mirror of https://git.rancher.io/charts
(dev-v2.6-archive) Merge pull request #1357 from cmurphy/externalip-webhook-0.1.7
Add external-ip-webhook package for 1.0.0
(partially cherry picked from commit 1c519b3c52)
pull/1680/head
parent
c3956adc58
commit
efa5ea1d2a
|
@ -0,0 +1,27 @@
|
|||
--- charts-original/Chart.yaml
|
||||
+++ charts/Chart.yaml
|
||||
@@ -3,12 +3,12 @@
|
||||
catalog.cattle.io/display-name: External IP Webhook
|
||||
catalog.cattle.io/namespace: cattle-externalip-system
|
||||
catalog.cattle.io/os: linux
|
||||
- catalog.cattle.io/release-name: rancher-externalip-webhook
|
||||
- catalog.cattle.io/ui-component: rancher-externalip-webhook
|
||||
+ catalog.cattle.io/release-name: rancher-external-ip-webhook
|
||||
+ catalog.cattle.io/ui-component: rancher-external-ip-webhook
|
||||
apiVersion: v1
|
||||
appVersion: v1.0.0
|
||||
description: |
|
||||
- Deploy the externalip-webhook to mitigate k8s CVE-2020-8554
|
||||
+ Deploy the external-ip-webhook to mitigate k8s CVE-2020-8554
|
||||
home: https://github.com/rancher/externalip-webhook
|
||||
keywords:
|
||||
- cve
|
||||
@@ -18,7 +18,7 @@
|
||||
maintainers:
|
||||
- email: raul@rancher.com
|
||||
name: rawmind0
|
||||
-name: rancher-externalip-webhook
|
||||
+name: rancher-external-ip-webhook
|
||||
sources:
|
||||
- https://github.com/rancher/externalip-webhook
|
||||
version: 1.0.0
|
|
@ -0,0 +1,11 @@
|
|||
--- charts-original/values.yaml
|
||||
+++ charts/values.yaml
|
||||
@@ -30,7 +30,7 @@
|
||||
image:
|
||||
pullPolicy: IfNotPresent
|
||||
pullSecrets: []
|
||||
- repository: rancher/kube-rbac-proxy
|
||||
+ repository: rancher/mirrored-kube-rbac-proxy
|
||||
tag: v0.5.0
|
||||
resources:
|
||||
limits:
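Review bot: The added `repository: rancher/mirrored-kube-rbac-proxy` line changes where the image is pulled from, but the reference is still the mutable tag `v0.5.0`. With `pullPolicy: IfNotPresent`, a node keeps whatever it first pulled under that tag. Nothing visible in this patch ties the mirrored image to the content previously served as `rancher/kube-rbac-proxy:v0.5.0`. If the chart's template joins repository and tag with a colon (the template is not shown here), `tag: v0.5.0@sha256:<digest of the verified mirror image>` would pin it; otherwise add a comment recording the digest that was verified. The same applies to `rancher/kubectl` and `rancher/mirrored-openpolicyagent-gatekeeper` in the gatekeeper `values.yaml` patch further down.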
|
|
@ -0,0 +1,2 @@
|
|||
url: https://github.com/rancher/externalip-webhook/releases/download/v1.0.0/rancher-externalip-webhook-1.0.0.tgz
|
||||
version: 1.0.0
|
|
@ -0,0 +1,6 @@
|
|||
{{- if .Values.customResourceDefinitions.create }}
|
||||
{{- range $path, $bytes := .Files.Glob "crds/*.yaml" }}
|
||||
{{ $.Files.Get $path }}
|
||||
---
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,14 @@
|
|||
{{- if .Values.createNamespace }}
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
labels:
|
||||
admission.gatekeeper.sh/ignore: no-self-managing
|
||||
app: '{{ template "gatekeeper.name" . }}'
|
||||
chart: '{{ template "gatekeeper.name" . }}'
|
||||
control-plane: controller-manager
|
||||
gatekeeper.sh/system: "yes"
|
||||
heritage: '{{ .Release.Service }}'
|
||||
release: '{{ .Release.Name }}'
|
||||
name: gatekeeper-system
|
||||
{{- end }}
|
|
@ -1,8 +1,8 @@
|
|||
--- charts-original/Chart.yaml
|
||||
+++ charts/Chart.yaml
|
||||
@@ -1,10 +1,21 @@
|
||||
apiVersion: v2
|
||||
appVersion: v3.5.1
|
||||
apiVersion: v1
|
||||
appVersion: v3.3.0
|
||||
-description: A Helm chart for Gatekeeper
|
||||
+description: Modifies Open Policy Agent's upstream gatekeeper chart that provides policy-based control for cloud native environments
|
||||
home: https://github.com/open-policy-agent/gatekeeper
|
||||
|
@ -13,7 +13,7 @@
|
|||
+name: rancher-gatekeeper
|
||||
sources:
|
||||
- https://github.com/open-policy-agent/gatekeeper.git
|
||||
version: 3.5.1
|
||||
version: 3.3.0
|
||||
+icon: https://charts.rancher.io/assets/logos/gatekeeper.svg
|
||||
+annotations:
|
||||
+ catalog.cattle.io/certified: rancher
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
--- charts-original/README.md
|
||||
+++ charts/README.md
|
||||
@@ -69,7 +69,7 @@
|
||||
| postInstall.labelNamespace.image.tag | Image tag | `1.20.4-4.0.5` |
|
||||
| postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
|
||||
| postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` |
|
||||
-| auditInterval | The frequency with which audit is run | `60` |
|
||||
+| auditInterval | The frequency with which audit is run | `300` |
|
||||
| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` |
|
||||
| auditFromCache | Take the roster of resources to audit from the OPA cache | `false` |
|
||||
| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `0` |
|
||||
@@ -4,7 +4,7 @@
|
||||
|
||||
| Parameter | Description | Default |
|
||||
| :---------------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ |
|
||||
-| auditInterval | The frequency with which audit is run | `60` |
|
||||
+| auditInterval | The frequency with which audit is run | `300` |
|
||||
| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` |
|
||||
| auditFromCache | Take the roster of resources to audit from the OPA cache | `false` |
|
||||
| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `0` |
|
||||
|
|
|
@ -0,0 +1,11 @@
|
|||
--- charts-original/crds/config-customresourcedefinition.yaml
|
||||
+++ charts/crds/config-customresourcedefinition.yaml
|
||||
@@ -3,8 +3,6 @@
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.3.0
|
||||
- helm.sh/hook: crd-install
|
||||
- helm.sh/hook-delete-policy: before-hook-creation
|
||||
creationTimestamp: null
|
||||
labels:
|
||||
gatekeeper.sh/system: "yes"
|
|
@ -0,0 +1,11 @@
|
|||
--- charts-original/crds/constraintpodstatus-customresourcedefinition.yaml
|
||||
+++ charts/crds/constraintpodstatus-customresourcedefinition.yaml
|
||||
@@ -3,8 +3,6 @@
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.3.0
|
||||
- helm.sh/hook: crd-install
|
||||
- helm.sh/hook-delete-policy: before-hook-creation
|
||||
creationTimestamp: null
|
||||
labels:
|
||||
gatekeeper.sh/system: "yes"
|
|
@ -0,0 +1,12 @@
|
|||
--- charts-original/crds/constrainttemplate-customresourcedefinition.yaml
|
||||
+++ charts/crds/constrainttemplate-customresourcedefinition.yaml
|
||||
@@ -1,9 +1,6 @@
|
||||
apiVersion: apiextensions.k8s.io/v1beta1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
- annotations:
|
||||
- helm.sh/hook: crd-install
|
||||
- helm.sh/hook-delete-policy: before-hook-creation
|
||||
creationTimestamp: null
|
||||
labels:
|
||||
gatekeeper.sh/system: "yes"
|
|
@ -0,0 +1,11 @@
|
|||
--- charts-original/crds/constrainttemplatepodstatus-customresourcedefinition.yaml
|
||||
+++ charts/crds/constrainttemplatepodstatus-customresourcedefinition.yaml
|
||||
@@ -3,8 +3,6 @@
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.3.0
|
||||
- helm.sh/hook: crd-install
|
||||
- helm.sh/hook-delete-policy: before-hook-creation
|
||||
creationTimestamp: null
|
||||
labels:
|
||||
gatekeeper.sh/system: "yes"
|
|
@ -1,12 +1,9 @@
|
|||
--- charts-original/templates/_helpers.tpl
|
||||
+++ charts/templates/_helpers.tpl
|
||||
@@ -38,4 +38,12 @@
|
||||
{{- if .Values.podLabels }}
|
||||
{{- toYaml .Values.podLabels | nindent 8 }}
|
||||
@@ -42,3 +42,11 @@
|
||||
{{- end }}
|
||||
-{{- end -}}
|
||||
\ No newline at end of file
|
||||
+{{- end -}}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
{{- end -}}
|
||||
+
|
||||
+{{- define "system_default_registry" -}}
|
||||
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
|
||||
|
|
|
@ -0,0 +1,8 @@
|
|||
--- charts-original/templates/gatekeeper-admin-serviceaccount.yaml
|
||||
+++ charts/templates/gatekeeper-admin-serviceaccount.yaml
|
||||
@@ -8,4 +8,4 @@
|
||||
heritage: '{{ .Release.Service }}'
|
||||
release: '{{ .Release.Name }}'
|
||||
name: gatekeeper-admin
|
||||
- namespace: gatekeeper-system
|
||||
+ namespace: '{{ .Release.Namespace }}'
|
|
@ -1,6 +1,15 @@
|
|||
--- charts-original/templates/gatekeeper-audit-deployment.yaml
|
||||
+++ charts/templates/gatekeeper-audit-deployment.yaml
|
||||
@@ -63,7 +63,7 @@
|
||||
@@ -10,7 +10,7 @@
|
||||
heritage: '{{ .Release.Service }}'
|
||||
release: '{{ .Release.Name }}'
|
||||
name: gatekeeper-audit
|
||||
- namespace: gatekeeper-system
|
||||
+ namespace: '{{ .Release.Namespace }}'
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
@@ -59,7 +59,7 @@
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.name
|
||||
|
|
|
@ -1,6 +1,15 @@
|
|||
--- charts-original/templates/gatekeeper-controller-manager-deployment.yaml
|
||||
+++ charts/templates/gatekeeper-controller-manager-deployment.yaml
|
||||
@@ -65,7 +65,7 @@
|
||||
@@ -10,7 +10,7 @@
|
||||
heritage: '{{ .Release.Service }}'
|
||||
release: '{{ .Release.Name }}'
|
||||
name: gatekeeper-controller-manager
|
||||
- namespace: gatekeeper-system
|
||||
+ namespace: '{{ .Release.Namespace }}'
|
||||
spec:
|
||||
replicas: {{ .Values.replicas }}
|
||||
selector:
|
||||
@@ -68,7 +68,7 @@
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.name
|
||||
|
|
|
@ -0,0 +1,11 @@
|
|||
--- charts-original/templates/gatekeeper-manager-role-role.yaml
|
||||
+++ charts/templates/gatekeeper-manager-role-role.yaml
|
||||
@@ -9,7 +9,7 @@
|
||||
heritage: '{{ .Release.Service }}'
|
||||
release: '{{ .Release.Name }}'
|
||||
name: gatekeeper-manager-role
|
||||
- namespace: gatekeeper-system
|
||||
+ namespace: '{{ .Release.Namespace }}'
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
|
@ -0,0 +1,8 @@
|
|||
--- charts-original/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml
|
||||
+++ charts/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml
|
||||
@@ -15,4 +15,4 @@
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: gatekeeper-admin
|
||||
- namespace: gatekeeper-system
|
||||
+ namespace: '{{ .Release.Namespace }}'
|
|
@ -0,0 +1,17 @@
|
|||
--- charts-original/templates/gatekeeper-manager-rolebinding-rolebinding.yaml
|
||||
+++ charts/templates/gatekeeper-manager-rolebinding-rolebinding.yaml
|
||||
@@ -8,7 +8,7 @@
|
||||
heritage: '{{ .Release.Service }}'
|
||||
release: '{{ .Release.Name }}'
|
||||
name: gatekeeper-manager-rolebinding
|
||||
- namespace: gatekeeper-system
|
||||
+ namespace: '{{ .Release.Namespace }}'
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
@@ -16,4 +16,4 @@
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: gatekeeper-admin
|
||||
- namespace: gatekeeper-system
|
||||
+ namespace: '{{ .Release.Namespace }}'
|
|
@ -0,0 +1,20 @@
|
|||
--- charts-original/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
|
||||
+++ charts/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
|
||||
@@ -15,7 +15,7 @@
|
||||
caBundle: Cg==
|
||||
service:
|
||||
name: gatekeeper-webhook-service
|
||||
- namespace: gatekeeper-system
|
||||
+ namespace: '{{ .Release.Namespace }}'
|
||||
path: /v1/admit
|
||||
failurePolicy: Ignore
|
||||
name: validation.gatekeeper.sh
|
||||
@@ -42,7 +42,7 @@
|
||||
caBundle: Cg==
|
||||
service:
|
||||
name: gatekeeper-webhook-service
|
||||
- namespace: gatekeeper-system
|
||||
+ namespace: '{{ .Release.Namespace }}'
|
||||
path: /v1/admitlabel
|
||||
failurePolicy: Fail
|
||||
name: check-ignore-label.gatekeeper.sh
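Review bot: The patched file keeps `failurePolicy: Ignore` on the `validation.gatekeeper.sh` webhook (context of the first hunk), so requests are admitted without constraint evaluation whenever `gatekeeper-webhook-service` is unreachable in the release namespace. Only `check-ignore-label.gatekeeper.sh` fails closed. Since this overlay already edits both webhook entries to set `namespace: '{{ .Release.Namespace }}'`, the trade-off should be documented where operators will see it, for example a README line such as `Constraint validation fails open: if the webhook is unavailable, requests are admitted unchecked; use audit results to catch what was missed.` Both hunks start partway into the file, so any surrounding conditionals are not visible here.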
|
|
@ -0,0 +1,8 @@
|
|||
--- charts-original/templates/gatekeeper-webhook-server-cert-secret.yaml
|
||||
+++ charts/templates/gatekeeper-webhook-server-cert-secret.yaml
|
||||
@@ -10,4 +10,4 @@
|
||||
heritage: '{{ .Release.Service }}'
|
||||
release: '{{ .Release.Name }}'
|
||||
name: gatekeeper-webhook-server-cert
|
||||
- namespace: gatekeeper-system
|
||||
+ namespace: '{{ .Release.Namespace }}'
|
|
@ -0,0 +1,11 @@
|
|||
--- charts-original/templates/gatekeeper-webhook-service-service.yaml
|
||||
+++ charts/templates/gatekeeper-webhook-service-service.yaml
|
||||
@@ -8,7 +8,7 @@
|
||||
heritage: '{{ .Release.Service }}'
|
||||
release: '{{ .Release.Name }}'
|
||||
name: gatekeeper-webhook-service
|
||||
- namespace: gatekeeper-system
|
||||
+ namespace: '{{ .Release.Namespace }}'
|
||||
spec:
|
||||
ports:
|
||||
- port: 443
|
|
@ -1,39 +1,35 @@
|
|||
--- charts-original/values.yaml
|
||||
+++ charts/values.yaml
|
||||
@@ -1,5 +1,5 @@
|
||||
@@ -1,8 +1,7 @@
|
||||
replicas: 3
|
||||
-auditInterval: 60
|
||||
+auditInterval: 300
|
||||
auditMatchKindOnly: false
|
||||
constraintViolationsLimit: 20
|
||||
auditFromCache: false
|
||||
@@ -16,13 +16,13 @@
|
||||
labelNamespace:
|
||||
enabled: true
|
||||
image:
|
||||
- repository: line/kubectl-kustomize
|
||||
- tag: 1.20.4-4.0.5
|
||||
+ repository: rancher/kubectl
|
||||
+ tag: v1.20.2
|
||||
pullPolicy: IfNotPresent
|
||||
pullSecrets: []
|
||||
-createNamespace: true
|
||||
disableValidatingWebhook: false
|
||||
validatingWebhookTimeoutSeconds: 3
|
||||
enableDeleteOperations: false
|
||||
@@ -11,8 +10,8 @@
|
||||
emitAdmissionEvents: false
|
||||
emitAuditEvents: false
|
||||
image:
|
||||
- repository: openpolicyagent/gatekeeper
|
||||
- release: v3.5.1
|
||||
- release: v3.3.0
|
||||
+ repository: rancher/mirrored-openpolicyagent-gatekeeper
|
||||
+ tag: v3.5.1
|
||||
+ tag: v3.3.0
|
||||
pullPolicy: IfNotPresent
|
||||
pullSecrets: []
|
||||
podAnnotations:
|
||||
@@ -70,5 +70,11 @@
|
||||
pdb:
|
||||
controllerManager:
|
||||
minAvailable: 1
|
||||
@@ -53,5 +52,9 @@
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 256Mi
|
||||
-customResourceDefinitions:
|
||||
- create: true
|
||||
+global:
|
||||
+ cattle:
|
||||
+ systemDefaultRegistry: ""
|
||||
+ kubectl:
|
||||
+ repository: rancher/kubectl
|
||||
+ tag: v1.20.2
|
||||
service: {}
|
||||
disabledBuiltins:
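Review bot: `auditInterval: 300` in the first hunk replaces `60` with no comment on why the default departs from the chart being patched. Gatekeeper's audit interval is in seconds, so a resource that violates a constraint can go unreported for up to five minutes. That matters more here because the validating webhook in the same chart is set to `failurePolicy: Ignore`, which makes audit the backstop. I would add a line above it such as `# Seconds between audit runs; raised from 60, so violations on existing resources can take up to five minutes to appear.` The page interleaves the old and new revisions of this patch file, so it is not certain the value is introduced by this commit rather than carried over.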
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
url: https://open-policy-agent.github.io/gatekeeper/charts/gatekeeper-3.5.1.tgz
|
||||
url: https://open-policy-agent.github.io/gatekeeper/charts/gatekeeper-3.3.0.tgz
|
||||
version: 100.0.0
|
||||
additionalCharts:
|
||||
- workingDir: charts-crd
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
apiVersion: v1
|
||||
version: 3.5.1
|
||||
version: 3.3.0
|
||||
description: Installs the CRDs for rancher-gatekeeper.
|
||||
name: rancher-gatekeeper-crd
|
||||
type: application
|
||||
|
|