com/open-policy-agent/gatekeeper.git - appVersion: v3.1.0-beta.11 + appVersion: v3.1.0-beta.7 +icon: https://charts.rancher.io/assets/logos/gatekeeper.svg +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/experimental: true -+ catalog.cattle.io/namespace: cattle-gatekeeper-system ++ catalog.cattle.io/namespace: gatekeeper-system + catalog.cattle.io/release-name: rancher-gatekeeper -diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/crds/config-customresourcedefinition.yaml packages/rancher-gatekeeper/charts/crds/config-customresourcedefinition.yaml ---- packages/rancher-gatekeeper/charts-original/crds/config-customresourcedefinition.yaml -+++ packages/rancher-gatekeeper/charts/crds/config-customresourcedefinition.yaml -@@ -0,0 +1,118 @@ -+apiVersion: apiextensions.k8s.io/v1beta1 -+kind: CustomResourceDefinition -+metadata: -+ annotations: -+ controller-gen.kubebuilder.io/version: v0.3.0 -+ helm.sh/hook-delete-policy: before-hook-creation -+ creationTimestamp: null -+ labels: -+ app: '{{ .Chart.Name }}' -+ chart: '{{ .Chart.Name }}' -+ gatekeeper.sh/system: "yes" -+ heritage: '{{ .Release.Service }}' -+ release: '{{ .Release.Name }}' -+ name: configs.config.gatekeeper.sh -+spec: -+ group: config.gatekeeper.sh -+ names: -+ kind: Config -+ listKind: ConfigList -+ plural: configs -+ shortNames: -+ - config 
-+ singular: config -+ scope: Namespaced -+ validation: -+ openAPIV3Schema: -+ description: Config is the Schema for the configs API -+ properties: -+ apiVersion: -+ description: 'APIVersion defines the versioned schema of this representation -+ of an object. Servers should convert recognized schemas to the latest -+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' -+ type: string -+ kind: -+ description: 'Kind is a string value representing the REST resource this -+ object represents. Servers may infer this from the endpoint the client -+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' -+ type: string -+ metadata: -+ type: object -+ spec: -+ description: ConfigSpec defines the desired state of Config -+ properties: -+ match: -+ description: Configuration for namespace exclusion -+ items: -+ properties: -+ excludedNamespaces: -+ items: -+ type: string -+ type: array -+ processes: -+ items: -+ type: string -+ type: array -+ type: object -+ type: array -+ readiness: -+ description: Configuration for readiness tracker -+ properties: -+ statsEnabled: -+ type: boolean -+ type: object -+ sync: -+ description: Configuration for syncing k8s objects -+ properties: -+ syncOnly: -+ description: If non-empty, only entries on this list will be replicated -+ into OPA -+ items: -+ properties: -+ group: -+ type: string -+ kind: -+ type: string -+ version: -+ type: string -+ type: object -+ type: array -+ type: object -+ validation: -+ description: Configuration for validation -+ properties: -+ traces: -+ description: List of requests to trace. Both "user" and "kinds" -+ must be specified -+ items: -+ properties: -+ dump: -+ description: Also dump the state of OPA with the trace. Set -+ to `All` to dump everything. 
-+ type: string -+ kind: -+ description: Only trace requests of the following GroupVersionKind -+ properties: -+ group: -+ type: string -+ kind: -+ type: string -+ version: -+ type: string -+ type: object -+ user: -+ description: Only trace requests from the specified user -+ type: string -+ type: object -+ type: array -+ type: object -+ type: object -+ status: -+ description: ConfigStatus defines the observed state of Config -+ type: object -+ type: object -+ version: v1alpha1 -+ versions: -+ - name: v1alpha1 -+ served: true -+ storage: true -diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/crds/constraintpodstatus-customresourcedefinition.yaml packages/rancher-gatekeeper/charts/crds/constraintpodstatus-customresourcedefinition.yaml ---- packages/rancher-gatekeeper/charts-original/crds/constraintpodstatus-customresourcedefinition.yaml -+++ packages/rancher-gatekeeper/charts/crds/constraintpodstatus-customresourcedefinition.yaml -@@ -0,0 +1,86 @@ -+apiVersion: apiextensions.k8s.io/v1beta1 -+kind: CustomResourceDefinition -+metadata: -+ annotations: -+ controller-gen.kubebuilder.io/version: v0.3.0 -+ creationTimestamp: null -+ labels: -+ app: '{{ .Chart.Name }}' -+ chart: '{{ .Chart.Name }}' -+ gatekeeper.sh/system: "yes" -+ heritage: '{{ .Release.Service }}' -+ release: '{{ .Release.Name }}' -+ name: constraintpodstatuses.status.gatekeeper.sh -+spec: -+ group: status.gatekeeper.sh -+ names: -+ kind: ConstraintPodStatus -+ listKind: ConstraintPodStatusList -+ plural: constraintpodstatuses -+ singular: constraintpodstatus -+ scope: Namespaced -+ validation: -+ openAPIV3Schema: -+ description: ConstraintPodStatus is the Schema for the constraintpodstatuses -+ API -+ properties: -+ apiVersion: -+ description: 'APIVersion defines the versioned schema of this representation -+ of an object. Servers should convert recognized schemas to the latest -+ internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' -+ type: string -+ kind: -+ description: 'Kind is a string value representing the REST resource this -+ object represents. Servers may infer this from the endpoint the client -+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' -+ type: string -+ metadata: -+ type: object -+ status: -+ description: ConstraintPodStatusStatus defines the observed state of ConstraintPodStatus -+ properties: -+ constraintUID: -+ description: Storing the constraint UID allows us to detect drift, such -+ as when a constraint has been recreated after its CRD was deleted -+ out from under it, interrupting the watch -+ type: string -+ enforced: -+ type: boolean -+ errors: -+ items: -+ description: Error represents a single error caught while adding a -+ constraint to OPA -+ properties: -+ code: -+ type: string -+ location: -+ type: string -+ message: -+ type: string -+ required: -+ - code -+ - message -+ type: object -+ type: array -+ id: -+ type: string -+ observedGeneration: -+ format: int64 -+ type: integer -+ operations: -+ items: -+ type: string -+ type: array -+ type: object -+ type: object -+ version: v1beta1 -+ versions: -+ - name: v1beta1 -+ served: true -+ storage: true -+status: -+ acceptedNames: -+ kind: "" -+ plural: "" -+ conditions: [] -+ storedVersions: [] -diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/crds/constrainttemplate-customresourcedefinition.yaml packages/rancher-gatekeeper/charts/crds/constrainttemplate-customresourcedefinition.yaml ---- packages/rancher-gatekeeper/charts-original/crds/constrainttemplate-customresourcedefinition.yaml -+++ packages/rancher-gatekeeper/charts/crds/constrainttemplate-customresourcedefinition.yaml -@@ -0,0 +1,110 @@ -+apiVersion: apiextensions.k8s.io/v1beta1 -+kind: CustomResourceDefinition 
-+metadata: -+ annotations: -+ helm.sh/hook-delete-policy: before-hook-creation -+ creationTimestamp: null -+ labels: -+ app: '{{ .Chart.Name }}' -+ chart: '{{ .Chart.Name }}' -+ controller-tools.k8s.io: "1.0" -+ gatekeeper.sh/system: "yes" -+ heritage: '{{ .Release.Service }}' -+ release: '{{ .Release.Name }}' -+ name: constrainttemplates.templates.gatekeeper.sh -+spec: -+ group: templates.gatekeeper.sh -+ names: -+ kind: ConstraintTemplate -+ plural: constrainttemplates -+ shortNames: -+ - constraints -+ scope: Cluster -+ subresources: -+ status: {} -+ validation: -+ openAPIV3Schema: -+ properties: -+ apiVersion: -+ description: 'APIVersion defines the versioned schema of this representation -+ of an object. Servers should convert recognized schemas to the latest -+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' -+ type: string -+ kind: -+ description: 'Kind is a string value representing the REST resource this -+ object represents. Servers may infer this from the endpoint the client -+ submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' -+ type: string -+ metadata: -+ type: object -+ spec: -+ properties: -+ crd: -+ properties: -+ spec: -+ properties: -+ names: -+ properties: -+ kind: -+ type: string -+ shortNames: -+ items: -+ type: string -+ type: array -+ type: object -+ validation: -+ type: object -+ type: object -+ type: object -+ targets: -+ items: -+ properties: -+ libs: -+ items: -+ type: string -+ type: array -+ rego: -+ type: string -+ target: -+ type: string -+ type: object -+ type: array -+ type: object -+ status: -+ properties: -+ byPod: -+ items: -+ properties: -+ errors: -+ items: -+ properties: -+ code: -+ type: string -+ location: -+ type: string -+ message: -+ type: string -+ required: -+ - code -+ - message -+ type: object -+ type: array -+ id: -+ description: a unique identifier for the pod that wrote the status -+ type: string -+ observedGeneration: -+ format: int64 -+ type: integer -+ type: object -+ type: array -+ created: -+ type: boolean -+ type: object -+ version: v1beta1 -+ versions: -+ - name: v1beta1 -+ served: true -+ storage: true -+ - name: v1alpha1 -+ served: true -+ storage: false -diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/crds/constrainttemplatepodstatus-customresourcedefinition.yaml packages/rancher-gatekeeper/charts/crds/constrainttemplatepodstatus-customresourcedefinition.yaml ---- packages/rancher-gatekeeper/charts-original/crds/constrainttemplatepodstatus-customresourcedefinition.yaml -+++ packages/rancher-gatekeeper/charts/crds/constrainttemplatepodstatus-customresourcedefinition.yaml -@@ -0,0 +1,88 @@ -+apiVersion: apiextensions.k8s.io/v1beta1 -+kind: CustomResourceDefinition -+metadata: -+ annotations: -+ controller-gen.kubebuilder.io/version: v0.3.0 -+ creationTimestamp: null -+ labels: -+ app: '{{ .Chart.Name }}' -+ chart: '{{ .Chart.Name }}' -+ gatekeeper.sh/system: "yes" -+ heritage: '{{ .Release.Service }}' -+ 
release: '{{ .Release.Name }}' -+ name: constrainttemplatepodstatuses.status.gatekeeper.sh -+spec: -+ group: status.gatekeeper.sh -+ names: -+ kind: ConstraintTemplatePodStatus -+ listKind: ConstraintTemplatePodStatusList -+ plural: constrainttemplatepodstatuses -+ singular: constrainttemplatepodstatus -+ scope: Namespaced -+ validation: -+ openAPIV3Schema: -+ description: ConstraintTemplatePodStatus is the Schema for the constrainttemplatepodstatuses -+ API -+ properties: -+ apiVersion: -+ description: 'APIVersion defines the versioned schema of this representation -+ of an object. Servers should convert recognized schemas to the latest -+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' -+ type: string -+ kind: -+ description: 'Kind is a string value representing the REST resource this -+ object represents. Servers may infer this from the endpoint the client -+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' -+ type: string -+ metadata: -+ type: object -+ status: -+ description: ConstraintTemplatePodStatusStatus defines the observed state -+ of ConstraintTemplatePodStatus -+ properties: -+ errors: -+ items: -+ description: CreateCRDError represents a single error caught during -+ parsing, compiling, etc. -+ properties: -+ code: -+ type: string -+ location: -+ type: string -+ message: -+ type: string -+ required: -+ - code -+ - message -+ type: object -+ type: array -+ id: -+ description: 'Important: Run "make" to regenerate code after modifying -+ this file' -+ type: string -+ observedGeneration: -+ format: int64 -+ type: integer -+ operations: -+ items: -+ type: string -+ type: array -+ templateUID: -+ description: UID is a type that holds unique ID values, including UUIDs. Because -+ we don't ONLY use UUIDs, this is an alias to string. 
Being a type -+ captures intent and helps make sure that UIDs and names do not get -+ conflated. -+ type: string -+ type: object -+ type: object -+ version: v1beta1 -+ versions: -+ - name: v1beta1 -+ served: true -+ storage: true -+status: -+ acceptedNames: -+ kind: "" -+ plural: "" -+ conditions: [] -+ storedVersions: [] -diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/index.yaml packages/rancher-gatekeeper/charts/index.yaml ---- packages/rancher-gatekeeper/charts-original/index.yaml -+++ packages/rancher-gatekeeper/charts/index.yaml -@@ -1,18 +0,0 @@ +diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/helm-modifications/helm-modifications.yaml packages/rancher-gatekeeper/charts/helm-modifications/helm-modifications.yaml +--- packages/rancher-gatekeeper/charts-original/helm-modifications/helm-modifications.yaml ++++ packages/rancher-gatekeeper/charts/helm-modifications/helm-modifications.yaml +@@ -1,61 +0,0 @@ -apiVersion: v1 --entries: -- gatekeeper: -- - apiVersion: v1 -- appVersion: v3.1.0-beta.11 -- created: "2020-07-24T16:56:23.670543818-07:00" -- description: A Helm chart for Gatekeeper -- digest: 937aeddadbeac8fa1b71169c4fcde5229fa8445b0caec6339dc7cae2ac10d43f -- home: https://github.com/open-policy-agent/gatekeeper -- keywords: -- - open policy agent -- name: gatekeeper -- sources: -- - https://github.com/open-policy-agent/gatekeeper.git -- urls: -- - https://raw.githubusercontent.com/open-policy-agent/gatekeeper/v3.1.0-beta.11/charts/gatekeeper/gatekeeper-v3.1.0-beta.11.tgz -- version: v3.1.0-beta.11 --generated: "2020-07-24T16:56:23.669766565-07:00" +-kind: Service +-metadata: +- name: gatekeeper-webhook-service +- namespace: gatekeeper-system +-spec: +- selector: +- app: GATEKEEPER_APP_LABEL +---- +-apiVersion: apiextensions.k8s.io/v1beta1 +-kind: CustomResourceDefinition +-metadata: +- name: configs.config.gatekeeper.sh +- annotations: +- helm.sh/hook: crd-install +- helm.sh/hook-delete-policy: 
before-hook-creation +-status: null +-spec: +- names: +- shortNames: +- - config # add shortName to CRD until https://github.com/kubernetes-sigs/kubebuilder/issues/404 is solved +---- +-apiVersion: apiextensions.k8s.io/v1beta1 +-kind: CustomResourceDefinition +-metadata: +- name: constrainttemplates.templates.gatekeeper.sh +- annotations: +- helm.sh/hook: crd-install +- helm.sh/hook-delete-policy: before-hook-creation +-status: null +-spec: +- names: +- shortNames: +- - constraints # add shortName to CRD until https://github.com/kubernetes-sigs/kubebuilder/issues/404 is solved +---- +-apiVersion: apps/v1 +-kind: Deployment +-metadata: +- name: gatekeeper-controller-manager +- namespace: gatekeeper-system +-spec: +- replicas: HELMSUBST_DEPLOYMENT_REPLICAS +- selector: +- matchLabels: +- app: gatekeeper-operator +- release: RELEASE_NAME +- template: +- spec: +- containers: +- - name: manager +- args: +- - --audit-interval={{ .Values.auditInterval }} +- - --port=8443 +- - --logtostderr +- - --constraint-violations-limit={{ .Values.constraintViolationsLimit }} +- - --audit-from-cache={{ .Values.auditFromCache }} +- - --exempt-namespace=gatekeeper-system +- imagePullPolicy: "{{ .Values.image.pullPolicy }}" +- image: "{{ .Values.image.repository }}:{{ .Values.image.release }}" +- resources: HELMSUBST_DEPLOYMENT_CONTAINER_RESOURCES +- nodeSelector: HELMSUBST_DEPLOYMENT_POD_SCHEDULING +diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/helm-modifications/kustomization.yaml packages/rancher-gatekeeper/charts/helm-modifications/kustomization.yaml +--- packages/rancher-gatekeeper/charts-original/helm-modifications/kustomization.yaml ++++ packages/rancher-gatekeeper/charts/helm-modifications/kustomization.yaml +@@ -1,9 +0,0 @@ +-commonLabels: +- app: '{{ template "gatekeeper-operator.name" . }}' +- chart: '{{ template "gatekeeper-operator.name" . 
}}' +- release: '{{ .Release.Name }}' +- heritage: '{{ .Release.Service }}' +-resources: +- - _temp.yaml +-patchesStrategicMerge: +- - helm-modifications.yaml +diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/allowedrepos.yaml packages/rancher-gatekeeper/charts/templates/allowedrepos.yaml +--- packages/rancher-gatekeeper/charts-original/templates/allowedrepos.yaml ++++ packages/rancher-gatekeeper/charts/templates/allowedrepos.yaml +@@ -0,0 +1,35 @@ ++apiVersion: templates.gatekeeper.sh/v1beta1 ++kind: ConstraintTemplate ++metadata: ++ name: k8sallowedrepos ++spec: ++ crd: ++ spec: ++ names: ++ kind: K8sAllowedRepos ++ validation: ++ # Schema for the `parameters` field ++ openAPIV3Schema: ++ properties: ++ repos: ++ type: array ++ items: ++ type: string ++ targets: ++ - target: admission.k8s.gatekeeper.sh ++ rego: | ++ package k8sallowedrepos ++ ++ violation[{"msg": msg}] { ++ container := input.review.object.spec.containers[_] ++ satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)] ++ not any(satisfied) ++ msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos]) ++ } ++ ++ violation[{"msg": msg}] { ++ container := input.review.object.spec.initContainers[_] ++ satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)] ++ not any(satisfied) ++ msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos]) ++ } +\ No newline at end of file +diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/gatekeeper.yaml packages/rancher-gatekeeper/charts/templates/gatekeeper.yaml +--- packages/rancher-gatekeeper/charts-original/templates/gatekeeper.yaml ++++ packages/rancher-gatekeeper/charts/templates/gatekeeper.yaml +@@ -485,7 +485,7 @@ + valueFrom: + 
fieldRef: + fieldPath: metadata.name +- image: '{{ .Values.image.repository }}:{{ .Values.image.release }}' ++ image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}' + imagePullPolicy: '{{ .Values.image.pullPolicy }}' + livenessProbe: + httpGet: +@@ -517,7 +517,7 @@ + - mountPath: /certs + name: cert + readOnly: true +- nodeSelector: ++ nodeSelector: + {{ toYaml .Values.nodeSelector | indent 8 }} + affinity: + {{ toYaml .Values.affinity | indent 8 }} diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/_helpers.tpl packages/rancher-gatekeeper/charts/templates/_helpers.tpl --- packages/rancher-gatekeeper/charts-original/templates/_helpers.tpl +++ packages/rancher-gatekeeper/charts/templates/_helpers.tpl 
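Review bot: The new inner line `++ image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}'` in the templates/gatekeeper.yaml section renames the tag key from `.Values.image.release` to `.Values.image.tag`, but no matching values.yaml change is visible in this hunk; unless the upstream chart at the new commit already defines `image.tag`, the rendered reference has an empty tag and the manager image is no longer pinned to a known version. The k8sallowedrepos ConstraintTemplate deleted from the overlay is re-added here under charts/templates/allowedrepos.yaml, while requiredlabels.yaml and the pre-delete cleanup Job deleted in the same commit do not reappear in this hunk (the patch's second hunk runs past the visible chunk), so the commit message should say whether dropping them is intended. The annotation change to `++ catalog.cattle.io/namespace: gatekeeper-system` also reverts the `cattle-gatekeeper-system` namespace that the deleted CHANGELOG listed as a deliberate change. The `nodeSelector:` hunk at +517 changes only trailing whitespace.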
@@ -474,596 +174,113 @@ diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/tem +{{- "" -}} +{{- end -}} +{{- end -}} -diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/config-customresourcedefinition.yaml packages/rancher-gatekeeper/charts/templates/config-customresourcedefinition.yaml ---- packages/rancher-gatekeeper/charts-original/templates/config-customresourcedefinition.yaml -+++ packages/rancher-gatekeeper/charts/templates/config-customresourcedefinition.yaml -@@ -1,119 +0,0 @@ --apiVersion: apiextensions.k8s.io/v1beta1 --kind: CustomResourceDefinition --metadata: -- annotations: -- controller-gen.kubebuilder.io/version: v0.3.0 -- helm.sh/hook: crd-install -- helm.sh/hook-delete-policy: before-hook-creation -- creationTimestamp: null -- labels: -- app: '{{ template "gatekeeper.name" . }}' -- chart: '{{ template "gatekeeper.name" . }}' -- gatekeeper.sh/system: "yes" -- heritage: '{{ .Release.Service }}' -- release: '{{ .Release.Name }}' -- name: configs.config.gatekeeper.sh --spec: -- group: config.gatekeeper.sh -- names: -- kind: Config -- listKind: ConfigList -- plural: configs -- shortNames: -- - config -- singular: config -- scope: Namespaced -- validation: -- openAPIV3Schema: -- description: Config is the Schema for the configs API -- properties: -- apiVersion: -- description: 'APIVersion defines the versioned schema of this representation -- of an object. Servers should convert recognized schemas to the latest -- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' -- type: string -- kind: -- description: 'Kind is a string value representing the REST resource this -- object represents. Servers may infer this from the endpoint the client -- submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' -- type: string -- metadata: -- type: object -- spec: -- description: ConfigSpec defines the desired state of Config -- properties: -- match: -- description: Configuration for namespace exclusion -- items: -- properties: -- excludedNamespaces: -- items: -- type: string -- type: array -- processes: -- items: -- type: string -- type: array -- type: object -- type: array -- readiness: -- description: Configuration for readiness tracker -- properties: -- statsEnabled: -- type: boolean -- type: object -- sync: -- description: Configuration for syncing k8s objects -- properties: -- syncOnly: -- description: If non-empty, only entries on this list will be replicated -- into OPA -- items: -- properties: -- group: -- type: string -- kind: -- type: string -- version: -- type: string -- type: object -- type: array -- type: object -- validation: -- description: Configuration for validation -- properties: -- traces: -- description: List of requests to trace. Both "user" and "kinds" -- must be specified -- items: -- properties: -- dump: -- description: Also dump the state of OPA with the trace. Set -- to `All` to dump everything. 
-- type: string -- kind: -- description: Only trace requests of the following GroupVersionKind -- properties: -- group: -- type: string -- kind: -- type: string -- version: -- type: string -- type: object -- user: -- description: Only trace requests from the specified user -- type: string -- type: object -- type: array -- type: object -- type: object -- status: -- description: ConfigStatus defines the observed state of Config -- type: object -- type: object -- version: v1alpha1 -- versions: -- - name: v1alpha1 -- served: true -- storage: true -diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/constraintpodstatus-customresourcedefinition.yaml packages/rancher-gatekeeper/charts/templates/constraintpodstatus-customresourcedefinition.yaml ---- packages/rancher-gatekeeper/charts-original/templates/constraintpodstatus-customresourcedefinition.yaml -+++ packages/rancher-gatekeeper/charts/templates/constraintpodstatus-customresourcedefinition.yaml -@@ -1,86 +0,0 @@ --apiVersion: apiextensions.k8s.io/v1beta1 --kind: CustomResourceDefinition --metadata: -- annotations: -- controller-gen.kubebuilder.io/version: v0.3.0 -- creationTimestamp: null -- labels: -- app: '{{ template "gatekeeper.name" . }}' -- chart: '{{ template "gatekeeper.name" . }}' -- gatekeeper.sh/system: "yes" -- heritage: '{{ .Release.Service }}' -- release: '{{ .Release.Name }}' -- name: constraintpodstatuses.status.gatekeeper.sh --spec: -- group: status.gatekeeper.sh -- names: -- kind: ConstraintPodStatus -- listKind: ConstraintPodStatusList -- plural: constraintpodstatuses -- singular: constraintpodstatus -- scope: Namespaced -- validation: -- openAPIV3Schema: -- description: ConstraintPodStatus is the Schema for the constraintpodstatuses -- API -- properties: -- apiVersion: -- description: 'APIVersion defines the versioned schema of this representation -- of an object. 
Servers should convert recognized schemas to the latest -- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' -- type: string -- kind: -- description: 'Kind is a string value representing the REST resource this -- object represents. Servers may infer this from the endpoint the client -- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' -- type: string -- metadata: -- type: object -- status: -- description: ConstraintPodStatusStatus defines the observed state of ConstraintPodStatus -- properties: -- constraintUID: -- description: Storing the constraint UID allows us to detect drift, such -- as when a constraint has been recreated after its CRD was deleted -- out from under it, interrupting the watch -- type: string -- enforced: -- type: boolean -- errors: -- items: -- description: Error represents a single error caught while adding a -- constraint to OPA -- properties: -- code: -- type: string -- location: -- type: string -- message: -- type: string -- required: -- - code -- - message -- type: object -- type: array -- id: -- type: string -- observedGeneration: -- format: int64 -- type: integer -- operations: -- items: -- type: string -- type: array -- type: object -- type: object -- version: v1beta1 -- versions: -- - name: v1beta1 -- served: true -- storage: true --status: -- acceptedNames: -- kind: "" -- plural: "" -- conditions: [] -- storedVersions: [] -diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/constrainttemplate-customresourcedefinition.yaml packages/rancher-gatekeeper/charts/templates/constrainttemplate-customresourcedefinition.yaml ---- packages/rancher-gatekeeper/charts-original/templates/constrainttemplate-customresourcedefinition.yaml -+++ 
packages/rancher-gatekeeper/charts/templates/constrainttemplate-customresourcedefinition.yaml -@@ -1,111 +0,0 @@ --apiVersion: apiextensions.k8s.io/v1beta1 --kind: CustomResourceDefinition --metadata: -- annotations: -- helm.sh/hook: crd-install -- helm.sh/hook-delete-policy: before-hook-creation -- creationTimestamp: null -- labels: -- app: '{{ template "gatekeeper.name" . }}' -- chart: '{{ template "gatekeeper.name" . }}' -- controller-tools.k8s.io: "1.0" -- gatekeeper.sh/system: "yes" -- heritage: '{{ .Release.Service }}' -- release: '{{ .Release.Name }}' -- name: constrainttemplates.templates.gatekeeper.sh --spec: -- group: templates.gatekeeper.sh -- names: -- kind: ConstraintTemplate -- plural: constrainttemplates -- shortNames: -- - constraints -- scope: Cluster -- subresources: -- status: {} -- validation: -- openAPIV3Schema: -- properties: -- apiVersion: -- description: 'APIVersion defines the versioned schema of this representation -- of an object. Servers should convert recognized schemas to the latest -- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' -- type: string -- kind: -- description: 'Kind is a string value representing the REST resource this -- object represents. Servers may infer this from the endpoint the client -- submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' -- type: string -- metadata: -- type: object -- spec: -- properties: -- crd: -- properties: -- spec: -- properties: -- names: -- properties: -- kind: -- type: string -- shortNames: -- items: -- type: string -- type: array -- type: object -- validation: -- type: object -- type: object -- type: object -- targets: -- items: -- properties: -- libs: -- items: -- type: string -- type: array -- rego: -- type: string -- target: -- type: string -- type: object -- type: array -- type: object -- status: -- properties: -- byPod: -- items: -- properties: -- errors: -- items: -- properties: -- code: -- type: string -- location: -- type: string -- message: -- type: string -- required: -- - code -- - message -- type: object -- type: array -- id: -- description: a unique identifier for the pod that wrote the status -- type: string -- observedGeneration: -- format: int64 -- type: integer -- type: object -- type: array -- created: -- type: boolean -- type: object -- version: v1beta1 -- versions: -- - name: v1beta1 -- served: true -- storage: true -- - name: v1alpha1 -- served: true -- storage: false -diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/constrainttemplatepodstatus-customresourcedefinition.yaml packages/rancher-gatekeeper/charts/templates/constrainttemplatepodstatus-customresourcedefinition.yaml ---- packages/rancher-gatekeeper/charts-original/templates/constrainttemplatepodstatus-customresourcedefinition.yaml -+++ packages/rancher-gatekeeper/charts/templates/constrainttemplatepodstatus-customresourcedefinition.yaml -@@ -1,88 +0,0 @@ --apiVersion: apiextensions.k8s.io/v1beta1 --kind: CustomResourceDefinition --metadata: -- annotations: -- controller-gen.kubebuilder.io/version: v0.3.0 -- creationTimestamp: null -- labels: -- app: '{{ template "gatekeeper.name" . }}' -- chart: '{{ template "gatekeeper.name" . 
}}' -- gatekeeper.sh/system: "yes" -- heritage: '{{ .Release.Service }}' -- release: '{{ .Release.Name }}' -- name: constrainttemplatepodstatuses.status.gatekeeper.sh --spec: -- group: status.gatekeeper.sh -- names: -- kind: ConstraintTemplatePodStatus -- listKind: ConstraintTemplatePodStatusList -- plural: constrainttemplatepodstatuses -- singular: constrainttemplatepodstatus -- scope: Namespaced -- validation: -- openAPIV3Schema: -- description: ConstraintTemplatePodStatus is the Schema for the constrainttemplatepodstatuses -- API -- properties: -- apiVersion: -- description: 'APIVersion defines the versioned schema of this representation -- of an object. Servers should convert recognized schemas to the latest -- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' -- type: string -- kind: -- description: 'Kind is a string value representing the REST resource this -- object represents. Servers may infer this from the endpoint the client -- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' -- type: string -- metadata: -- type: object -- status: -- description: ConstraintTemplatePodStatusStatus defines the observed state -- of ConstraintTemplatePodStatus -- properties: -- errors: -- items: -- description: CreateCRDError represents a single error caught during -- parsing, compiling, etc. 
-- properties: -- code: -- type: string -- location: -- type: string -- message: -- type: string -- required: -- - code -- - message -- type: object -- type: array -- id: -- description: 'Important: Run "make" to regenerate code after modifying -- this file' -- type: string -- observedGeneration: -- format: int64 -- type: integer -- operations: -- items: -- type: string -- type: array -- templateUID: -- description: UID is a type that holds unique ID values, including UUIDs. Because -- we don't ONLY use UUIDs, this is an alias to string. Being a type -- captures intent and helps make sure that UIDs and names do not get -- conflated. -- type: string -- type: object -- type: object -- version: v1beta1 -- versions: -- - name: v1beta1 -- served: true -- storage: true --status: -- acceptedNames: -- kind: "" -- plural: "" -- conditions: [] -- storedVersions: [] -diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/gatekeeper-admin-serviceaccount.yaml packages/rancher-gatekeeper/charts/templates/gatekeeper-admin-serviceaccount.yaml ---- packages/rancher-gatekeeper/charts-original/templates/gatekeeper-admin-serviceaccount.yaml -+++ packages/rancher-gatekeeper/charts/templates/gatekeeper-admin-serviceaccount.yaml -@@ -8,4 +8,4 @@ - heritage: '{{ .Release.Service }}' - release: '{{ .Release.Name }}' - name: gatekeeper-admin -- namespace: gatekeeper-system -+ namespace: '{{ .Release.Namespace }}' -diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/gatekeeper-audit-deployment.yaml packages/rancher-gatekeeper/charts/templates/gatekeeper-audit-deployment.yaml ---- packages/rancher-gatekeeper/charts-original/templates/gatekeeper-audit-deployment.yaml -+++ packages/rancher-gatekeeper/charts/templates/gatekeeper-audit-deployment.yaml -@@ -10,7 +10,7 @@ - heritage: '{{ .Release.Service }}' - release: '{{ .Release.Name }}' - name: gatekeeper-audit -- namespace: gatekeeper-system -+ namespace: '{{ .Release.Namespace 
}}' - spec: - replicas: 1 - selector: -@@ -58,7 +58,7 @@ - valueFrom: - fieldRef: - fieldPath: metadata.name -- image: '{{ .Values.image.repository }}:{{ .Values.image.release }}' -+ image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}' - imagePullPolicy: '{{ .Values.image.pullPolicy }}' - livenessProbe: - httpGet: -diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/gatekeeper-controller-manager-deployment.yaml packages/rancher-gatekeeper/charts/templates/gatekeeper-controller-manager-deployment.yaml ---- packages/rancher-gatekeeper/charts-original/templates/gatekeeper-controller-manager-deployment.yaml -+++ packages/rancher-gatekeeper/charts/templates/gatekeeper-controller-manager-deployment.yaml -@@ -10,7 +10,7 @@ - heritage: '{{ .Release.Service }}' - release: '{{ .Release.Name }}' - name: gatekeeper-controller-manager -- namespace: gatekeeper-system -+ namespace: '{{ .Release.Namespace }}' - spec: - replicas: {{ .Values.replicas }} - selector: -@@ -67,7 +67,7 @@ - valueFrom: - fieldRef: - fieldPath: metadata.name -- image: '{{ .Values.image.repository }}:{{ .Values.image.release }}' -+ image: '{{ template "system_default_registry" . 
}}{{ .Values.image.repository }}:{{ .Values.image.tag }}' - imagePullPolicy: '{{ .Values.image.pullPolicy }}' - livenessProbe: - httpGet: -diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/gatekeeper-manager-role-role.yaml packages/rancher-gatekeeper/charts/templates/gatekeeper-manager-role-role.yaml ---- packages/rancher-gatekeeper/charts-original/templates/gatekeeper-manager-role-role.yaml -+++ packages/rancher-gatekeeper/charts/templates/gatekeeper-manager-role-role.yaml -@@ -9,7 +9,7 @@ - heritage: '{{ .Release.Service }}' - release: '{{ .Release.Name }}' - name: gatekeeper-manager-role -- namespace: gatekeeper-system -+ namespace: '{{ .Release.Namespace }}' - rules: - - apiGroups: - - "" -diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml packages/rancher-gatekeeper/charts/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml ---- packages/rancher-gatekeeper/charts-original/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml -+++ packages/rancher-gatekeeper/charts/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml -@@ -15,4 +15,4 @@ - subjects: - - kind: ServiceAccount - name: gatekeeper-admin -- namespace: gatekeeper-system -+ namespace: '{{ .Release.Namespace }}' -diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/gatekeeper-manager-rolebinding-rolebinding.yaml packages/rancher-gatekeeper/charts/templates/gatekeeper-manager-rolebinding-rolebinding.yaml ---- packages/rancher-gatekeeper/charts-original/templates/gatekeeper-manager-rolebinding-rolebinding.yaml -+++ packages/rancher-gatekeeper/charts/templates/gatekeeper-manager-rolebinding-rolebinding.yaml -@@ -8,7 +8,7 @@ - heritage: '{{ .Release.Service }}' - release: '{{ .Release.Name }}' - name: gatekeeper-manager-rolebinding -- namespace: gatekeeper-system -+ namespace: '{{ .Release.Namespace }}' - roleRef: 
- apiGroup: rbac.authorization.k8s.io - kind: Role -@@ -16,4 +16,4 @@ - subjects: - - kind: ServiceAccount - name: gatekeeper-admin -- namespace: gatekeeper-system -+ namespace: '{{ .Release.Namespace }}' -diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/gatekeeper-system-namespace.yaml packages/rancher-gatekeeper/charts/templates/gatekeeper-system-namespace.yaml ---- packages/rancher-gatekeeper/charts-original/templates/gatekeeper-system-namespace.yaml -+++ packages/rancher-gatekeeper/charts/templates/gatekeeper-system-namespace.yaml -@@ -1,12 +0,0 @@ --apiVersion: v1 --kind: Namespace --metadata: -- labels: -- admission.gatekeeper.sh/ignore: no-self-managing -- app: '{{ template "gatekeeper.name" . }}' -- chart: '{{ template "gatekeeper.name" . }}' -- control-plane: controller-manager -- gatekeeper.sh/system: "yes" -- heritage: '{{ .Release.Service }}' -- release: '{{ .Release.Name }}' -- name: gatekeeper-system -diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml packages/rancher-gatekeeper/charts/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml ---- packages/rancher-gatekeeper/charts-original/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml -+++ packages/rancher-gatekeeper/charts/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml -@@ -15,7 +15,7 @@ - caBundle: Cg== - service: - name: gatekeeper-webhook-service -- namespace: gatekeeper-system -+ namespace: '{{ .Release.Namespace }}' - path: /v1/admit - failurePolicy: Ignore - name: validation.gatekeeper.sh -@@ -41,7 +41,7 @@ - caBundle: Cg== - service: - name: gatekeeper-webhook-service -- namespace: gatekeeper-system -+ namespace: '{{ .Release.Namespace }}' - path: /v1/admitlabel - failurePolicy: Fail - name: check-ignore-label.gatekeeper.sh 
-diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/gatekeeper-webhook-server-cert-secret.yaml packages/rancher-gatekeeper/charts/templates/gatekeeper-webhook-server-cert-secret.yaml ---- packages/rancher-gatekeeper/charts-original/templates/gatekeeper-webhook-server-cert-secret.yaml -+++ packages/rancher-gatekeeper/charts/templates/gatekeeper-webhook-server-cert-secret.yaml -@@ -8,4 +8,4 @@ - heritage: '{{ .Release.Service }}' - release: '{{ .Release.Name }}' - name: gatekeeper-webhook-server-cert -- namespace: gatekeeper-system -+ namespace: '{{ .Release.Namespace }}' -diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/gatekeeper-webhook-service-service.yaml packages/rancher-gatekeeper/charts/templates/gatekeeper-webhook-service-service.yaml ---- packages/rancher-gatekeeper/charts-original/templates/gatekeeper-webhook-service-service.yaml -+++ packages/rancher-gatekeeper/charts/templates/gatekeeper-webhook-service-service.yaml -@@ -8,7 +8,7 @@ - heritage: '{{ .Release.Service }}' - release: '{{ .Release.Name }}' - name: gatekeeper-webhook-service -- namespace: gatekeeper-system -+ namespace: '{{ .Release.Namespace }}' - spec: - ports: - - port: 443 +diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/job-constraints-crd.yaml packages/rancher-gatekeeper/charts/templates/job-constraints-crd.yaml +--- packages/rancher-gatekeeper/charts-original/templates/job-constraints-crd.yaml ++++ packages/rancher-gatekeeper/charts/templates/job-constraints-crd.yaml +@@ -0,0 +1,19 @@ ++apiVersion: batch/v1 ++kind: Job ++metadata: ++ namespace: {{ .Release.Namespace }} ++ name: gatekeeper-delete-constraints-crd-job ++ annotations: ++ "helm.sh/hook": "pre-delete" ++ "helm.sh/hook-delete-policy": "hook-succeeded, before-hook-creation, hook-failed" ++spec: ++ template: ++ spec: ++ serviceAccountName: gatekeeper-admin ++ containers: ++ - name: gatekeeper-delete-constraints-crd ++ 
image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}" ++ imagePullPolicy: {{ .Values.global.imagePullPolicy }} ++ command: ["kubectl", "delete", "constrainttemplates", "--all"] ++ restartPolicy: Never ++ backoffLimit: 1 +\ No newline at end of file +diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/requiredlabels.yaml packages/rancher-gatekeeper/charts/templates/requiredlabels.yaml +--- packages/rancher-gatekeeper/charts-original/templates/requiredlabels.yaml ++++ packages/rancher-gatekeeper/charts/templates/requiredlabels.yaml +@@ -0,0 +1,57 @@ ++apiVersion: templates.gatekeeper.sh/v1beta1 ++kind: ConstraintTemplate ++metadata: ++ name: k8srequiredlabels ++spec: ++ crd: ++ spec: ++ names: ++ kind: K8sRequiredLabels ++ validation: ++ # Schema for the `parameters` field ++ openAPIV3Schema: ++ properties: ++ message: ++ type: string ++ labels: ++ type: array ++ items: ++ type: object ++ properties: ++ key: ++ type: string ++ allowedRegex: ++ type: string ++ targets: ++ - target: admission.k8s.gatekeeper.sh ++ rego: | ++ package k8srequiredlabels ++ ++ get_message(parameters, _default) = msg { ++ not parameters.message ++ msg := _default ++ } ++ ++ get_message(parameters, _default) = msg { ++ msg := parameters.message ++ } ++ ++ violation[{"msg": msg, "details": {"missing_labels": missing}}] { ++ provided := {label | input.review.object.metadata.labels[label]} ++ required := {label | label := input.parameters.labels[_].key} ++ missing := required - provided ++ count(missing) > 0 ++ def_msg := sprintf("you must provide labels: %v", [missing]) ++ msg := get_message(input.parameters, def_msg) ++ } ++ ++ violation[{"msg": msg}] { ++ value := input.review.object.metadata.labels[key] ++ expected := input.parameters.labels[_] ++ expected.key == key ++ # do not match if allowedRegex is not defined, or is an empty string ++ expected.allowedRegex != "" ++ not 
re_match(expected.allowedRegex, value) ++ def_msg := sprintf("Label <%v: %v> does not satisfy allowed regex: %v", [key, value, expected.allowedRegex]) ++ msg := get_message(input.parameters, def_msg) ++ } +\ No newline at end of file diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/values.yaml packages/rancher-gatekeeper/charts/values.yaml --- packages/rancher-gatekeeper/charts-original/values.yaml +++ packages/rancher-gatekeeper/charts/values.yaml -@@ -1,5 +1,5 @@ - replicas: 3 +@@ -1,12 +1,12 @@ + replicas: 1 -auditInterval: 60 +auditInterval: 300 constraintViolationsLimit: 20 auditFromCache: false - disableValidatingWebhook: false -@@ -8,8 +8,8 @@ - emitAdmissionEvents: false - emitAuditEvents: false image: -- repository: openpolicyagent/gatekeeper -- release: v3.1.0-beta.11 +- repository: quay.io/open-policy-agent/gatekeeper +- release: v3.1.0-beta.7 + repository: rancher/opa-gatekeeper -+ tag: v3.1.0-beta.11 ++ tag: v3.1.0-beta.7 pullPolicy: IfNotPresent - nodeSelector: { kubernetes.io/os: linux } - affinity: {} -@@ -23,3 +23,8 @@ +-nodeSelector: {} ++nodeSelector: {"beta.kubernetes.io/os": "linux"} + tolerations: [] + resources: + limits: +@@ -15,3 +15,8 @@ requests: cpu: 100m memory: 256Mi @@ -1071,4 +288,5 @@ diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/val + systemDefaultRegistry: "" + kubectl: + repository: rancher/istio-kubectl -+ tag: 1.5.8 ++ tag: 1.4.6 +\ No newline at end of file diff --git a/packages/rancher-logging/rancher-logging.patch b/packages/rancher-logging/rancher-logging.patch index 4742fda97..50f02756d 100644 --- a/packages/rancher-logging/rancher-logging.patch +++ b/packages/rancher-logging/rancher-logging.patch 
@@ -1,7 +1,7 @@
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-logging/charts-original/Chart.yaml packages/rancher-logging/charts/Chart.yaml
--- packages/rancher-logging/charts-original/Chart.yaml
+++ packages/rancher-logging/charts/Chart.yaml
-@@ -1,5 +1,11 @@
+@@ -1,5 +1,15 @@
apiVersion: v1
appVersion: 3.4.0
-description: A Helm chart to install Banzai Cloud logging-operator
@@ -15,6 +15,10 @@ diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-logging/charts-original/Chart.
+ catalog.cattle.io/namespace: cattle-logging-system
+ catalog.cattle.io/release-name: rancher-logging
+ catalog.cattle.io/ui-component: logging
++
++ catalog.cattle.io/requires-gvr: logging.banzaicloud.io/v1beta1
++ catalog.cattle.io/auto-install-gvr: logging.banzaicloud.io/v1beta1
++ catalog.cattle.io/provides-gvr: logging.banzaicloud.io/v1beta1
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-logging/charts-original/values.yaml packages/rancher-logging/charts/values.yaml
--- packages/rancher-logging/charts-original/values.yaml
+++ packages/rancher-logging/charts/values.yaml
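Review bot: The three new `catalog.cattle.io/*-gvr` annotations in the `@@ -15,6 +15,10 @@` hunk all carry the identical value `logging.banzaicloud.io/v1beta1`, so the chart declares that it both provides and requires the same GVR, which reads as a self-dependency rather than a dependency on a CRD chart; if the CRDs are meant to come from a separate chart, `provides-gvr` presumably belongs on that chart and only `catalog.cattle.io/requires-gvr: logging.banzaicloud.io/v1beta1` and `catalog.cattle.io/auto-install-gvr: logging.banzaicloud.io/v1beta1` belong here — confirm against the catalog's intent. The value also looks like a group/version with no resource name, so the catalog may never match it against an installed CRD; worth checking against the format the catalog parser expects before relying on auto-install to gate the install. The empty `++` line inserted between the annotations is harmless YAML but adds trailing noise inside the map; dropping it keeps the annotation block contiguous.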