From v3.18.x CRD created by gatekeeper-audit with parameter --operation=generate (not by gatekeeper-controller-manager) #3827

Open
sultetveny opened this issue Feb 19, 2025 · 1 comment

Comments

@sultetveny

sultetveny commented Feb 19, 2025

Hi!

Earlier we used gatekeeper v3.17.1 on our cluster. We used only the gatekeeper-controller-manager deployment, while gatekeeper-audit was scaled down to 0. Using ConstraintTemplate, the CRDs were generated successfully.

Once we upgraded to v3.18.x, we noticed the same CRDs are not generated anymore. As we figured out, gatekeeper-audit is now responsible by default for generating the CRDs, because the new parameter --operation=generate is implemented only there; it's missing from the gatekeeper-controller-manager.
For testing purposes we added this new parameter to the controller-manager deployment and also scaled down the audit to 0. With these settings, using ConstraintTemplate, the CRDs are generated successfully, the same as in the earlier version.

So, our questions:

  • Could you please give more information on why this implementation changed in this version? (We found only one related pull request: feat: add generate operation and wait for VAPB generation #3573 (review).)
  • In future versions, is it possible to add this parameter to the gatekeeper-controller-manager too? (Or will support for this parameter be completely removed from gatekeeper-controller-manager in future releases?)
@JaydipGabani
Contributor

JaydipGabani commented Feb 20, 2025

@sultetveny Thanks for raising this issue.

  • This change was made to make sure only a singleton pod was responsible for generation and to prevent any contention among multiple pods trying to update the same resource.
  • Adding this operation to gatekeeper-controller-manager is not on the roadmap, as the intention was to have singleton pods generate resources. However, support for this will not be removed from gatekeeper-controller-manager; you should be able to enable these pods to generate CRDs by adding --operation=generate in the future as well.
