mirror of https://github.com/kyverno/kyverno.git synced 2025-03-29 10:55:05 +00:00

Helm chart: add extraCRDAnnotations value and set ArgoCD sync option by default (#4964)

* fix: add extraCRDAnnotations option to helm chart

set ArgoCD replace sync option by default

Signed-off-by: Edwin Mackenzie-Owen <edwin.mowen@gmail.com>

* fix: add extraCRDAnnotations via codegen

* use template

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Edwin Mackenzie-Owen <edwin.mowen@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Edwin Mackenzie-Owen 2022-11-02 10:35:33 +01:00 committed by GitHub
parent 9f6b0e8017
commit 0e1d2cae05
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 26 additions and 1 deletions


@ -447,7 +447,7 @@ codegen-helm-crds: $(KUSTOMIZE) codegen-crds-all ## Generate helm CRDs
@VERSION='"{{.Chart.AppVersion}}"' TOP_PATH=".." envsubst < config/templates/labels.yaml.envsubst > config/.helm/labels.yaml
@VERSION=dummy TOP_PATH=".." envsubst < config/templates/kustomization.yaml.envsubst > config/.helm/kustomization.yaml
@echo Generate helm crds... >&2
@$(KUSTOMIZE) build ./config/.helm | $(KUSTOMIZE) cfg grep kind=CustomResourceDefinition | $(SED) -e "1i{{- if .Values.installCRDs }}" -e '$$a{{- end }}' > ./charts/kyverno/templates/crds.yaml
@$(KUSTOMIZE) build ./config/.helm | $(KUSTOMIZE) cfg grep kind=CustomResourceDefinition | $(SED) -e "1i{{- if .Values.installCRDs }}" -e '$$a{{- end }}' -e '/^ creationTimestamp: null/i \ \ \ \ {{- trim (include "kyverno.crdAnnotations" .) | nindent 4 }}' > ./charts/kyverno/templates/crds.yaml
.PHONY: codegen-helm-all
codegen-helm-all: codegen-helm-crds codegen-helm-docs ## Generate helm docs and CRDs
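Review bot: The new `$(SED)` expression that writes `charts/kyverno/templates/crds.yaml` injects the `kyverno.crdAnnotations` include only where the generated output contains a `creationTimestamp: null` line, so the chart silently loses `crds.annotations` support if a later controller-gen or kustomize release stops emitting that field or orders it differently. The insert also assumes that this line directly follows each CRD's `annotations:` map, which matches the generated output in this commit but is not checked anywhere. I would add a comment above the recipe line, e.g. `# NOTE: the crdAnnotations include is anchored on controller-gen's 'creationTimestamp: null' line`, and follow the generation with a check that the number of `kyverno.crdAnnotations` lines in the output equals the number of CRDs, failing the target otherwise. The `codegen-helm-crds` recipe starts above this hunk.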


@ -48,3 +48,5 @@ annotations:
description: Enable adding optional annotations to configmaps
- kind: added
description: Add startup probes support
- kind: added
description: Support extra CRD annotations


@ -205,6 +205,7 @@ The command removes all the Kubernetes components associated with the chart and
| serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint |
| createSelfSignedCert | bool | `false` | Kyverno requires a certificate key pair and corresponding certificate authority to properly register its webhooks. This can be done in one of 3 ways: 1) Use kube-controller-manager to generate a CA-signed certificate (preferred) 2) Provide your own CA and cert. In this case, you will need to create a certificate with a specific name and data structure. As long as you follow the naming scheme, it will be automatically picked up. kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entries named tls.key and tls.crt) kyverno-svc.kyverno.svc.kyverno-tls-pair (with data entries named tls.key and tls.crt) 3) Let Helm generate a self signed cert, by setting createSelfSignedCert true If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false |
| installCRDs | bool | `true` | Whether to have Helm install the Kyverno CRDs. If the CRDs are not installed by Helm, they must be added before policies can be created. |
| crds.annotations | object | `{}` | Additional CRDs annotations. |
| networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
| networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
| webhooksCleanup.enable | bool | `false` | Create a helm pre-delete hook to cleanup webhooks. |


@ -159,3 +159,9 @@ maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
{{- end }}
{{- $newWebhook | toJson }}
{{- end }}
{{- define "kyverno.crdAnnotations" -}}
{{- range $key, $value := .Values.crds.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
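Review bot: In `kyverno.crdAnnotations` the annotation value goes through `quote` but `{{ $key }}` is rendered raw, so a key in `.Values.crds.annotations` that contains YAML-significant characters (for example a `: ` sequence or a line break) can alter the structure of every CRD's `metadata.annotations` block instead of staying a single map entry. Quoting both sides keeps whatever the values file supplies confined to one key/value pair: `{{ $key | quote }}: {{ $value | quote }}`. A short template comment above the define, such as `{{/* Renders .Values.crds.annotations as map entries; the caller indents the result under metadata.annotations */}}`, would also document the indentation contract that the `nindent 4` call sites rely on.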


@ -6,6 +6,7 @@ metadata:
controller-gen.kubebuilder.io/version: v0.10.0
config.kubernetes.io/index: '1'
internal.config.kubernetes.io/index: '1'
{{- trim (include "kyverno.crdAnnotations" .) | nindent 4 }}
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno
@ -267,6 +268,7 @@ metadata:
controller-gen.kubebuilder.io/version: v0.10.0
config.kubernetes.io/index: '2'
internal.config.kubernetes.io/index: '2'
{{- trim (include "kyverno.crdAnnotations" .) | nindent 4 }}
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno
@ -498,6 +500,7 @@ metadata:
controller-gen.kubebuilder.io/version: v0.10.0
config.kubernetes.io/index: '3'
internal.config.kubernetes.io/index: '3'
{{- trim (include "kyverno.crdAnnotations" .) | nindent 4 }}
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno
@ -759,6 +762,7 @@ metadata:
controller-gen.kubebuilder.io/version: v0.10.0
config.kubernetes.io/index: '4'
internal.config.kubernetes.io/index: '4'
{{- trim (include "kyverno.crdAnnotations" .) | nindent 4 }}
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno
@ -990,6 +994,7 @@ metadata:
controller-gen.kubebuilder.io/version: v0.10.0
config.kubernetes.io/index: '5'
internal.config.kubernetes.io/index: '5'
{{- trim (include "kyverno.crdAnnotations" .) | nindent 4 }}
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno
@ -8211,6 +8216,7 @@ metadata:
controller-gen.kubebuilder.io/version: v0.10.0
config.kubernetes.io/index: '6'
internal.config.kubernetes.io/index: '6'
{{- trim (include "kyverno.crdAnnotations" .) | nindent 4 }}
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno
@ -8483,6 +8489,7 @@ metadata:
controller-gen.kubebuilder.io/version: v0.10.0
config.kubernetes.io/index: '7'
internal.config.kubernetes.io/index: '7'
{{- trim (include "kyverno.crdAnnotations" .) | nindent 4 }}
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno
@ -8658,6 +8665,7 @@ metadata:
controller-gen.kubebuilder.io/version: v0.10.0
config.kubernetes.io/index: '8'
internal.config.kubernetes.io/index: '8'
{{- trim (include "kyverno.crdAnnotations" .) | nindent 4 }}
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno
@ -15879,6 +15887,7 @@ metadata:
controller-gen.kubebuilder.io/version: v0.10.0
config.kubernetes.io/index: '9'
internal.config.kubernetes.io/index: '9'
{{- trim (include "kyverno.crdAnnotations" .) | nindent 4 }}
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno
@ -16151,6 +16160,7 @@ metadata:
controller-gen.kubebuilder.io/version: v0.10.0
config.kubernetes.io/index: '10'
internal.config.kubernetes.io/index: '10'
{{- trim (include "kyverno.crdAnnotations" .) | nindent 4 }}
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno


@ -445,6 +445,12 @@ createSelfSignedCert: false
# If the CRDs are not installed by Helm, they must be added before policies can be created.
installCRDs: true
crds:
# -- Additional CRDs annotations.
annotations: {}
# argocd.argoproj.io/sync-options: Replace=true
# strategy.spinnaker.io/replace: 'true'
networkPolicy:
# -- When true, use a NetworkPolicy to allow ingress to the webhook
# This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
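Review bot: The added `crds.annotations` default is `{}` and both example annotations are commented out, so no sync option is applied unless the operator opts in, which differs from the commit title's "set ArgoCD sync option by default"; the `# --` doc comment should state the actual default. I would expand it to something like `# -- Additional CRDs annotations (none are set by default; uncomment an example below to opt in).` and regenerate the README table from it. It is also worth one comment line noting that `Replace=true` makes Argo CD replace the CRD objects rather than patch them, so changes made to the CRDs outside the chart are overwritten on sync.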