refactor: helm chart config (#6596)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2024-12-14 11:57:48 +00:00 · 2023-03-17 02:38:45 +01:00 · 2023-03-17 02:38:45 +01:00 · 7fd79f5513
commit 7fd79f5513
parent a60e4c038c
5 changed files with 18 additions and 14 deletions
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@ -114,6 +114,8 @@ spec:
 In `v3` chart values changed significantly, please read the instructions below to migrate your values:

 - `config.metricsConfig` is now `metricsConfig`
+- `resourceFiltersExcludeNamespaces` has been replaced with `config.resourceFiltersExcludeNamespaces`
+- `excludeKyvernoNamespace` has been replaced with `config.excludeKyvernoNamespace`
 - `config.existingConfig` has been replaced with `config.create` and `config.name` to __support bring your own config__
 - `config.existingMetricsConfig` has been replaced with `metricsConfig.create` and `metricsConfig.name` to __support bring your own config__
 - `namespace` has been renamed `namespaceOverride`
@ -200,6 +202,8 @@ The command removes all the Kubernetes components associated with the chart and
 | config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. |
 | config.webhooks | list | `[]` | Defines the `namespaceSelector` in the webhook configurations. Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) |
 | config.webhookAnnotations | object | `{}` | Defines annotations to set on webhook configurations. |
+| config.excludeKyvernoNamespace | bool | `true` | Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters |
+| config.resourceFiltersExcludeNamespaces | list | `[]` | resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters |
 | metricsConfig.create | bool | `true` | Create the configmap. |
 | metricsConfig.name | string | `nil` | The configmap name (required if `create` is `false`). |
 | metricsConfig.annotations | object | `{}` | Additional annotations to add to the configmap. |
@ -216,8 +220,6 @@ The command removes all the Kubernetes components associated with the chart and
 | test.resources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests |
 | test.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the test containers |
 | customLabels | object | `{}` | Additional labels |
-| excludeKyvernoNamespace | bool | `true` | Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters |
-| resourceFiltersExcludeNamespaces | list | `[]` | resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters |
 | webhooksCleanup.enabled | bool | `false` | Create a helm pre-delete hook to cleanup webhooks. |
 | webhooksCleanup.image | string | `"bitnami/kubectl:latest"` | `kubectl` image to run commands for deleting webhooks. |
 | grafana.enabled | bool | `false` | Enable grafana dashboard creation. |
--- a/charts/kyverno/README.md.gotmpl
+++ b/charts/kyverno/README.md.gotmpl
@ -114,6 +114,8 @@ spec:
 In `v3` chart values changed significantly, please read the instructions below to migrate your values:

 - `config.metricsConfig` is now `metricsConfig`
+- `resourceFiltersExcludeNamespaces` has been replaced with `config.resourceFiltersExcludeNamespaces`
+- `excludeKyvernoNamespace` has been replaced with `config.excludeKyvernoNamespace`
 - `config.existingConfig` has been replaced with `config.create` and `config.name` to __support bring your own config__
 - `config.existingMetricsConfig` has been replaced with `metricsConfig.create` and `metricsConfig.name` to __support bring your own config__
 - `namespace` has been renamed `namespaceOverride`
--- a/charts/kyverno/templates/config/_helpers.tpl
+++ b/charts/kyverno/templates/config/_helpers.tpl
@ -32,10 +32,10 @@

 {{- define "kyverno.config.resourceFilters" -}}
 {{- $resourceFilters := .Values.config.resourceFilters }}
-{{- if .Values.excludeKyvernoNamespace }}
+{{- if .Values.config.excludeKyvernoNamespace }}
  {{- $resourceFilters = prepend .Values.config.resourceFilters (printf "[*,%s,*]" (include "kyverno.namespace" .)) }}
 {{- end }}
-{{- range $exclude := .Values.resourceFiltersExcludeNamespaces }}
+{{- range $exclude := .Values.config.resourceFiltersExcludeNamespaces }}
  {{- range $filter := $resourceFilters }}
    {{- if (contains (printf ",%s," $exclude) $filter) }}
      {{- $resourceFilters = without $resourceFilters $filter }}
--- a/charts/kyverno/templates/config/configmap.yaml
+++ b/charts/kyverno/templates/config/configmap.yaml
@ -32,11 +32,11 @@ data:
  {{- if .Values.config.resourceFilters }}
  resourceFilters: {{ include "kyverno.config.resourceFilters" . | quote }}
  {{- end -}}
-  {{- if and .Values.config.webhooks .Values.excludeKyvernoNamespace }}
+  {{- if and .Values.config.webhooks .Values.config.excludeKyvernoNamespace }}
  webhooks: {{ include "kyverno.config.webhooks" . | quote }}
  {{- else if .Values.config.webhooks }}
  webhooks: {{ .Values.config.webhooks | toJson | quote }}
-  {{- else if .Values.excludeKyvernoNamespace }}
+  {{- else if .Values.config.excludeKyvernoNamespace }}
  webhooks: '[{"namespaceSelector": {"matchExpressions": [{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["{{ include "kyverno.namespace" . }}"]}]}}]'
  {{- end -}}
  {{- with .Values.config.webhookAnnotations }}
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@ -117,6 +117,14 @@ config:
    # Example to disable admission enforcer on AKS:
    # 'admissions.enforcer/disabled': 'true'

+  # -- Exclude Kyverno namespace
+  # Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters
+  excludeKyvernoNamespace: true
+
+  # -- resourceFilter namespace exclude
+  # Namespaces to exclude from the default resourceFilters
+  resourceFiltersExcludeNamespaces: []
+
 # Metrics configuration
 metricsConfig:

@ -199,14 +207,6 @@ test:
 # -- Additional labels
 customLabels: {}

-# -- Exclude Kyverno namespace
-# Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters
-excludeKyvernoNamespace: true
-
-# -- resourceFilter namespace exclude
-# Namespaces to exclude from the default resourceFilters
-resourceFiltersExcludeNamespaces: []
-
 webhooksCleanup:
  # -- Create a helm pre-delete hook to cleanup webhooks.
  enabled: false