diff --git a/charts/kyverno/Chart.yaml b/charts/kyverno/Chart.yaml index 4ebc8ccfe2..67927ab36e 100644 --- a/charts/kyverno/Chart.yaml +++ b/charts/kyverno/Chart.yaml @@ -79,6 +79,8 @@ annotations: description: added TUF flags for custom sigstore deployments - kind: added description: allow setting admission controller replica count to 2 + - kind: added + description: Allow overriding the ca-certificate bundle for deployments - kind: added description: allow excluding resourceFilters via config.resourceFiltersExclude dependencies: diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md index a671677c54..4e5720a86b 100644 --- a/charts/kyverno/README.md +++ b/charts/kyverno/README.md @@ -360,6 +360,8 @@ The chart values are organised per component. | admissionController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. | | admissionController.tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization. | | admissionController.sigstoreVolume | object | `{"emptyDir":{}}` | Volume to be mounted in pods for TUF/cosign work. | +| admissionController.caCertificates.data | string | `nil` | CA certificates to use with Kyverno deployments This value is expected to be one large string of CA certificates | +| admissionController.caCertificates.volume | object | `{}` | Volume to be mounted for CA certificates Not used when `.Values.admissionController.caCertificates.data` is defined | | admissionController.imagePullSecrets | list | `[]` | Image pull secrets | | admissionController.initContainer.image.registry | string | `"ghcr.io"` | Image registry | | admissionController.initContainer.image.repository | string | `"kyverno/kyvernopre"` | Image repository | 
@@ -451,6 +453,8 @@ The chart values are organised per component. | backgroundController.podDisruptionBudget.enabled | bool | `false` | Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking. | | backgroundController.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set. | | backgroundController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. | +| backgroundController.caCertificates.data | string | `nil` | CA certificates to use with Kyverno deployments This value is expected to be one large string of CA certificates | +| backgroundController.caCertificates.volume | object | `{}` | Volume to be mounted for CA certificates Not used when `.Values.backgroundController.caCertificates.data` is defined | | backgroundController.metricsService.create | bool | `true` | Create service. | | backgroundController.metricsService.port | int | `8000` | Service port. Metrics server will be exposed at this port. | | backgroundController.metricsService.type | string | `"ClusterIP"` | Service type. | 
@@ -595,6 +599,8 @@ The chart values are organised per component. | reportsController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. | | reportsController.tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization. | | reportsController.sigstoreVolume | object | `{"emptyDir":{}}` | Volume to be mounted in pods for TUF/cosign work. | +| reportsController.caCertificates.data | string | `nil` | CA certificates to use with Kyverno deployments This value is expected to be one large string of CA certificates | +| reportsController.caCertificates.volume | object | `{}` | Volume to be mounted for CA certificates Not used when `.Values.reportsController.caCertificates.data` is defined | | reportsController.metricsService.create | bool | `true` | Create service. | | reportsController.metricsService.port | int | `8000` | Service port. Metrics server will be exposed at this port. | | reportsController.metricsService.type | string | `"ClusterIP"` | Service type. | 
@@ -716,6 +722,8 @@ The chart values are organised per component. | Key | Type | Default | Description | |-----|------|---------|-------------| | global.image.registry | string | `nil` | Global value that allows to set a single image registry across all deployments. When set, it will override any values set under `.image.registry` across the chart. | +| global.caCertificates.data | string | `nil` | Global CA certificates to use with Kyverno deployments This value is expected to be one large string of CA certificates Individual controller values will override this global value | +| global.caCertificates.volume | object | `{}` | Global value to set single volume to be mounted for CA certificates for all deployments. Not used when `.Values.global.caCertificates.data` is defined Individual controller values will override this global value | | nameOverride | string | `nil` | Override the name of the chart | | fullnameOverride | string | `nil` | Override the expanded name of the chart | | namespaceOverride | string | `nil` | Override the namespace the chart deploys to | diff --git a/charts/kyverno/templates/admission-controller/_helpers.tpl b/charts/kyverno/templates/admission-controller/_helpers.tpl index 2c9ece0a28..0be041a2eb 100644 --- a/charts/kyverno/templates/admission-controller/_helpers.tpl +++ b/charts/kyverno/templates/admission-controller/_helpers.tpl @@ -33,3 +33,7 @@ {{- define "kyverno.admission-controller.serviceName" -}} {{- printf "%s-svc" (include "kyverno.fullname" .) | trunc 63 | trimSuffix "-" -}} {{- end -}} + +{{- define "kyverno.admission-controller.caCertificatesConfigMapName" -}} +{{ printf "%s-ca-certificates" (include "kyverno.admission-controller.name" .) }} +{{- end -}} \ No newline at end of file diff --git a/charts/kyverno/templates/admission-controller/deployment.yaml b/charts/kyverno/templates/admission-controller/deployment.yaml index e2885d574f..cc5ebad71b 100644 --- a/charts/kyverno/templates/admission-controller/deployment.yaml 
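Review bot: The new `kyverno.admission-controller.caCertificatesConfigMapName` define does not bound its output, while the sibling `serviceName` helper visible in the same hunk pipes through `trunc 63 | trimSuffix "-"`; a ConfigMap name may exceed 63 characters, so this is a consistency rather than a correctness point, but the chart's other name helpers share that shape and the background-controller (L6) and reports-controller (L7) copies should match whatever is chosen here. The admission-controller helper file is also left without a trailing newline (`\ No newline at end of file`) while the other two helper files keep theirs.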
+++ b/charts/kyverno/templates/admission-controller/deployment.yaml @@ -229,7 +229,27 @@ spec: volumeMounts: - mountPath: {{ .Values.admissionController.tufRootMountPath }} name: sigstore + {{- if or .Values.admissionController.caCertificates.data .Values.global.caCertificates.data .Values.admissionController.caCertificates.volume .Values.global.caCertificates.volume }} + - name: ca-certificates + mountPath: /etc/ssl/certs/ca-certificates.crt + {{- if or .Values.admissionController.caCertificates.data .Values.global.caCertificates.data }} + subPath: ca-certificates.crt + {{- end }} + {{- end }} volumes: - name: sigstore {{- toYaml (required "A valid .Values.admissionController.sigstoreVolume entry is required" .Values.admissionController.sigstoreVolume) | nindent 8 }} + {{- if or .Values.admissionController.caCertificates.data .Values.global.caCertificates.data }} + - name: ca-certificates + configMap: + name: {{ include "kyverno.admission-controller.caCertificatesConfigMapName" . }} + items: + - key: ca-certificates + path: ca-certificates.crt + {{- else if or .Values.admissionController.caCertificates.volume .Values.global.caCertificates.volume }} + {{- with (.Values.admissionController.caCertificates.volume | default .Values.global.caCertificates.volume) }} + - name: ca-certificates + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} {{- end -}} diff --git a/charts/kyverno/templates/background-controller/_helpers.tpl b/charts/kyverno/templates/background-controller/_helpers.tpl index 20d0fd788e..6b75cb329e 100644 --- a/charts/kyverno/templates/background-controller/_helpers.tpl +++ b/charts/kyverno/templates/background-controller/_helpers.tpl 
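Review bot: The volume selection gives a global `caCertificates.data` precedence over a controller-level `caCertificates.volume`, because the configMap branch tests `or .Values.admissionController.caCertificates.data .Values.global.caCertificates.data` before any volume value is considered, which contradicts the documented rule that individual controller values override the global ones; the same ordering is in the background-controller (L7) and reports-controller (L8) hunks. The rewrite below resolves the controller level first and reuses one `$useConfigMap` flag for both the `subPath` on the mount and the volume branch so the two cannot drift apart; the variables have to be declared where both `volumeMounts` and `volumes` can see them, which I cannot confirm from the hunk because the enclosing block starts outside it. Separately, the `volume` branch mounts the user-supplied volume directly at the file path `/etc/ssl/certs/ca-certificates.crt` with no `subPath`, so it only works for volumes that resolve to a single file (such as the `hostPath` with `type: File` shown in values.yaml); a configMap or secret volume would mount a directory there and break every outbound TLS connection, which deserves a comment on the `volume` value such as `# Must resolve to a single file: it is mounted directly at /etc/ssl/certs/ca-certificates.crt`. The ConfigMap named by `caCertificatesConfigMapName` is not created in any hunk shown here; if its template is not elsewhere in this change, pods referencing it will stay pending on a missing ConfigMap.
```yaml
          volumeMounts:
            - mountPath: {{ .Values.admissionController.tufRootMountPath }}
              name: sigstore
            {{- $ca := .Values.admissionController.caCertificates }}
            {{- $globalCa := .Values.global.caCertificates }}
            {{- /* controller-level settings win over global ones, whichever kind (data or volume) they are */}}
            {{- $useConfigMap := or $ca.data (and (not $ca.volume) $globalCa.data) }}
            {{- $caVolume := $ca.volume | default $globalCa.volume }}
            {{- if or $useConfigMap $caVolume }}
            - name: ca-certificates
              mountPath: /etc/ssl/certs/ca-certificates.crt
              {{- if $useConfigMap }}
              subPath: ca-certificates.crt
              {{- end }}
            {{- end }}
      volumes:
        {{- /* … unchanged: sigstore volume … */}}
        {{- if $useConfigMap }}
        - name: ca-certificates
          configMap:
            {{- /* … unchanged: configMap name and items … */}}
        {{- else if $caVolume }}
        - name: ca-certificates
          {{- toYaml $caVolume | nindent 8 }}
        {{- end }}
```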
@@ -38,3 +38,7 @@ {{ required "A service account name is required when `rbac.create` is set to `false`" .Values.backgroundController.rbac.serviceAccount.name }} {{- end -}} {{- end -}} + +{{- define "kyverno.background-controller.caCertificatesConfigMapName" -}} +{{ printf "%s-ca-certificates" (include "kyverno.background-controller.name" .) }} +{{- end -}} diff --git a/charts/kyverno/templates/background-controller/deployment.yaml b/charts/kyverno/templates/background-controller/deployment.yaml index c3453fce93..06de9e5308 100644 --- a/charts/kyverno/templates/background-controller/deployment.yaml +++ b/charts/kyverno/templates/background-controller/deployment.yaml 
@@ -149,5 +149,29 @@ spec: securityContext: {{- toYaml . | nindent 12 }} {{- end }} + {{- if or .Values.backgroundController.caCertificates.data .Values.global.caCertificates.data .Values.backgroundController.caCertificates.volume .Values.global.caCertificates.volume }} + volumeMounts: + - name: ca-certificates + mountPath: /etc/ssl/certs/ca-certificates.crt + {{- if or .Values.backgroundController.caCertificates.data .Values.global.caCertificates.data }} + subPath: ca-certificates.crt + {{- end }} + {{- end }} + {{- if or .Values.backgroundController.caCertificates.data .Values.global.caCertificates.data .Values.backgroundController.caCertificates.volume .Values.global.caCertificates.volume }} + volumes: + {{- if or .Values.backgroundController.caCertificates.data .Values.global.caCertificates.data }} + - name: ca-certificates + configMap: + name: {{ include "kyverno.background-controller.caCertificatesConfigMapName" . }} + items: + - key: ca-certificates + path: ca-certificates.crt + {{- else if or .Values.backgroundController.caCertificates.volume .Values.global.caCertificates.volume }} + {{- with (.Values.backgroundController.caCertificates.volume | default .Values.global.caCertificates.volume) }} + - name: ca-certificates + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} + {{- end }} {{- end -}} {{- end -}} diff --git a/charts/kyverno/templates/reports-controller/_helpers.tpl b/charts/kyverno/templates/reports-controller/_helpers.tpl index d5fd852be1..2cf441df6d 100644 --- a/charts/kyverno/templates/reports-controller/_helpers.tpl +++ b/charts/kyverno/templates/reports-controller/_helpers.tpl @@ -38,3 +38,7 @@ {{ required "A service account name is required when `rbac.create` is set to `false`" .Values.reportsController.rbac.serviceAccount.name }} {{- end -}} {{- end -}} + +{{- define "kyverno.reports-controller.caCertificatesConfigMapName" -}} +{{ printf "%s-ca-certificates" (include "kyverno.reports-controller.name" .) }} +{{- end -}} 
diff --git a/charts/kyverno/templates/reports-controller/deployment.yaml b/charts/kyverno/templates/reports-controller/deployment.yaml index cf4f5d9f47..d730e6a615 100644 --- a/charts/kyverno/templates/reports-controller/deployment.yaml +++ b/charts/kyverno/templates/reports-controller/deployment.yaml @@ -162,8 +162,28 @@ spec: volumeMounts: - mountPath: {{ .Values.reportsController.tufRootMountPath }} name: sigstore + {{- if or .Values.reportsController.caCertificates.data .Values.global.caCertificates.data .Values.reportsController.caCertificates.volume .Values.global.caCertificates.volume }} + - name: ca-certificates + mountPath: /etc/ssl/certs/ca-certificates.crt + {{- if or .Values.reportsController.caCertificates.data .Values.global.caCertificates.data }} + subPath: ca-certificates.crt + {{- end }} + {{- end }} volumes: - name: sigstore {{- toYaml (required "A valid .Values.reportsController.sigstoreVolume entry is required" .Values.reportsController.sigstoreVolume) | nindent 8 }} + {{- if or .Values.reportsController.caCertificates.data .Values.global.caCertificates.data }} + - name: ca-certificates + configMap: + name: {{ include "kyverno.reports-controller.caCertificatesConfigMapName" . }} + items: + - key: ca-certificates + path: ca-certificates.crt + {{- else if or .Values.reportsController.caCertificates.volume .Values.global.caCertificates.volume }} + {{- with (.Values.reportsController.caCertificates.volume | default .Values.global.caCertificates.volume) }} + - name: ca-certificates + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} {{- end -}} {{- end -}} diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml index 9678978c69..5903d02f23 100644 --- a/charts/kyverno/values.yaml +++ b/charts/kyverno/values.yaml 
@@ -10,6 +10,19 @@ global: # -- (string) Global value that allows to set a single image registry across all deployments. # When set, it will override any values set under `.image.registry` across the chart. registry: ~ + caCertificates: + # -- Global CA certificates to use with Kyverno deployments + # This value is expected to be one large string of CA certificates + # Individual controller values will override this global value + data: ~ + # -- Global value to set single volume to be mounted for CA certificates for all deployments. + # Not used when `.Values.global.caCertificates.data` is defined + # Individual controller values will override this global value + volume: {} + # Example to use hostPath: + # hostPath: + # path: /etc/pki/tls/ca-certificates.crt + # type: File # -- (string) Override the name of the chart nameOverride: ~ @@ -825,6 +838,18 @@ admissionController: sigstoreVolume: emptyDir: {} + caCertificates: + # -- CA certificates to use with Kyverno deployments + # This value is expected to be one large string of CA certificates + data: ~ + # -- Volume to be mounted for CA certificates + # Not used when `.Values.admissionController.caCertificates.data` is defined + volume: {} + # Example to use hostPath: + # hostPath: + # path: /etc/pki/tls/ca-certificates.crt + # type: File + # -- Image pull secrets imagePullSecrets: [] # - secretName @@ -870,6 +895,10 @@ admissionController: # -- Additional container environment variables. extraEnvVars: [] + # Example setting proxy + # extraEnvVars: + # - name: HTTPS_PROXY + # value: 'https://proxy.example.com:3128' container: @@ -910,6 +939,10 @@ admissionController: # -- Additional container environment variables. extraEnvVars: [] + # Example setting proxy + # extraEnvVars: + # - name: HTTPS_PROXY + # value: 'https://proxy.example.com:3128' # -- Array of extra init containers extraInitContainers: [] 
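Review bot: The `data` comment on `global.caCertificates` (and the per-controller copies in the admissionController hunk here and the backgroundController and reportsController hunks at L10) should say what the value does to the pod: the deployment templates mount it over `/etc/ssl/certs/ca-certificates.crt` with a `subPath`, so it replaces the image's trust store rather than extending it, and any public roots the controllers still need (image registries, Sigstore/TUF endpoints) must be included in the bundle. A line such as `# Replaces the image's CA bundle at /etc/ssl/certs/ca-certificates.crt; include every root the controllers must trust, not only private ones` covers it. The `hostPath` example under `volume` also deserves a caveat, because hostPath volumes are rejected by the restricted Pod Security Standard and are commonly blocked by admission policy, so users on hardened clusters will need a projected or configMap-backed alternative that still resolves to a single file. The comment sentences lack terminating periods, which is why the generated README rows read as run-on text (`deployments This value is expected`).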
@@ -1134,6 +1167,10 @@ backgroundController: # -- Additional container environment variables. extraEnvVars: [] + # Example setting proxy + # extraEnvVars: + # - name: HTTPS_PROXY + # value: 'https://proxy.example.com:3128' resources: # -- Pod resource limits @@ -1204,6 +1241,18 @@ backgroundController: # Cannot be used if `minAvailable` is set. maxUnavailable: + caCertificates: + # -- CA certificates to use with Kyverno deployments + # This value is expected to be one large string of CA certificates + data: ~ + # -- Volume to be mounted for CA certificates + # Not used when `.Values.backgroundController.caCertificates.data` is defined + volume: {} + # Example to use hostPath: + # hostPath: + # path: /etc/pki/tls/ca-certificates.crt + # type: File + metricsService: # -- Create service. create: true @@ -1371,6 +1420,10 @@ cleanupController: # -- Additional container environment variables. extraEnvVars: [] + # Example setting proxy + # extraEnvVars: + # - name: HTTPS_PROXY + # value: 'https://proxy.example.com:3128' resources: # -- Pod resource limits @@ -1663,6 +1716,10 @@ reportsController: # -- Additional container environment variables. extraEnvVars: [] + # Example setting proxy + # extraEnvVars: + # - name: HTTPS_PROXY + # value: 'https://proxy.example.com:3128' resources: # -- Pod resource limits @@ -1740,6 +1797,19 @@ reportsController: sigstoreVolume: emptyDir: {} + caCertificates: + # -- CA certificates to use with Kyverno deployments + # This value is expected to be one large string of CA certificates + data: ~ + # -- Volume to be mounted for CA certificates + # Not used when `.Values.reportsController.caCertificates.data` is defined + volume: {} + # Example to use hostPath: + # hostPath: + # path: /etc/pki/tls/ca-certificates.crt + # type: File + + metricsService: # -- Create service. create: true
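Review bot: The cleanupController hunk receives the `HTTPS_PROXY` example but no `caCertificates` values, and no cleanup-controller deployment hunk is part of this change, so it is the one controller that cannot be pointed at a custom trust bundle even though the changelog entry speaks of "deployments" generally. If that is intentional because it makes no outbound TLS calls beyond the API server, a short comment next to its `extraEnvVars` example saying so (`# cleanupController has no caCertificates override; it only talks to the API server`) would pre-empt the obvious follow-up; otherwise it should get the same `caCertificates` block and mount as the other three controllers.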