mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-16 04:28:42 +00:00
Code Activity

refactor: helm admission controller config (#6473)

Browse source 
* refactor: helm admission controller config

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* tuf stuff

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* refactor: helm admission controller config

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2023-03-03 15:38:33 +01:00 committed by GitHub
parent c8a3b19d2c
commit 3b9af3b085
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 51 additions and 42 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
Makefile
View file

@ -522,7 +522,7 @@ codegen-manifest-install: $(HELM) ## Create install manifest
--set templating.enabled=true \ --set templating.enabled=true \
--set templating.version=latest \ --set templating.version=latest \
--set image.tag=latest \ --set image.tag=latest \
--set initImage.tag=latest \ --set admissionController.initContainer.image.tag=latest \
--set cleanupController.image.tag=latest \ --set cleanupController.image.tag=latest \
--set reportsController.image.tag=latest \ --set reportsController.image.tag=latest \
--set backgroundController.image.tag=latest \ --set backgroundController.image.tag=latest \
@ -538,7 +538,7 @@ codegen-manifest-debug: $(HELM) ## Create debug manifest
--set templating.version=latest \ --set templating.version=latest \
--set templating.debug=true \ --set templating.debug=true \
--set image.tag=latest \ --set image.tag=latest \
--set initImage.tag=latest \ --set admissionController.initContainer.image.tag=latest \
--set cleanupController.image.tag=latest \ --set cleanupController.image.tag=latest \
--set reportsController.image.tag=latest \ --set reportsController.image.tag=latest \
| $(SED) -e '/^#.*/d' \ | $(SED) -e '/^#.*/d' \
@ -553,7 +553,7 @@ codegen-manifest-release: $(HELM) ## Create release manifest
--set templating.enabled=true \ --set templating.enabled=true \
--set templating.version=$(GIT_VERSION) \ --set templating.version=$(GIT_VERSION) \
--set image.tag=$(GIT_VERSION) \ --set image.tag=$(GIT_VERSION) \
--set initImage.tag=$(GIT_VERSION) \ --set admissionController.initContainer.image.tag=$(GIT_VERSION) \
--set cleanupController.image.tag=$(GIT_VERSION) \ --set cleanupController.image.tag=$(GIT_VERSION) \
--set reportsController.image.tag=$(GIT_VERSION) \ --set reportsController.image.tag=$(GIT_VERSION) \
| $(SED) -e '/^#.*/d' \ | $(SED) -e '/^#.*/d' \
@ -819,9 +819,9 @@ kind-install-kyverno: $(HELM) ## Install kyverno helm chart
--set image.registry=$(LOCAL_REGISTRY) \ --set image.registry=$(LOCAL_REGISTRY) \
--set image.repository=$(LOCAL_KYVERNO_REPO) \ --set image.repository=$(LOCAL_KYVERNO_REPO) \
--set image.tag=$(IMAGE_TAG_DEV) \ --set image.tag=$(IMAGE_TAG_DEV) \
--set initImage.registry=$(LOCAL_REGISTRY) \ --set admissionController.initContainer.image.registry=$(LOCAL_REGISTRY) \
--set initImage.repository=$(LOCAL_KYVERNOPRE_REPO) \ --set admissionController.initContainer.image.repository=$(LOCAL_KYVERNOPRE_REPO) \
--set initImage.tag=$(IMAGE_TAG_DEV) \ --set admissionController.initContainer.image.tag=$(IMAGE_TAG_DEV) \
--set cleanupController.image.registry=$(LOCAL_REGISTRY) \ --set cleanupController.image.registry=$(LOCAL_REGISTRY) \
--set cleanupController.image.repository=$(LOCAL_CLEANUP_REPO) \ --set cleanupController.image.repository=$(LOCAL_CLEANUP_REPO) \
--set cleanupController.image.tag=$(IMAGE_TAG_DEV) \ --set cleanupController.image.tag=$(IMAGE_TAG_DEV) \

14
charts/kyverno/README.md
View file

@ -143,6 +143,8 @@ In `v3` chart values changed significantly, please read the instructions below t
- `podSecurityContext` has been replaced with `admissionController.podSecurityContext` - `podSecurityContext` has been replaced with `admissionController.podSecurityContext`
- `tufRootMountPath` has been replaced with `admissionController.tufRootMountPath` - `tufRootMountPath` has been replaced with `admissionController.tufRootMountPath`
- `sigstoreVolume` has been replaced with `admissionController.sigstoreVolume` - `sigstoreVolume` has been replaced with `admissionController.sigstoreVolume`
- `initImage` has been replaced with `admissionController.initContainer.image`
- `initResources` has been replaced with `admissionController.initContainer.resources`
- Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above. - Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above.
@ -204,10 +206,6 @@ The command removes all the Kubernetes components associated with the chart and
| image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted | | image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted |
| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
| image.pullSecrets | list | `[]` | Image pull secrets | | image.pullSecrets | list | `[]` | Image pull secrets |
| initImage.registry | string | `"ghcr.io"` | Image registry |
| initImage.repository | string | `"kyverno/kyvernopre"` | Image repository |
| initImage.tag | string | `nil` | Image tag If initImage.tag is missing, defaults to image.tag |
| initImage.pullPolicy | string | `nil` | Image pull policy If initImage.pullPolicy is missing, defaults to image.pullPolicy |
| initContainer.extraArgs | list | `["--loggingFormat=text"]` | Extra arguments to give to the kyvernopre binary. | | initContainer.extraArgs | list | `["--loggingFormat=text"]` | Extra arguments to give to the kyvernopre binary. |
| podLabels | object | `{}` | Additional labels to add to each pod | | podLabels | object | `{}` | Additional labels to add to each pod |
| podAnnotations | object | `{}` | Additional annotations to add to each pod | | podAnnotations | object | `{}` | Additional annotations to add to each pod |
@ -219,8 +217,6 @@ The command removes all the Kubernetes components associated with the chart and
| extraContainers | list | `[]` | Array of extra containers to run alongside kyverno | | extraContainers | list | `[]` | Array of extra containers to run alongside kyverno |
| resources.limits | object | `{"memory":"384Mi"}` | Pod resource limits | | resources.limits | object | `{"memory":"384Mi"}` | Pod resource limits |
| resources.requests | object | `{"cpu":"100m","memory":"128Mi"}` | Pod resource requests | | resources.requests | object | `{"cpu":"100m","memory":"128Mi"}` | Pod resource requests |
| initResources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits |
| initResources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests |
| generatecontrollerExtraResources | list | `[]` | Additional resources to be added to controller RBAC permissions. | | generatecontrollerExtraResources | list | `[]` | Additional resources to be added to controller RBAC permissions. |
| excludeKyvernoNamespace | bool | `true` | Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters | | excludeKyvernoNamespace | bool | `true` | Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters |
| resourceFiltersExcludeNamespaces | list | `[]` | resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters | | resourceFiltersExcludeNamespaces | list | `[]` | resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters |
@ -269,6 +265,12 @@ The command removes all the Kubernetes components associated with the chart and
| admissionController.serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint | | admissionController.serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint |
| admissionController.tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization. | | admissionController.tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization. |
| admissionController.sigstoreVolume | object | `{"emptyDir":{}}` | Volume to be mounted in pods for TUF/cosign work. | | admissionController.sigstoreVolume | object | `{"emptyDir":{}}` | Volume to be mounted in pods for TUF/cosign work. |
| admissionController.initContainer.image.registry | string | `"ghcr.io"` | Image registry |
| admissionController.initContainer.image.repository | string | `"kyverno/kyvernopre"` | Image repository |
| admissionController.initContainer.image.tag | string | `nil` | Image tag If missing, defaults to image.tag |
| admissionController.initContainer.image.pullPolicy | string | `nil` | Image pull policy If missing, defaults to image.pullPolicy |
| admissionController.initContainer.resources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits |
| admissionController.initContainer.resources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests |
| cleanupController.enabled | bool | `true` | Enable cleanup controller. | | cleanupController.enabled | bool | `true` | Enable cleanup controller. |
| cleanupController.rbac.create | bool | `true` | Create RBAC resources | | cleanupController.rbac.create | bool | `true` | Create RBAC resources |
| cleanupController.rbac.serviceAccount.name | string | `nil` | Service account name | | cleanupController.rbac.serviceAccount.name | string | `nil` | Service account name |

2
charts/kyverno/README.md.gotmpl
View file

@ -143,6 +143,8 @@ In `v3` chart values changed significantly, please read the instructions below t
- `podSecurityContext` has been replaced with `admissionController.podSecurityContext` - `podSecurityContext` has been replaced with `admissionController.podSecurityContext`
- `tufRootMountPath` has been replaced with `admissionController.tufRootMountPath` - `tufRootMountPath` has been replaced with `admissionController.tufRootMountPath`
- `sigstoreVolume` has been replaced with `admissionController.sigstoreVolume` - `sigstoreVolume` has been replaced with `admissionController.sigstoreVolume`
- `initImage` has been replaced with `admissionController.initContainer.image`
- `initResources` has been replaced with `admissionController.initContainer.resources`
- Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above. - Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above.

8
charts/kyverno/ci/imageRegistry-values.yaml
View file

@ -7,6 +7,8 @@ image:
registry: ko.local registry: ko.local
repository: github.com/kyverno/kyverno/cmd/kyverno repository: github.com/kyverno/kyverno/cmd/kyverno
initImage: admissionController:
registry: ko.local initContainer:
repository: github.com/kyverno/kyverno/cmd/initcontainer image:
registry: ko.local
repository: github.com/kyverno/kyverno/cmd/initcontainer

2
charts/kyverno/templates/NOTES.txt
View file

@ -1,5 +1,5 @@
Chart version: {{ .Chart.Version }} Chart version: {{ .Chart.Version }}
Kyverno version: {{ default .Chart.AppVersion (default .Values.image.tag .Values.initImage.tag) }} Kyverno version: {{ default .Chart.AppVersion (default .Values.image.tag .Values.admissionController.initContainer.image.tag) }}
Thank you for installing {{ .Chart.Name }}! Your release is named {{ .Release.Name }}. Thank you for installing {{ .Chart.Name }}! Your release is named {{ .Release.Name }}.

9
charts/kyverno/templates/admission-controller/deployment.yaml
View file

@ -78,14 +78,15 @@ spec:
{{- toYaml .Values.extraInitContainers | nindent 8 }} {{- toYaml .Values.extraInitContainers | nindent 8 }}
{{- end }} {{- end }}
- name: kyverno-pre - name: kyverno-pre
image: {{ include "kyverno.image" (dict "image" .Values.initImage "defaultTag" (default .Chart.AppVersion .Values.image.tag)) | quote }} image: {{ include "kyverno.image" (dict "image" .Values.admissionController.initContainer.image "defaultTag" (default .Chart.AppVersion .Values.image.tag)) | quote }}
imagePullPolicy: {{ default .Values.image.pullPolicy .Values.initImage.pullPolicy }} imagePullPolicy: {{ default .Values.image.pullPolicy .Values.admissionController.initContainer.image.pullPolicy }}
{{- if .Values.initContainer.extraArgs }} {{- if .Values.initContainer.extraArgs }}
args: args:
{{- tpl (toYaml .Values.initContainer.extraArgs) . | nindent 12 }} {{- tpl (toYaml .Values.initContainer.extraArgs) . | nindent 12 }}
{{- end }} {{- end }}
{{- with .Values.initResources }} {{- with .Values.admissionController.initContainer.resources }}
resources: {{ tpl (toYaml .) $ | nindent 12 }} resources:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }} {{- end }}
{{- with .Values.securityContext }} {{- with .Values.securityContext }}
securityContext: securityContext:

46
charts/kyverno/values.yaml
View file

@ -217,18 +217,6 @@ image:
pullSecrets: [] pullSecrets: []
# - secretName # - secretName
initImage:
# -- Image registry
registry: ghcr.io
# -- Image repository
repository: kyverno/kyvernopre
# -- (string) Image tag
# If initImage.tag is missing, defaults to image.tag
tag: ~
# -- (string) Image pull policy
# If initImage.pullPolicy is missing, defaults to image.pullPolicy
pullPolicy: ~
initContainer: initContainer:
# -- Extra arguments to give to the kyvernopre binary. # -- Extra arguments to give to the kyvernopre binary.
extraArgs: extraArgs:
@ -287,16 +275,6 @@ resources:
cpu: 100m cpu: 100m
memory: 128Mi memory: 128Mi
initResources:
# -- Pod resource limits
limits:
cpu: 100m
memory: 256Mi
# -- Pod resource requests
requests:
cpu: 10m
memory: 64Mi
# -- Additional resources to be added to controller RBAC permissions. # -- Additional resources to be added to controller RBAC permissions.
generatecontrollerExtraResources: [] generatecontrollerExtraResources: []
# - ResourceA # - ResourceA
@ -505,6 +483,30 @@ admissionController:
sigstoreVolume: sigstoreVolume:
emptyDir: {} emptyDir: {}
initContainer:
image:
# -- Image registry
registry: ghcr.io
# -- Image repository
repository: kyverno/kyvernopre
# -- (string) Image tag
# If missing, defaults to image.tag
tag: ~
# -- (string) Image pull policy
# If missing, defaults to image.pullPolicy
pullPolicy: ~
resources:
# -- Pod resource limits
limits:
cpu: 100m
memory: 256Mi
# -- Pod resource requests
requests:
cpu: 10m
memory: 64Mi
# Cleanup controller configuration # Cleanup controller configuration
cleanupController: cleanupController: