{{- if .Values.postInstall.labelNamespace.enabled }} apiVersion: batch/v1 kind: Job metadata: name: gatekeeper-update-namespace-label labels: app: '{{ template "gatekeeper.name" . }}' chart: '{{ template "gatekeeper.name" . }}' gatekeeper.sh/system: "yes" heritage: '{{ .Release.Service }}' release: '{{ .Release.Name }}' annotations: "helm.sh/hook": post-install "helm.sh/hook-weight": "-5" "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation spec: template: metadata: annotations: {{- toYaml .Values.podAnnotations | trim | nindent 8 }} labels: {{- include "gatekeeper.podLabels" . }} app: '{{ template "gatekeeper.name" . }}' chart: '{{ template "gatekeeper.name" . }}' gatekeeper.sh/system: "yes" heritage: '{{ .Release.Service }}' release: '{{ .Release.Name }}' spec: restartPolicy: OnFailure {{- if .Values.postInstall.labelNamespace.image.pullSecrets }} imagePullSecrets: {{- .Values.postInstall.labelNamespace.image.pullSecrets | toYaml | nindent 12 }} {{- end }} serviceAccount: gatekeeper-update-namespace-label {{- if .Values.postInstall.probeWebhook.enabled }} volumes: {{- include "gatekeeper.postInstallWebhookProbeVolume" . | nindent 8 }} initContainers: {{- include "gatekeeper.postInstallWebhookProbeContainer" . | nindent 8 }} {{- end }} containers: - name: kubectl-label image: '{{ template "system_default_registry" . }}{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}' imagePullPolicy: {{ .Values.postInstall.labelNamespace.image.pullPolicy }} args: - label - ns - {{ .Release.Namespace }} {{- range .Values.postInstall.labelNamespace.extraNamespaces }} - {{ . }} {{- end }} - admission.gatekeeper.sh/ignore=no-self-managing {{- range .Values.postInstall.labelNamespace.podSecurity }} - {{ . }} {{- end }} - --overwrite resources: {{- toYaml .Values.postInstall.resources | nindent 12 }} securityContext: {{- if .Values.enableRuntimeDefaultSeccompProfile }} seccompProfile: type: RuntimeDefault {{- end }} {{- toYaml .Values.postInstall.securityContext | nindent 12 }} {{- with .Values.postInstall }} nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} affinity: {{- toYaml .affinity | nindent 8 }} {{- end }} --- apiVersion: v1 kind: ServiceAccount metadata: name: gatekeeper-update-namespace-label labels: release: {{ .Release.Name }} heritage: {{ .Release.Service }} annotations: "helm.sh/hook": post-install "helm.sh/hook-weight": "-5" "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation --- {{- if .Values.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: gatekeeper-update-namespace-label labels: release: {{ .Release.Name }} heritage: {{ .Release.Service }} annotations: "helm.sh/hook": post-install "helm.sh/hook-weight": "-5" "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation rules: - apiGroups: - "" resources: - namespaces verbs: - get - update - patch resourceNames: - {{ .Release.Namespace }} {{- range .Values.postInstall.labelNamespace.extraNamespaces }} - {{ . }} {{- end }} - apiGroups: - management.cattle.io resources: - projects verbs: - updatepsa {{- with .Values.postInstall.labelNamespace.extraRules }} {{- toYaml . | nindent 2 }} {{- end }} {{- end }} --- {{- if .Values.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: gatekeeper-update-namespace-label labels: release: {{ .Release.Name }} heritage: {{ .Release.Service }} annotations: "helm.sh/hook": post-install "helm.sh/hook-weight": "-5" "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: gatekeeper-update-namespace-label subjects: - kind: ServiceAccount name: gatekeeper-update-namespace-label namespace: {{ .Release.Namespace | quote }} {{- end }} {{- end }}