feat: migrate existing cleanup policies to the new storage version in helm hook (#9420)

* feat: migrate existing cleanup policies to the new storage version in helm hook Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * fix codegen Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * fix: use kyverno CLI migrate command Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> --------- Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-03-13 19:28:55 +00:00 · 2024-01-22 13:53:36 +02:00 · 2024-01-22 13:53:36 +02:00 · 5fc7e96890
commit 5fc7e96890
parent a0afda4f0a
6 changed files with 110 additions and 5 deletions
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@ -767,7 +767,8 @@ The chart values are organised per component.
 | policyReportsCleanup.podLabels | object | `{}` | Pod labels. |
 | policyReportsCleanup.nodeAffinity | object | `{}` | Node affinity constraints. |
 | policyReportsCleanup.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers |
-| crdsMigration.exceptions | object | `{"enabled":true}` | Create a helm post-upgrade hook to migrate the existing CRDs to the stored version |
+| crdsMigration.exceptions | object | `{"enabled":true}` | Create a helm post-upgrade hook to migrate the existing policy exceptions to the stored version |
+| crdsMigration.cleanuppolicies | object | `{"enabled":true}` | Create a helm post-upgrade hook to migrate the existing cleanup policies to the stored version |
 | crdsMigration.image.registry | string | `"ghcr.io"` | Image registry |
 | crdsMigration.image.repository | string | `"kyverno/kyverno-cli"` | Image repository |
 | crdsMigration.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted |
--- a/charts/kyverno/templates/admission-controller/clusterrole.yaml
+++ b/charts/kyverno/templates/admission-controller/clusterrole.yaml
@ -106,12 +106,12 @@ rules:
    verbs:
      - update
  - apiGroups:
-    - apiextensions.k8s.io
+      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions/status
    verbs:
      - update
-{{- end }}
+  {{- end }}
  - apiGroups:
      - '*'
    resources:
--- a/charts/kyverno/templates/cleanup-controller/clusterrole.yaml
+++ b/charts/kyverno/templates/cleanup-controller/clusterrole.yaml
@ -45,6 +45,9 @@ rules:
    verbs:
      - list
      - watch
+      {{- if .Values.crdsMigration.cleanuppolicies.enabled }}
+      - update
+      {{- end }}
  - apiGroups:
      - kyverno.io
    resources:
@ -52,6 +55,20 @@ rules:
      - cleanuppolicies/status
    verbs:
      - update
+  {{- if .Values.crdsMigration.cleanuppolicies.enabled }}
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions
+    verbs:
+      - get
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions/status
+    verbs:
+      - update
+  {{- end }}
  - apiGroups:
      - ''
    resources:
--- a/charts/kyverno/templates/hooks/crds-migration/cleanup-post-upgrade.yaml
+++ b/charts/kyverno/templates/hooks/crds-migration/cleanup-post-upgrade.yaml
@ -0,0 +1,70 @@
+{{- if .Values.cleanupController.enabled -}}
+{{- if and .Values.crdsMigration.cleanuppolicies.enabled (not .Values.templating.enabled) -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ template "kyverno.fullname" . }}-hook-post-upgrade-cleanuppolicies-migration
+  namespace: {{ template "kyverno.namespace" . }}
+  labels:
+    {{- include "kyverno.hooks.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": post-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+spec:
+  backoffLimit: 2
+  template:
+    metadata:
+      {{- with .Values.crdsMigration.podLabels }}
+      labels:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      serviceAccount: {{ template "kyverno.cleanup-controller.serviceAccountName" . }}
+      {{- with .Values.crdsMigration.podSecurityContext }}
+      securityContext:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      restartPolicy: Never
+      containers:
+        - name: kubectl
+          image: {{ (include "kyverno.image" (dict "globalRegistry" ((.Values.global).image).registry "image" .Values.crdsMigration.image "defaultTag" (default .Chart.AppVersion .Values.crdsMigration.image.tag))) | quote }}
+          imagePullPolicy: {{ .Values.crdsMigration.image.pullPolicy }}
+          args:
+            - migrate
+            - --resource
+            - cleanuppolicies.kyverno.io
+            - --resource
+            - clustercleanuppolicies.kyverno.io
+          {{- with .Values.crdsMigration.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- with .Values.crdsMigration.imagePullSecrets }}
+      imagePullSecrets:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- with .Values.crdsMigration.tolerations }}
+      tolerations:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- with .Values.crdsMigration.nodeSelector | default .Values.global.nodeSelector }}
+      nodeSelector:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- if or .Values.crdsMigration.podAntiAffinity .Values.crdsMigration.podAffinity .Values.crdsMigration.nodeAffinity }}
+      affinity:
+        {{- with .Values.crdsMigration.podAntiAffinity }}
+        podAntiAffinity:
+          {{- tpl (toYaml .) $ | nindent 10 }}
+        {{- end }}
+        {{- with .Values.crdsMigration.podAffinity }}
+        podAffinity:
+          {{- tpl (toYaml .) $ | nindent 10 }}
+        {{- end }}
+        {{- with .Values.crdsMigration.nodeAffinity }}
+        nodeAffinity:
+          {{- tpl (toYaml .) $ | nindent 10 }}
+        {{- end }}
+      {{- end }}
+{{- end -}}
+{{- end -}}
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@ -468,10 +468,14 @@ policyReportsCleanup:
      type: RuntimeDefault

 crdsMigration:
-  # -- Create a helm post-upgrade hook to migrate the existing CRDs to the stored version
+  # -- Create a helm post-upgrade hook to migrate the existing policy exceptions to the stored version
  exceptions:
    enabled: true

+  # -- Create a helm post-upgrade hook to migrate the existing cleanup policies to the stored version
+  cleanuppolicies:
+    enabled: true
+
  image:
    # -- (string) Image registry
    registry: ghcr.io
--- a/config/install-latest-testing.yaml
+++ b/config/install-latest-testing.yaml
@ -49224,7 +49224,7 @@ rules:
    verbs:
      - update
  - apiGroups:
-    - apiextensions.k8s.io
+      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions/status
    verbs:
@ -49397,6 +49397,7 @@ rules:
    verbs:
      - list
      - watch
+      - update
  - apiGroups:
      - kyverno.io
    resources:
@ -49404,6 +49405,18 @@ rules:
      - cleanuppolicies/status
    verbs:
      - update
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions
+    verbs:
+      - get
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions/status
+    verbs:
+      - update
  - apiGroups:
      - ''
    resources: