refactor: helm admission controller config (#6473)
* refactor: helm admission controller config Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * tuf stuff Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: helm admission controller config Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
parent
c8a3b19d2c
commit
3b9af3b085
7 changed files with 51 additions and 42 deletions
12
Makefile
12
Makefile
|
@ -522,7 +522,7 @@ codegen-manifest-install: $(HELM) ## Create install manifest
|
||||||
--set templating.enabled=true \
|
--set templating.enabled=true \
|
||||||
--set templating.version=latest \
|
--set templating.version=latest \
|
||||||
--set image.tag=latest \
|
--set image.tag=latest \
|
||||||
--set initImage.tag=latest \
|
--set admissionController.initContainer.image.tag=latest \
|
||||||
--set cleanupController.image.tag=latest \
|
--set cleanupController.image.tag=latest \
|
||||||
--set reportsController.image.tag=latest \
|
--set reportsController.image.tag=latest \
|
||||||
--set backgroundController.image.tag=latest \
|
--set backgroundController.image.tag=latest \
|
||||||
|
@ -538,7 +538,7 @@ codegen-manifest-debug: $(HELM) ## Create debug manifest
|
||||||
--set templating.version=latest \
|
--set templating.version=latest \
|
||||||
--set templating.debug=true \
|
--set templating.debug=true \
|
||||||
--set image.tag=latest \
|
--set image.tag=latest \
|
||||||
--set initImage.tag=latest \
|
--set admissionController.initContainer.image.tag=latest \
|
||||||
--set cleanupController.image.tag=latest \
|
--set cleanupController.image.tag=latest \
|
||||||
--set reportsController.image.tag=latest \
|
--set reportsController.image.tag=latest \
|
||||||
| $(SED) -e '/^#.*/d' \
|
| $(SED) -e '/^#.*/d' \
|
||||||
|
@ -553,7 +553,7 @@ codegen-manifest-release: $(HELM) ## Create release manifest
|
||||||
--set templating.enabled=true \
|
--set templating.enabled=true \
|
||||||
--set templating.version=$(GIT_VERSION) \
|
--set templating.version=$(GIT_VERSION) \
|
||||||
--set image.tag=$(GIT_VERSION) \
|
--set image.tag=$(GIT_VERSION) \
|
||||||
--set initImage.tag=$(GIT_VERSION) \
|
--set admissionController.initContainer.image.tag=$(GIT_VERSION) \
|
||||||
--set cleanupController.image.tag=$(GIT_VERSION) \
|
--set cleanupController.image.tag=$(GIT_VERSION) \
|
||||||
--set reportsController.image.tag=$(GIT_VERSION) \
|
--set reportsController.image.tag=$(GIT_VERSION) \
|
||||||
| $(SED) -e '/^#.*/d' \
|
| $(SED) -e '/^#.*/d' \
|
||||||
|
@ -819,9 +819,9 @@ kind-install-kyverno: $(HELM) ## Install kyverno helm chart
|
||||||
--set image.registry=$(LOCAL_REGISTRY) \
|
--set image.registry=$(LOCAL_REGISTRY) \
|
||||||
--set image.repository=$(LOCAL_KYVERNO_REPO) \
|
--set image.repository=$(LOCAL_KYVERNO_REPO) \
|
||||||
--set image.tag=$(IMAGE_TAG_DEV) \
|
--set image.tag=$(IMAGE_TAG_DEV) \
|
||||||
--set initImage.registry=$(LOCAL_REGISTRY) \
|
--set admissionController.initContainer.image.registry=$(LOCAL_REGISTRY) \
|
||||||
--set initImage.repository=$(LOCAL_KYVERNOPRE_REPO) \
|
--set admissionController.initContainer.image.repository=$(LOCAL_KYVERNOPRE_REPO) \
|
||||||
--set initImage.tag=$(IMAGE_TAG_DEV) \
|
--set admissionController.initContainer.image.tag=$(IMAGE_TAG_DEV) \
|
||||||
--set cleanupController.image.registry=$(LOCAL_REGISTRY) \
|
--set cleanupController.image.registry=$(LOCAL_REGISTRY) \
|
||||||
--set cleanupController.image.repository=$(LOCAL_CLEANUP_REPO) \
|
--set cleanupController.image.repository=$(LOCAL_CLEANUP_REPO) \
|
||||||
--set cleanupController.image.tag=$(IMAGE_TAG_DEV) \
|
--set cleanupController.image.tag=$(IMAGE_TAG_DEV) \
|
||||||
|
|
|
@ -143,6 +143,8 @@ In `v3` chart values changed significantly, please read the instructions below t
|
||||||
- `podSecurityContext` has been replaced with `admissionController.podSecurityContext`
|
- `podSecurityContext` has been replaced with `admissionController.podSecurityContext`
|
||||||
- `tufRootMountPath` has been replaced with `admissionController.tufRootMountPath`
|
- `tufRootMountPath` has been replaced with `admissionController.tufRootMountPath`
|
||||||
- `sigstoreVolume` has been replaced with `admissionController.sigstoreVolume`
|
- `sigstoreVolume` has been replaced with `admissionController.sigstoreVolume`
|
||||||
|
- `initImage` has been replaced with `admissionController.initContainer.image`
|
||||||
|
- `initResources` has been replaced with `admissionController.initContainer.resources`
|
||||||
|
|
||||||
- Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above.
|
- Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above.
|
||||||
|
|
||||||
|
@ -204,10 +206,6 @@ The command removes all the Kubernetes components associated with the chart and
|
||||||
| image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted |
|
| image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted |
|
||||||
| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
|
| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
|
||||||
| image.pullSecrets | list | `[]` | Image pull secrets |
|
| image.pullSecrets | list | `[]` | Image pull secrets |
|
||||||
| initImage.registry | string | `"ghcr.io"` | Image registry |
|
|
||||||
| initImage.repository | string | `"kyverno/kyvernopre"` | Image repository |
|
|
||||||
| initImage.tag | string | `nil` | Image tag If initImage.tag is missing, defaults to image.tag |
|
|
||||||
| initImage.pullPolicy | string | `nil` | Image pull policy If initImage.pullPolicy is missing, defaults to image.pullPolicy |
|
|
||||||
| initContainer.extraArgs | list | `["--loggingFormat=text"]` | Extra arguments to give to the kyvernopre binary. |
|
| initContainer.extraArgs | list | `["--loggingFormat=text"]` | Extra arguments to give to the kyvernopre binary. |
|
||||||
| podLabels | object | `{}` | Additional labels to add to each pod |
|
| podLabels | object | `{}` | Additional labels to add to each pod |
|
||||||
| podAnnotations | object | `{}` | Additional annotations to add to each pod |
|
| podAnnotations | object | `{}` | Additional annotations to add to each pod |
|
||||||
|
@ -219,8 +217,6 @@ The command removes all the Kubernetes components associated with the chart and
|
||||||
| extraContainers | list | `[]` | Array of extra containers to run alongside kyverno |
|
| extraContainers | list | `[]` | Array of extra containers to run alongside kyverno |
|
||||||
| resources.limits | object | `{"memory":"384Mi"}` | Pod resource limits |
|
| resources.limits | object | `{"memory":"384Mi"}` | Pod resource limits |
|
||||||
| resources.requests | object | `{"cpu":"100m","memory":"128Mi"}` | Pod resource requests |
|
| resources.requests | object | `{"cpu":"100m","memory":"128Mi"}` | Pod resource requests |
|
||||||
| initResources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits |
|
|
||||||
| initResources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests |
|
|
||||||
| generatecontrollerExtraResources | list | `[]` | Additional resources to be added to controller RBAC permissions. |
|
| generatecontrollerExtraResources | list | `[]` | Additional resources to be added to controller RBAC permissions. |
|
||||||
| excludeKyvernoNamespace | bool | `true` | Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters |
|
| excludeKyvernoNamespace | bool | `true` | Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters |
|
||||||
| resourceFiltersExcludeNamespaces | list | `[]` | resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters |
|
| resourceFiltersExcludeNamespaces | list | `[]` | resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters |
|
||||||
|
@ -269,6 +265,12 @@ The command removes all the Kubernetes components associated with the chart and
|
||||||
| admissionController.serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint |
|
| admissionController.serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint |
|
||||||
| admissionController.tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization. |
|
| admissionController.tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization. |
|
||||||
| admissionController.sigstoreVolume | object | `{"emptyDir":{}}` | Volume to be mounted in pods for TUF/cosign work. |
|
| admissionController.sigstoreVolume | object | `{"emptyDir":{}}` | Volume to be mounted in pods for TUF/cosign work. |
|
||||||
|
| admissionController.initContainer.image.registry | string | `"ghcr.io"` | Image registry |
|
||||||
|
| admissionController.initContainer.image.repository | string | `"kyverno/kyvernopre"` | Image repository |
|
||||||
|
| admissionController.initContainer.image.tag | string | `nil` | Image tag If missing, defaults to image.tag |
|
||||||
|
| admissionController.initContainer.image.pullPolicy | string | `nil` | Image pull policy If missing, defaults to image.pullPolicy |
|
||||||
|
| admissionController.initContainer.resources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits |
|
||||||
|
| admissionController.initContainer.resources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests |
|
||||||
| cleanupController.enabled | bool | `true` | Enable cleanup controller. |
|
| cleanupController.enabled | bool | `true` | Enable cleanup controller. |
|
||||||
| cleanupController.rbac.create | bool | `true` | Create RBAC resources |
|
| cleanupController.rbac.create | bool | `true` | Create RBAC resources |
|
||||||
| cleanupController.rbac.serviceAccount.name | string | `nil` | Service account name |
|
| cleanupController.rbac.serviceAccount.name | string | `nil` | Service account name |
|
||||||
|
|
|
@ -143,6 +143,8 @@ In `v3` chart values changed significantly, please read the instructions below t
|
||||||
- `podSecurityContext` has been replaced with `admissionController.podSecurityContext`
|
- `podSecurityContext` has been replaced with `admissionController.podSecurityContext`
|
||||||
- `tufRootMountPath` has been replaced with `admissionController.tufRootMountPath`
|
- `tufRootMountPath` has been replaced with `admissionController.tufRootMountPath`
|
||||||
- `sigstoreVolume` has been replaced with `admissionController.sigstoreVolume`
|
- `sigstoreVolume` has been replaced with `admissionController.sigstoreVolume`
|
||||||
|
- `initImage` has been replaced with `admissionController.initContainer.image`
|
||||||
|
- `initResources` has been replaced with `admissionController.initContainer.resources`
|
||||||
|
|
||||||
- Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above.
|
- Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above.
|
||||||
|
|
||||||
|
|
|
@ -7,6 +7,8 @@ image:
|
||||||
registry: ko.local
|
registry: ko.local
|
||||||
repository: github.com/kyverno/kyverno/cmd/kyverno
|
repository: github.com/kyverno/kyverno/cmd/kyverno
|
||||||
|
|
||||||
initImage:
|
admissionController:
|
||||||
registry: ko.local
|
initContainer:
|
||||||
repository: github.com/kyverno/kyverno/cmd/initcontainer
|
image:
|
||||||
|
registry: ko.local
|
||||||
|
repository: github.com/kyverno/kyverno/cmd/initcontainer
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
Chart version: {{ .Chart.Version }}
|
Chart version: {{ .Chart.Version }}
|
||||||
Kyverno version: {{ default .Chart.AppVersion (default .Values.image.tag .Values.initImage.tag) }}
|
Kyverno version: {{ default .Chart.AppVersion (default .Values.image.tag .Values.admissionController.initContainer.image.tag) }}
|
||||||
|
|
||||||
Thank you for installing {{ .Chart.Name }}! Your release is named {{ .Release.Name }}.
|
Thank you for installing {{ .Chart.Name }}! Your release is named {{ .Release.Name }}.
|
||||||
|
|
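Review bot: The `Kyverno version:` line prefers the init container tag over `image.tag`, because `default` returns its second argument whenever that argument is set. An install that pins only `admissionController.initContainer.image.tag` will therefore print that tag as the Kyverno version, while the chart README in this commit documents the main image as resolving from `image.tag` or the chart appVersion. The renamed path carries the earlier behaviour over unchanged, but the banner would track the running controller more reliably as `Kyverno version: {{ default .Chart.AppVersion .Values.image.tag }}`.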
||||||
|
|
|
@ -78,14 +78,15 @@ spec:
|
||||||
{{- toYaml .Values.extraInitContainers | nindent 8 }}
|
{{- toYaml .Values.extraInitContainers | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
- name: kyverno-pre
|
- name: kyverno-pre
|
||||||
image: {{ include "kyverno.image" (dict "image" .Values.initImage "defaultTag" (default .Chart.AppVersion .Values.image.tag)) | quote }}
|
image: {{ include "kyverno.image" (dict "image" .Values.admissionController.initContainer.image "defaultTag" (default .Chart.AppVersion .Values.image.tag)) | quote }}
|
||||||
imagePullPolicy: {{ default .Values.image.pullPolicy .Values.initImage.pullPolicy }}
|
imagePullPolicy: {{ default .Values.image.pullPolicy .Values.admissionController.initContainer.image.pullPolicy }}
|
||||||
{{- if .Values.initContainer.extraArgs }}
|
{{- if .Values.initContainer.extraArgs }}
|
||||||
args:
|
args:
|
||||||
{{- tpl (toYaml .Values.initContainer.extraArgs) . | nindent 12 }}
|
{{- tpl (toYaml .Values.initContainer.extraArgs) . | nindent 12 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- with .Values.initResources }}
|
{{- with .Values.admissionController.initContainer.resources }}
|
||||||
resources: {{ tpl (toYaml .) $ | nindent 12 }}
|
resources:
|
||||||
|
{{- tpl (toYaml .) $ | nindent 12 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- with .Values.securityContext }}
|
{{- with .Values.securityContext }}
|
||||||
securityContext:
|
securityContext:
|
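Review bot: A values file that still sets `initImage` or `initResources` will now render without error and have those overrides silently dropped, because the `kyverno-pre` container reads only `.Values.admissionController.initContainer.image` and `.Values.admissionController.initContainer.resources`. For an install that pointed `initImage.registry` at an internal registry, the init container would then resolve to the chart defaults (`ghcr.io` / `kyverno/kyvernopre`) with no signal to the operator. Unless the chart already rejects the old keys elsewhere (not visible in this section), a guard such as `{{- if or .Values.initImage .Values.initResources }}{{ fail "initImage and initResources moved under admissionController.initContainer" }}{{- end }}` would turn the silent fallback into a render-time error. The pod spec around this container starts and ends outside the hunk.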
||||||
|
|
|
@ -217,18 +217,6 @@ image:
|
||||||
pullSecrets: []
|
pullSecrets: []
|
||||||
# - secretName
|
# - secretName
|
||||||
|
|
||||||
initImage:
|
|
||||||
# -- Image registry
|
|
||||||
registry: ghcr.io
|
|
||||||
# -- Image repository
|
|
||||||
repository: kyverno/kyvernopre
|
|
||||||
# -- (string) Image tag
|
|
||||||
# If initImage.tag is missing, defaults to image.tag
|
|
||||||
tag: ~
|
|
||||||
# -- (string) Image pull policy
|
|
||||||
# If initImage.pullPolicy is missing, defaults to image.pullPolicy
|
|
||||||
pullPolicy: ~
|
|
||||||
|
|
||||||
initContainer:
|
initContainer:
|
||||||
# -- Extra arguments to give to the kyvernopre binary.
|
# -- Extra arguments to give to the kyvernopre binary.
|
||||||
extraArgs:
|
extraArgs:
|
||||||
|
@ -287,16 +275,6 @@ resources:
|
||||||
cpu: 100m
|
cpu: 100m
|
||||||
memory: 128Mi
|
memory: 128Mi
|
||||||
|
|
||||||
initResources:
|
|
||||||
# -- Pod resource limits
|
|
||||||
limits:
|
|
||||||
cpu: 100m
|
|
||||||
memory: 256Mi
|
|
||||||
# -- Pod resource requests
|
|
||||||
requests:
|
|
||||||
cpu: 10m
|
|
||||||
memory: 64Mi
|
|
||||||
|
|
||||||
# -- Additional resources to be added to controller RBAC permissions.
|
# -- Additional resources to be added to controller RBAC permissions.
|
||||||
generatecontrollerExtraResources: []
|
generatecontrollerExtraResources: []
|
||||||
# - ResourceA
|
# - ResourceA
|
||||||
|
@ -505,6 +483,30 @@ admissionController:
|
||||||
sigstoreVolume:
|
sigstoreVolume:
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
|
|
||||||
|
initContainer:
|
||||||
|
|
||||||
|
image:
|
||||||
|
# -- Image registry
|
||||||
|
registry: ghcr.io
|
||||||
|
# -- Image repository
|
||||||
|
repository: kyverno/kyvernopre
|
||||||
|
# -- (string) Image tag
|
||||||
|
# If missing, defaults to image.tag
|
||||||
|
tag: ~
|
||||||
|
# -- (string) Image pull policy
|
||||||
|
# If missing, defaults to image.pullPolicy
|
||||||
|
pullPolicy: ~
|
||||||
|
|
||||||
|
resources:
|
||||||
|
# -- Pod resource limits
|
||||||
|
limits:
|
||||||
|
cpu: 100m
|
||||||
|
memory: 256Mi
|
||||||
|
# -- Pod resource requests
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 64Mi
|
||||||
|
|
||||||
# Cleanup controller configuration
|
# Cleanup controller configuration
|
||||||
cleanupController:
|
cleanupController:
|
||||||
|
|
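Review bot: The comments on the new `tag` and `pullPolicy` keys say they default to `image.tag` and `image.pullPolicy`, which is ambiguous now that the block itself lives at `admissionController.initContainer.image`; a reader can take the reference for a sibling key. The deployment template in this commit takes the fallback from the top-level `image` block and then the chart appVersion, so the tag comment could read `# If missing, defaults to the top-level image.tag, then to the chart appVersion`, with matching wording for `pullPolicy`. A one-line comment noting that `initContainer.extraArgs` remains at the top level would also help, since the chart now carries two `initContainer` keys at different depths.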
||||||
|
|