From 0e1d2cae055bc3a204b94fceb27feee28906a692 Mon Sep 17 00:00:00 2001
From: Edwin Mackenzie-Owen
Date: Wed, 2 Nov 2022 10:35:33 +0100
Subject: [PATCH] Helm chart: add extraCRDAnnotations value and set ArgoCD sync option by default (#4964)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* fix: add extraCRDAnnotations option to helm chart set ArgoCD replace sync option by default
Signed-off-by: Edwin Mackenzie-Owen
* fix: add extraCRDAnnotations via codegen
* use template
Signed-off-by: Charles-Edouard Brétéché
Signed-off-by: Edwin Mackenzie-Owen
Signed-off-by: Charles-Edouard Brétéché
Co-authored-by: Charles-Edouard Brétéché
Co-authored-by: Charles-Edouard Brétéché
---
 Makefile | 2 +-
 charts/kyverno/Chart.yaml | 2 ++
 charts/kyverno/README.md | 1 +
 charts/kyverno/templates/_helpers.tpl | 6 ++++++
 charts/kyverno/templates/crds.yaml | 10 ++++++++++
 charts/kyverno/values.yaml | 6 ++++++
 6 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 7dc1c0305f..b718f52449 100644
--- a/Makefile
+++ b/Makefile
@@ -447,7 +447,7 @@ codegen-helm-crds: $(KUSTOMIZE) codegen-crds-all ## Generate helm CRDs
 @VERSION='"{{.Chart.AppVersion}}"' TOP_PATH=".." envsubst < config/templates/labels.yaml.envsubst > config/.helm/labels.yaml
 @VERSION=dummy TOP_PATH=".." envsubst < config/templates/kustomization.yaml.envsubst > config/.helm/kustomization.yaml
 @echo Generate helm crds... >&2
- @$(KUSTOMIZE) build ./config/.helm | $(KUSTOMIZE) cfg grep kind=CustomResourceDefinition | $(SED) -e "1i{{- if .Values.installCRDs }}" -e '$$a{{- end }}' > ./charts/kyverno/templates/crds.yaml
+ @$(KUSTOMIZE) build ./config/.helm | $(KUSTOMIZE) cfg grep kind=CustomResourceDefinition | $(SED) -e "1i{{- if .Values.installCRDs }}" -e '$$a{{- end }}' -e '/^ creationTimestamp: null/i \ \ \ \ {{- trim (include "kyverno.crdAnnotations" .) | nindent 4 }}' > ./charts/kyverno/templates/crds.yaml
 .PHONY: codegen-helm-all
 codegen-helm-all: codegen-helm-crds codegen-helm-docs ## Generate helm docs and CRDs
diff --git a/charts/kyverno/Chart.yaml b/charts/kyverno/Chart.yaml
index 7258fc7b99..86e3944b39 100644
--- a/charts/kyverno/Chart.yaml
+++ b/charts/kyverno/Chart.yaml
@@ -48,3 +48,5 @@ annotations:
 description: Enable adding optional annotations to configmaps
 - kind: added
 description: Add startup probes support
+ - kind: added
+ description: Support extra CRD annotations
diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index 231a7dac95..0d19727afc 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
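Review bot: The new sed `i` expression on the `+` line keys off a literal `creationTimestamp: null` line following each CRD's annotation block, so if a future controller-gen or kustomize output stops emitting that line, or changes its indentation, the helper include is silently dropped from every CRD and `crds.annotations` stops having any effect while the target still succeeds. A cheap guard after the pipeline would turn that into a build failure, e.g. a recipe line `@grep -q 'kyverno.crdAnnotations' ./charts/kyverno/templates/crds.yaml || { echo 'crds.yaml: crdAnnotations hook not injected' >&2; exit 1; }` (tab-indented like the other recipe lines). A short comment above the pipeline saying why the hook is spliced in with sed rather than written in the template — crds.yaml is regenerated from kustomize output, so hand edits would be lost — would help the next person who touches this target. The recipe for `codegen-helm-crds` may begin before the hunk.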
@@ -205,6 +205,7 @@ The command removes all the Kubernetes components associated with the chart and
 | serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint |
 | createSelfSignedCert | bool | `false` | Kyverno requires a certificate key pair and corresponding certificate authority to properly register its webhooks. This can be done in one of 3 ways: 1) Use kube-controller-manager to generate a CA-signed certificate (preferred) 2) Provide your own CA and cert. In this case, you will need to create a certificate with a specific name and data structure. As long as you follow the naming scheme, it will be automatically picked up. kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entries named tls.key and tls.crt) kyverno-svc.kyverno.svc.kyverno-tls-pair (with data entries named tls.key and tls.crt) 3) Let Helm generate a self signed cert, by setting createSelfSignedCert true If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false |
 | installCRDs | bool | `true` | Whether to have Helm install the Kyverno CRDs. If the CRDs are not installed by Helm, they must be added before policies can be created. |
+| crds.annotations | object | `{}` | Additional CRDs annotations. |
 | networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
 | networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
 | webhooksCleanup.enable | bool | `false` | Create a helm pre-delete hook to cleanup webhooks. |
diff --git a/charts/kyverno/templates/_helpers.tpl b/charts/kyverno/templates/_helpers.tpl
index 17dbcd5dbf..5d577b3e7c 100644
--- a/charts/kyverno/templates/_helpers.tpl
+++ b/charts/kyverno/templates/_helpers.tpl
@@ -159,3 +159,9 @@ maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
 {{- end }}
 {{- $newWebhook | toJson }}
 {{- end }}
+
+{{- define "kyverno.crdAnnotations" -}}
+{{- range $key, $value := .Values.crds.annotations }}
+{{ $key }}: {{ $value | quote }}
+{{- end }}
+{{- end }}
diff --git a/charts/kyverno/templates/crds.yaml b/charts/kyverno/templates/crds.yaml
index 33348c5d9e..22bf56c129 100644
--- a/charts/kyverno/templates/crds.yaml
+++ b/charts/kyverno/templates/crds.yaml
@@ -6,6 +6,7 @@ metadata:
 controller-gen.kubebuilder.io/version: v0.10.0
 config.kubernetes.io/index: '1'
 internal.config.kubernetes.io/index: '1'
+ {{- trim (include "kyverno.crdAnnotations" .) | nindent 4 }}
 creationTimestamp: null
 labels:
 app.kubernetes.io/component: kyverno
@@ -267,6 +268,7 @@ metadata:
 controller-gen.kubebuilder.io/version: v0.10.0
 config.kubernetes.io/index: '2'
 internal.config.kubernetes.io/index: '2'
+ {{- trim (include "kyverno.crdAnnotations" .) | nindent 4 }}
 creationTimestamp: null
 labels:
 app.kubernetes.io/component: kyverno
@@ -498,6 +500,7 @@ metadata:
 controller-gen.kubebuilder.io/version: v0.10.0
 config.kubernetes.io/index: '3'
 internal.config.kubernetes.io/index: '3'
+ {{- trim (include "kyverno.crdAnnotations" .) | nindent 4 }}
 creationTimestamp: null
 labels:
 app.kubernetes.io/component: kyverno
@@ -759,6 +762,7 @@ metadata:
 controller-gen.kubebuilder.io/version: v0.10.0
 config.kubernetes.io/index: '4'
 internal.config.kubernetes.io/index: '4'
+ {{- trim (include "kyverno.crdAnnotations" .) | nindent 4 }}
 creationTimestamp: null
 labels:
 app.kubernetes.io/component: kyverno
@@ -990,6 +994,7 @@ metadata:
 controller-gen.kubebuilder.io/version: v0.10.0
 config.kubernetes.io/index: '5'
 internal.config.kubernetes.io/index: '5'
+ {{- trim (include "kyverno.crdAnnotations" .) | nindent 4 }}
 creationTimestamp: null
 labels:
 app.kubernetes.io/component: kyverno
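Review bot: In the new `kyverno.crdAnnotations` template the value is passed through `quote` but the key is emitted raw, so a mistyped annotation key containing YAML-significant characters (a `: `, a leading `#`, quotes) corrupts the rendered CRD manifest and surfaces as a confusing YAML parse error instead of the API server's clear key-validation error; quoting the key too, `{{ $key | quote }}: {{ $value | quote }}`, keeps the output well-formed for whatever the user supplies. Quoting the value is the right call, since annotation values must be strings and a bare `true` in values.yaml would otherwise render as a YAML boolean, and that intent deserves a comment above the `define`, e.g. `{{/* Renders .Values.crds.annotations as a YAML map; values are quoted because annotation values must be strings. */}}`. For the generated crds.yaml call sites, which I would leave to the Makefile, note that with an empty map `trim` returns "" and `nindent 4` still emits a whitespace-only line — harmless YAML, but a `{{- with }}` guard in the caller would avoid it if the codegen is ever revisited.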
@@ -8211,6 +8216,7 @@ metadata:
 controller-gen.kubebuilder.io/version: v0.10.0
 config.kubernetes.io/index: '6'
 internal.config.kubernetes.io/index: '6'
+ {{- trim (include "kyverno.crdAnnotations" .) | nindent 4 }}
 creationTimestamp: null
 labels:
 app.kubernetes.io/component: kyverno
@@ -8483,6 +8489,7 @@ metadata:
 controller-gen.kubebuilder.io/version: v0.10.0
 config.kubernetes.io/index: '7'
 internal.config.kubernetes.io/index: '7'
+ {{- trim (include "kyverno.crdAnnotations" .) | nindent 4 }}
 creationTimestamp: null
 labels:
 app.kubernetes.io/component: kyverno
@@ -8658,6 +8665,7 @@ metadata:
 controller-gen.kubebuilder.io/version: v0.10.0
 config.kubernetes.io/index: '8'
 internal.config.kubernetes.io/index: '8'
+ {{- trim (include "kyverno.crdAnnotations" .) | nindent 4 }}
 creationTimestamp: null
 labels:
 app.kubernetes.io/component: kyverno
@@ -15879,6 +15887,7 @@ metadata:
 controller-gen.kubebuilder.io/version: v0.10.0
 config.kubernetes.io/index: '9'
 internal.config.kubernetes.io/index: '9'
+ {{- trim (include "kyverno.crdAnnotations" .) | nindent 4 }}
 creationTimestamp: null
 labels:
 app.kubernetes.io/component: kyverno
@@ -16151,6 +16160,7 @@ metadata:
 controller-gen.kubebuilder.io/version: v0.10.0
 config.kubernetes.io/index: '10'
 internal.config.kubernetes.io/index: '10'
+ {{- trim (include "kyverno.crdAnnotations" .) | nindent 4 }}
 creationTimestamp: null
 labels:
 app.kubernetes.io/component: kyverno
diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml
index 9687aa9104..54145767d5 100644
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@@ -445,6 +445,12 @@ createSelfSignedCert: false
 # If the CRDs are not installed by Helm, they must be added before policies can be created.
 installCRDs: true
+crds:
+ # -- Additional CRDs annotations.
+ annotations: {}
+ # argocd.argoproj.io/sync-options: Replace=true
+ # strategy.spinnaker.io/replace: 'true'
+
 networkPolicy:
 # -- When true, use a NetworkPolicy to allow ingress to the webhook
 # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
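Review bot: The helm-docs comment `# -- Additional CRDs annotations.` on the new `crds.annotations` key leaves out two things a user needs: the annotations only reach the CRDs when `installCRDs` is true (the generated crds.yaml is wrapped in `{{- if .Values.installCRDs }}` by the Makefile), and the two commented lines below `annotations: {}` are examples rather than defaults — the chart ships an empty map, even though the commit subject says the ArgoCD sync option is set by default. I would expand the comment to something like `# -- Additional annotations to add to the CRDs (only applied when installCRDs is true). Values are rendered as quoted strings.` and head the two examples with `# Examples:` so neither helm-docs output nor a reader takes them for active configuration. Since these examples change how GitOps tooling applies the CRDs, saying plainly that they are opt-in is worth the extra line.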