diff --git a/cmd/build/helmify/kustomization.yaml b/cmd/build/helmify/kustomization.yaml
index 19d21e2418d..e6507f7114d 100644
--- a/cmd/build/helmify/kustomization.yaml
+++ b/cmd/build/helmify/kustomization.yaml
@@ -137,3 +137,17 @@ patchesJson6902:
 patch: |-
 - op: remove
 path: /spec/ports
+ - target:
+ kind: ValidatingWebhookConfiguration
+ name: gatekeeper-validating-webhook-configuration
+ patch: |-
+ - op: replace
+ path: /metadata/name
+ value: "{{ .Values.validatingWebhookName }}"
+ - target:
+ kind: MutatingWebhookConfiguration
+ name: gatekeeper-mutating-webhook-configuration
+ patch: |-
+ - op: replace
+ path: /metadata/name
+ value: "{{ .Values.mutatingWebhookName }}"
diff --git a/cmd/build/helmify/kustomize-for-helm.yaml b/cmd/build/helmify/kustomize-for-helm.yaml
index 25ae92cf597..0a28ff2a03b 100644
--- a/cmd/build/helmify/kustomize-for-helm.yaml
+++ b/cmd/build/helmify/kustomize-for-helm.yaml
@@ -152,6 +152,8 @@ spec:
 - --audit-interval={{ .Values.auditInterval }}
 - --log-level={{ (.Values.audit.logLevel | empty | not) | ternary .Values.audit.logLevel .Values.logLevel }}
 - --constraint-violations-limit={{ .Values.constraintViolationsLimit }}
+ - --validating-webhook-configuration-name={{ .Values.validatingWebhookName }}
+ - --mutating-webhook-configuration-name={{ .Values.mutatingWebhookName }}
 - --audit-from-cache={{ .Values.auditFromCache }}
 - --audit-chunk-size={{ .Values.auditChunkSize }}
 - --audit-match-kind-only={{ .Values.auditMatchKindOnly }}
diff --git a/cmd/build/helmify/main.go b/cmd/build/helmify/main.go
index 0a65cb53b8a..34f0d087026 100644
--- a/cmd/build/helmify/main.go
+++ b/cmd/build/helmify/main.go
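Review bot: The two new `--validating-webhook-configuration-name` / `--mutating-webhook-configuration-name` args land only in the container whose surrounding context is `--audit-interval` / `--audit-from-cache`, i.e. the audit deployment, and no hunk in this diff touches the controller-manager deployment patch in this file. The only consumers of the flags visible in the diff, `AppendValidationWebhookIfEnabled` and `AppendMutationWebhookIfEnabled`, run where `operations.Webhook` / `operations.MutationWebhook` are assigned, which is presumably the webhook pod rather than audit. Unless the controller-manager deployment is patched outside this diff, a user who overrides `validatingWebhookName` gets a renamed configuration while the cert rotator in the webhook pod still targets the default name, so no caBundle is injected and admission calls fail, silently under the default `validatingWebhookFailurePolicy: Ignore`. Add the same two lines, `- --validating-webhook-configuration-name={{ .Values.validatingWebhookName }}` and `- --mutating-webhook-configuration-name={{ .Values.mutatingWebhookName }}`, to the controller-manager container args as well.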
@@ -101,18 +101,21 @@ func (ks *kindSet) Write() error { if err != nil { return err } + fileName := fmt.Sprintf("%s-%s.yaml", strings.ToLower(name), strings.ToLower(kind)) - destFile := path.Join(*outputDir, subPath, fileName) - fmt.Printf("Writing %s\n", destFile) - if name == "gatekeeper-validating-webhook-configuration" { + if name == "validation.gatekeeper.sh" { obj = "{{- if not .Values.disableValidatingWebhook }}\n" + obj + "{{- end }}\n" + fileName = fmt.Sprintf("gatekeeper-validating-webhook-configuration-%s.yaml", strings.ToLower(kind)) } - if name == "gatekeeper-mutating-webhook-configuration" { + if name == "mutation.gatekeeper.sh" { obj = "{{- if not .Values.disableMutation }}\n" + obj + "{{- end }}\n" + fileName = fmt.Sprintf("gatekeeper-mutating-webhook-configuration-%s.yaml", strings.ToLower(kind)) } + destFile := path.Join(*outputDir, subPath, fileName) + if name == "gatekeeper-webhook-server-cert" && kind == "Secret" { obj = "{{- if not .Values.externalCertInjection.enabled }}\n" + obj + "{{- end }}\n" } @@ -151,8 +154,12 @@ func (ks *kindSet) Write() error { if name == "gatekeeper-manager-role" && kind == "ClusterRole" { obj = strings.Replace(obj, "- apiGroups:\n - policy\n resourceNames:\n - gatekeeper-admin\n resources:\n - podsecuritypolicies\n verbs:\n - use\n", "{{- if and .Values.psp.enabled (.Capabilities.APIVersions.Has \"policy/v1beta1/PodSecurityPolicy\") }}\n- apiGroups:\n - policy\n resourceNames:\n - gatekeeper-admin\n resources:\n - podsecuritypolicies\n verbs:\n - use\n{{- end }}\n", 1) + obj = strings.Replace(obj, "- gatekeeper-validating-webhook-configuration\n", "- {{ .Values.validatingWebhookName }}\n", 1) + obj = strings.Replace(obj, "- gatekeeper-mutating-webhook-configuration\n", "- {{ .Values.mutatingWebhookName }}\n", 1) } + fmt.Printf("Writing %s\n", destFile) + if err := os.WriteFile(destFile, []byte(obj), 0o600); err != nil { return err } 
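Review bot: The new `name == "validation.gatekeeper.sh"` and `name == "mutation.gatekeeper.sh"` checks are not qualified by `kind`, unlike the `gatekeeper-webhook-server-cert` check a few lines below that adds `&& kind == "Secret"`, so any other object whose extracted name happens to be a webhook entry name would be wrapped in the disable guard and written to the webhook configuration file name. The match also appears to rely on `extractName` no longer returning `metadata.name` now that the kustomize patch turns it into a template expression, and falling through to the `webhooks[].name` entry instead; that is not obvious to a reader. Qualify both conditions, `if name == "validation.gatekeeper.sh" && kind == "ValidatingWebhookConfiguration" {` and `if name == "mutation.gatekeeper.sh" && kind == "MutatingWebhookConfiguration" {`, and add a comment above the first such as `// metadata.name is templated by the kustomize patch, so identify the object by its webhook entry name`. `Write` begins and ends outside this hunk.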
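Review bot: Both new `strings.Replace` calls on the `gatekeeper-manager-role` ClusterRole silently do nothing if the generated `resourceNames` entry ever changes shape (indentation, ordering, or quoting), and nothing in `Write` detects that; the chart would then ship RBAC pinned to the default webhook names while the webhook configurations themselves are renamed, and the rotator's `update` on its own configuration would only fail at runtime in the cluster. Since this is a build step, it should fail the build when the expected entry is absent rather than emit a chart with mismatched least-privilege rules, as in the excerpt below. The PSP replacement above has the same fragility, but that one is pre-existing. `Write` begins and ends outside this hunk.
```go
		if name == "gatekeeper-manager-role" && kind == "ClusterRole" {
			// … unchanged: PSP rule templating …
			for _, r := range []struct{ hardcoded, templated string }{
				{"- gatekeeper-validating-webhook-configuration\n", "- {{ .Values.validatingWebhookName }}\n"},
				{"- gatekeeper-mutating-webhook-configuration\n", "- {{ .Values.mutatingWebhookName }}\n"},
			} {
				// A no-op replace would ship RBAC that no longer matches the templated webhook names.
				if !strings.Contains(obj, r.hardcoded) {
					return fmt.Errorf("%s/%s: expected resourceName %q not found", kind, name, strings.TrimSpace(r.hardcoded))
				}
				obj = strings.Replace(obj, r.hardcoded, r.templated, 1)
			}
		}
```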
diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md index 6e13a55b341..c768a9ce262 100644 --- a/cmd/build/helmify/static/README.md +++ b/cmd/build/helmify/static/README.md @@ -64,6 +64,8 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | Parameter | Description | Default | | :-------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ | +| preInstall.crdRepository.image.repository | Image with kubectl to update the CRDs | `openpolicyagent/gatekeeper-crds` | +| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.12.0-beta.0` | | postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` | | postInstall.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post install hooks | `[]` | | postInstall.labelNamespace.extraAnnotations | Extra annotations added to the post install Job | `{}` | 
@@ -123,6 +125,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. | `false` | | disableValidatingWebhook | Disable the validating webhook | `false` | | disableMutation | Disable mutation | `false` | +| validatingWebhookName | The name of the `ValidatingWebhookConfiguration` | `gatekeeper-validating-webhook-configuration` | | validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` | | validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` | | validatingWebhookAnnotations | The annotations to add to the ValidatingWebhookConfiguration | `{}` | @@ -136,6 +139,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | enableTLSHealthcheck | Enable probing webhook API with certificate stored in certDir | `false` | | maxServingThreads | Limit the number of concurrent calls the validation backend made by the validation webhook. -1 limits this value to GOMAXPROCS. Configuring this value may lower max RAM usage and limit CPU throttling, Tuning it can optimize serving capacity. | `-1` | | metricsBackends | Metrics exporters to use. Valid exporters are: `prometheus`, `stackdriver`, and `opencensus` | `["prometheus"]` | +| mutatingWebhookName | The name of the `MutatingWebhookConfiguration` | `gatekeeper-mutating-webhook-configuration` | | mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook | `Ignore` | | mutatingWebhookReinvocationPolicy | The reinvocationPolicy for the mutating webhook | `Never` | | mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` | diff --git a/cmd/build/helmify/static/templates/upgrade-crds-hook.yaml b/cmd/build/helmify/static/templates/upgrade-crds-hook.yaml index cd57573f37a..8513b744df4 100644 
--- a/cmd/build/helmify/static/templates/upgrade-crds-hook.yaml
+++ b/cmd/build/helmify/static/templates/upgrade-crds-hook.yaml
@@ -93,10 +93,10 @@ spec:
 {{- end }}
 containers:
 - name: crds-upgrade
- {{- if not .Values.image.release }}
- image: '{{ .Values.image.crdRepository }}'
+ {{- if not .Values.preInstall.crdRepository.image.tag }}
+ image: '{{ .Values.preInstall.crdRepository.image.repository }}'
 {{- else }}
- image: '{{ .Values.image.crdRepository }}:{{ .Values.image.release }}'
+ image: '{{ .Values.preInstall.crdRepository.image.repository }}:{{ .Values.preInstall.crdRepository.image.tag }}'
 {{- end }}
 imagePullPolicy: '{{ .Values.image.pullPolicy }}'
 args:
diff --git a/cmd/build/helmify/static/templates/webhook-configs-pre-delete.yaml b/cmd/build/helmify/static/templates/webhook-configs-pre-delete.yaml
index d610394de36..c2c6e51dca9 100644
--- a/cmd/build/helmify/static/templates/webhook-configs-pre-delete.yaml
+++ b/cmd/build/helmify/static/templates/webhook-configs-pre-delete.yaml
@@ -39,10 +39,10 @@ spec:
 args:
 - delete
 {{- if not .Values.disableValidatingWebhook }}
- - validatingwebhookconfiguration/gatekeeper-validating-webhook-configuration
+ - validatingwebhookconfiguration/{{ .Values.validatingWebhookName }}
 {{- end }}
 {{- if not .Values.disableMutation }}
- - mutatingwebhookconfiguration/gatekeeper-mutating-webhook-configuration
+ - mutatingwebhookconfiguration/{{ .Values.mutatingWebhookName }}
 {{- end }}
 resources:
 {{- toYaml .Values.preUninstall.resources | nindent 10 }}
@@ -92,7 +92,7 @@ rules:
 resources:
 - validatingwebhookconfigurations
 resourceNames:
- - gatekeeper-validating-webhook-configuration
+ - {{ .Values.validatingWebhookName }}
 verbs:
 - delete
 {{- end }}
@@ -102,7 +102,7 @@ rules:
 resources:
 - mutatingwebhookconfigurations
 resourceNames:
- - gatekeeper-mutating-webhook-configuration
+ - {{ .Values.mutatingWebhookName }}
 verbs:
 - delete
 {{- end }}
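Review bot: Switching the hook from `image.crdRepository` / `image.release` to `preInstall.crdRepository.image.repository` / `.tag` silently drops any existing user override of the old keys, because Helm does not warn about values it no longer reads; an upgrade with such a values file quietly moves the CRD hook to the new default image. This deserves a breaking-change note in the chart docs, or a transition fallback like `{{- $tag := .Values.preInstall.crdRepository.image.tag | default .Values.image.release }}` if `image.release` is kept. Separately, the retained `{{- if not ...tag }}` branch still lets an empty tag run this cluster-wide CRD-updating hook on an untagged, floating image; now that the tag is an independent value rather than derived from the release, `{{ required "preInstall.crdRepository.image.tag must be set" .Values.preInstall.crdRepository.image.tag }}` would be the safer default.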
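Review bot: `- {{ .Values.validatingWebhookName }}` and `- {{ .Values.mutatingWebhookName }}` are emitted as bare YAML scalars in the `resourceNames` lists of the two RBAC hunks, while the webhook configuration templates in this same diff quote the value (`name: '{{ .Values.validatingWebhookName }}'`). A name such as `true`, `null` or `1e3` is a valid Kubernetes object name but renders as a boolean, null or number here, so the ClusterRole is rejected on apply and the pre-delete job cannot remove the configurations. Quote them for consistency, `- '{{ .Values.validatingWebhookName }}'` and `- '{{ .Values.mutatingWebhookName }}'`; the same applies to the `resourceNames` entries templated by the `strings.Replace` in helmify's main.go and to the generated copies under manifest_staging.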
diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml
index 364f5ed4794..4eecba9a234 100644
--- a/cmd/build/helmify/static/values.yaml
+++ b/cmd/build/helmify/static/values.yaml
@@ -6,6 +6,7 @@ constraintViolationsLimit: 20
 auditFromCache: false
 disableMutation: false
 disableValidatingWebhook: false
+validatingWebhookName: gatekeeper-validating-webhook-configuration
 validatingWebhookTimeoutSeconds: 3
 validatingWebhookFailurePolicy: Ignore
 validatingWebhookAnnotations: {}
@@ -18,6 +19,7 @@ enableExternalData: true
 enableGeneratorResourceExpansion: false
 enableTLSHealthcheck: false
 maxServingThreads: -1
+mutatingWebhookName: gatekeeper-mutating-webhook-configuration
 mutatingWebhookFailurePolicy: Ignore
 mutatingWebhookReinvocationPolicy: Never
 mutatingWebhookAnnotations: {}
@@ -33,6 +35,11 @@ logMutations: false
 emitAdmissionEvents: false
 emitAuditEvents: false
 resourceQuota: true
+preInstall:
+ crdRepository:
+ image:
+ repository: openpolicyagent/gatekeeper-crds
+ tag: v3.12.0-beta.0
 postUpgrade:
 labelNamespace:
 enabled: false
diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md
index 6e13a55b341..c768a9ce262 100644
--- a/manifest_staging/charts/gatekeeper/README.md
+++ b/manifest_staging/charts/gatekeeper/README.md
@@ -64,6 +64,8 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | Parameter | Description | Default | | :-------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ | +| preInstall.crdRepository.image.repository | Image with kubectl to update the CRDs | `openpolicyagent/gatekeeper-crds` | +| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.12.0-beta.0` | | postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` | | postInstall.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post install hooks | `[]` | | postInstall.labelNamespace.extraAnnotations | Extra annotations added to the post install Job | `{}` | @@ -123,6 +125,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. | `false` | | disableValidatingWebhook | Disable the validating webhook | `false` | | disableMutation | Disable mutation | `false` | +| validatingWebhookName | The name of the `ValidatingWebhookConfiguration` | `gatekeeper-validating-webhook-configuration` | | validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` | | validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` | | validatingWebhookAnnotations | The annotations to add to the ValidatingWebhookConfiguration | `{}` | 
@@ -136,6 +139,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | enableTLSHealthcheck | Enable probing webhook API with certificate stored in certDir | `false` | | maxServingThreads | Limit the number of concurrent calls the validation backend made by the validation webhook. -1 limits this value to GOMAXPROCS. Configuring this value may lower max RAM usage and limit CPU throttling, Tuning it can optimize serving capacity. | `-1` | | metricsBackends | Metrics exporters to use. Valid exporters are: `prometheus`, `stackdriver`, and `opencensus` | `["prometheus"]` | +| mutatingWebhookName | The name of the `MutatingWebhookConfiguration` | `gatekeeper-mutating-webhook-configuration` | | mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook | `Ignore` | | mutatingWebhookReinvocationPolicy | The reinvocationPolicy for the mutating webhook | `Never` | | mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` | diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml index 6088a432a3a..f3809df231f 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml @@ -51,6 +51,8 @@ spec: - --audit-interval={{ .Values.auditInterval }} - --log-level={{ (.Values.audit.logLevel | empty | not) | ternary .Values.audit.logLevel .Values.logLevel }} - --constraint-violations-limit={{ .Values.constraintViolationsLimit }} + - --validating-webhook-configuration-name={{ .Values.validatingWebhookName }} + - --mutating-webhook-configuration-name={{ .Values.mutatingWebhookName }} - --audit-from-cache={{ .Values.auditFromCache }} - --audit-chunk-size={{ .Values.auditChunkSize }} - --audit-match-kind-only={{ .Values.auditMatchKindOnly }} 
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml
index 8b32f96014b..40376142aa3 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml
@@ -22,7 +22,7 @@ rules:
 - apiGroups:
 - admissionregistration.k8s.io
 resourceNames:
- - gatekeeper-mutating-webhook-configuration
+ - {{ .Values.mutatingWebhookName }}
 resources:
 - mutatingwebhookconfigurations
 verbs:
@@ -153,7 +153,7 @@ rules:
 - apiGroups:
 - admissionregistration.k8s.io
 resourceNames:
- - gatekeeper-validating-webhook-configuration
+ - {{ .Values.validatingWebhookName }}
 resources:
 - validatingwebhookconfigurations
 verbs:
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
index 30a23b4fb9d..0bc3bc43eb4 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
@@ -9,7 +9,7 @@ metadata:
 gatekeeper.sh/system: "yes"
 heritage: '{{ .Release.Service }}'
 release: '{{ .Release.Name }}'
- name: gatekeeper-mutating-webhook-configuration
+ name: '{{ .Values.mutatingWebhookName }}'
 webhooks:
 - admissionReviewVersions:
 - v1
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
index a51dcef6bd6..f0dd85d5e5c 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
@@ -9,7 +9,7 @@ metadata:
 gatekeeper.sh/system: "yes"
 heritage: '{{ .Release.Service }}'
 release: '{{ .Release.Name }}'
- name: gatekeeper-validating-webhook-configuration
+ name: '{{ .Values.validatingWebhookName }}'
 webhooks:
 - admissionReviewVersions:
 - v1
diff --git a/manifest_staging/charts/gatekeeper/templates/upgrade-crds-hook.yaml b/manifest_staging/charts/gatekeeper/templates/upgrade-crds-hook.yaml
index cd57573f37a..8513b744df4 100644
--- a/manifest_staging/charts/gatekeeper/templates/upgrade-crds-hook.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/upgrade-crds-hook.yaml
@@ -93,10 +93,10 @@ spec:
 {{- end }}
 containers:
 - name: crds-upgrade
- {{- if not .Values.image.release }}
- image: '{{ .Values.image.crdRepository }}'
+ {{- if not .Values.preInstall.crdRepository.image.tag }}
+ image: '{{ .Values.preInstall.crdRepository.image.repository }}'
 {{- else }}
- image: '{{ .Values.image.crdRepository }}:{{ .Values.image.release }}'
+ image: '{{ .Values.preInstall.crdRepository.image.repository }}:{{ .Values.preInstall.crdRepository.image.tag }}'
 {{- end }}
 imagePullPolicy: '{{ .Values.image.pullPolicy }}'
 args:
diff --git a/manifest_staging/charts/gatekeeper/templates/webhook-configs-pre-delete.yaml b/manifest_staging/charts/gatekeeper/templates/webhook-configs-pre-delete.yaml
index d610394de36..c2c6e51dca9 100644
--- a/manifest_staging/charts/gatekeeper/templates/webhook-configs-pre-delete.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/webhook-configs-pre-delete.yaml
@@ -39,10 +39,10 @@ spec:
 args:
 - delete
 {{- if not .Values.disableValidatingWebhook }}
- - validatingwebhookconfiguration/gatekeeper-validating-webhook-configuration
+ - validatingwebhookconfiguration/{{ .Values.validatingWebhookName }}
 {{- end }}
 {{- if not .Values.disableMutation }}
- - mutatingwebhookconfiguration/gatekeeper-mutating-webhook-configuration
+ - mutatingwebhookconfiguration/{{ .Values.mutatingWebhookName }}
 {{- end }}
 resources:
 {{- toYaml .Values.preUninstall.resources | nindent 10 }}
@@ -92,7 +92,7 @@ rules:
 resources:
 - validatingwebhookconfigurations
 resourceNames:
- - gatekeeper-validating-webhook-configuration
+ - {{ .Values.validatingWebhookName }}
 verbs:
 - delete
 {{- end }}
@@ -102,7 +102,7 @@ rules:
 resources:
 - mutatingwebhookconfigurations
 resourceNames:
- - gatekeeper-mutating-webhook-configuration
+ - {{ .Values.mutatingWebhookName }}
 verbs:
 - delete
 {{- end }}
diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml
index 364f5ed4794..4eecba9a234 100644
--- a/manifest_staging/charts/gatekeeper/values.yaml
+++ b/manifest_staging/charts/gatekeeper/values.yaml
@@ -6,6 +6,7 @@ constraintViolationsLimit: 20
 auditFromCache: false
 disableMutation: false
 disableValidatingWebhook: false
+validatingWebhookName: gatekeeper-validating-webhook-configuration
 validatingWebhookTimeoutSeconds: 3
 validatingWebhookFailurePolicy: Ignore
 validatingWebhookAnnotations: {}
@@ -18,6 +19,7 @@ enableExternalData: true
 enableGeneratorResourceExpansion: false
 enableTLSHealthcheck: false
 maxServingThreads: -1
+mutatingWebhookName: gatekeeper-mutating-webhook-configuration
 mutatingWebhookFailurePolicy: Ignore
 mutatingWebhookReinvocationPolicy: Never
 mutatingWebhookAnnotations: {}
@@ -33,6 +35,11 @@ logMutations: false
 emitAdmissionEvents: false
 emitAuditEvents: false
 resourceQuota: true
+preInstall:
+ crdRepository:
+ image:
+ repository: openpolicyagent/gatekeeper-crds
+ tag: v3.12.0-beta.0
 postUpgrade:
 labelNamespace:
 enabled: false
diff --git a/pkg/webhook/common.go b/pkg/webhook/common.go
index 63f255b1519..951829e148d 100644
--- a/pkg/webhook/common.go
+++ b/pkg/webhook/common.go
@@ -38,13 +38,6 @@ const (
 var log = logf.Log.WithName("webhook")
-var (
- // VwhName is the metadata.name of the Gatekeeper ValidatingWebhookConfiguration.
- VwhName = "gatekeeper-validating-webhook-configuration"
- // MwhName is the metadata.name of the Gatekeeper MutatingWebhookConfiguration.
- MwhName = "gatekeeper-mutating-webhook-configuration"
-)
-
 const (
 serviceAccountName = "gatekeeper-admin"
 mutationsGroup = "mutations.gatekeeper.sh"
@@ -63,7 +56,8 @@ var (
 serviceaccount = fmt.Sprintf("system:serviceaccount:%s:%s", util.GetNamespace(), serviceAccountName)
 clientCAName = flag.String("client-ca-name", "", "name of the certificate authority bundle to authenticate the Kubernetes API server requests against")
 certCNName = flag.String("client-cn-name", "kube-apiserver", "expected CN name on the client certificate attached by apiserver in requests to the webhook")
- // webhookName is deprecated, set this on the manifest YAML if needed".
+ VwhName = flag.String("validating-webhook-configuration-name", "gatekeeper-validating-webhook-configuration", "name of the ValidatingWebhookConfiguration")
+ MwhName = flag.String("mutating-webhook-configuration-name", "gatekeeper-mutating-webhook-configuration", "name of the MutatingWebhookConfiguration")
 )
 func init() {
diff --git a/pkg/webhook/mutation.go b/pkg/webhook/mutation.go
index f1ead452a6d..25f77d9c084 100644
--- a/pkg/webhook/mutation.go
+++ b/pkg/webhook/mutation.go
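Review bot: `VwhName` and `MwhName` are exported and lose the doc comments the removed `var` block carried, and their type changes from `string` to `*string`, which any out-of-package writer (for example a test assigning `webhook.VwhName = "..."`) now fails to compile against and which callers must dereference only after flag parsing. Restore a doc comment on each that states both facts: `// VwhName is the metadata.name of the Gatekeeper ValidatingWebhookConfiguration; it is a flag pointer, so dereference it only after flag.Parse.` and the matching `// MwhName is the metadata.name of the Gatekeeper MutatingWebhookConfiguration; ...`. The `var (` block that holds these declarations opens above the hunk.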
@@ -219,7 +219,7 @@ func (h *mutationHandler) mutateRequest(ctx context.Context, req *admission.Requ
 func AppendMutationWebhookIfEnabled(webhooks []rotator.WebhookInfo) []rotator.WebhookInfo {
 if operations.IsAssigned(operations.MutationWebhook) {
 return append(webhooks, rotator.WebhookInfo{
- Name: MwhName,
+ Name: *MwhName,
 Type: rotator.Mutating,
 })
 }
diff --git a/pkg/webhook/policy.go b/pkg/webhook/policy.go
index 6e9177d97e1..218122a0ea0 100644
--- a/pkg/webhook/policy.go
+++ b/pkg/webhook/policy.go
@@ -636,7 +636,7 @@ func getViolationRef(gkNamespace, rkind, rname, rnamespace, ckind, cname, cnames
 func AppendValidationWebhookIfEnabled(webhooks []rotator.WebhookInfo) []rotator.WebhookInfo {
 if operations.IsAssigned(operations.Webhook) {
 return append(webhooks, rotator.WebhookInfo{
- Name: VwhName,
+ Name: *VwhName,
 Type: rotator.Validating,
 })
 }