From 2264d21cd2ae8e8b13b615b1dae634693616dea7 Mon Sep 17 00:00:00 2001
From: shuting
Date: Thu, 22 Jun 2023 17:14:41 +0800
Subject: [PATCH] enable webhook clean up (#7633)
Signed-off-by: ShutingZhao
---
 charts/kyverno/Chart.yaml | 2 ++
 charts/kyverno/README.md | 2 +-
 charts/kyverno/templates/admission-controller/role.yaml | 4 ++++
 charts/kyverno/templates/hooks/pre-delete.yaml | 2 ++
 charts/kyverno/values.yaml | 2 +-
 5 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/charts/kyverno/Chart.yaml b/charts/kyverno/Chart.yaml
index e681ce2d5f..c027099d4f 100644
--- a/charts/kyverno/Chart.yaml
+++ b/charts/kyverno/Chart.yaml
@@ -44,3 +44,5 @@ annotations:
 description: support `excludeRoles` and `excludeClusterRoles` in config
 - kind: added
 description: define resources for cleanupJobs
+ - kind: changed
+ description: change to enable webhook cleanup hook by default
diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index 3ea57519fe..2e3aa0d551 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@@ -601,7 +601,7 @@ The chart values are organised per component.
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| webhooksCleanup.enabled | bool | `false` | Create a helm pre-delete hook to cleanup webhooks. |
+| webhooksCleanup.enabled | bool | `true` | Create a helm pre-delete hook to cleanup webhooks. |
 | webhooksCleanup.image | string | `"bitnami/kubectl:latest"` | `kubectl` image to run commands for deleting webhooks. |
 | webhooksCleanup.imagePullSecrets | list | `[]` | Image pull secrets |
diff --git a/charts/kyverno/templates/admission-controller/role.yaml b/charts/kyverno/templates/admission-controller/role.yaml
index b73643c45d..7f45e196ec 100644
--- a/charts/kyverno/templates/admission-controller/role.yaml
+++ b/charts/kyverno/templates/admission-controller/role.yaml
@@ -45,14 +45,18 @@ rules:
 resources:
 - deployments
 {{- if .Values.webhooksCleanup.enabled }}
+ {{- if not .Values.templating.enabled -}}
 - deployments/scale
 {{- end }}
+ {{- end }}
 verbs:
 - get
 - list
 - watch
 {{- if .Values.webhooksCleanup.enabled }}
+ {{- if not .Values.templating.enabled -}}
 - patch
 - update
 {{- end }}
+ {{- end }}
 {{- end -}}
diff --git a/charts/kyverno/templates/hooks/pre-delete.yaml b/charts/kyverno/templates/hooks/pre-delete.yaml
index d75ec99ae1..522c867b61 100644
--- a/charts/kyverno/templates/hooks/pre-delete.yaml
+++ b/charts/kyverno/templates/hooks/pre-delete.yaml
@@ -1,4 +1,5 @@
 {{- if .Values.webhooksCleanup.enabled -}}
+ {{- if not .Values.templating.enabled -}}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -30,4 +31,5 @@ spec:
 sleep 30
 kubectl delete validatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno
 kubectl delete mutatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno
+ {{- end -}}
 {{- end -}}
diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml
index bd365c7837..72327f2cd4 100644
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@@ -302,7 +302,7 @@ customLabels: {}
 webhooksCleanup:
 # -- Create a helm pre-delete hook to cleanup webhooks.
- enabled: false
+ enabled: true
 # -- `kubectl` image to run commands for deleting webhooks.
 image: bitnami/kubectl:latest
 # -- Image pull secrets
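Review bot: The right-hand trim on the two added `{{- if not .Values.templating.enabled -}}` lines in role.yaml removes the newline in front of `- deployments/scale` and `- patch`, and the `{{-` markers before them have already removed the newline after `- deployments` and `- watch`. When the block is active the list items would therefore render joined, as `- deployments- deployments/scale` and `- watch- patch`, so the rule names a resource and a verb that do not exist and the Role silently stops granting what it is meant to grant on deployments. Dropping the trailing dash, `{{- if not .Values.templating.enabled }}`, keeps the line break; a `helm template` render of this Role in the chart tests would catch the regression. The `rules:` entry begins above the hunk, so its apiGroups are not visible here.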
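Review bot: Nothing in pre-delete.yaml explains why the cleanup Job is skipped when `templating.enabled` is set; the guard added at the top of the file and its matching `{{- end -}}` in the second hunk tie the hook to a value whose purpose is not stated. A template comment above the guard, along the lines of `{{- /* not rendered when templating.enabled is set: hooks do not run for manifests produced that way */ -}}` (wording to be confirmed by the author), would tell operators that webhook configurations must then be removed another way, since stale ones can keep intercepting API requests after uninstall. The two conditions could also be folded into `{{- if and .Values.webhooksCleanup.enabled (not .Values.templating.enabled) -}}`, leaving a single `end` to keep balanced. The Job spec between the two hunks is not shown.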
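Review bot: A default install now runs a mutable image tag, `bitnami/kubectl:latest` on the unchanged `image:` line, because `enabled` becomes `true` in this values.yaml hunk. The pre-delete Job uses that image to delete webhook configurations, so what executes with the hook's RBAC (not shown here) is whatever the registry serves at uninstall time and can differ between clusters. Consider pinning the default in the same change, e.g. `image: bitnami/kubectl:<pinned-version>@sha256:<digest>` (placeholders), and updating the matching README row. The `webhooksCleanup` block continues past the end of the hunk.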