fix: helm predelete hook (#6121)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-03-31 03:45:17 +00:00 · 2023-01-26 21:43:52 +01:00 · 2023-01-26 21:43:52 +01:00 · 80750dc4d0
commit 80750dc4d0
parent 72bad6403f
4 changed files with 34 additions and 10 deletions
--- a/charts/kyverno/templates/admission-controller/role.yaml
+++ b/charts/kyverno/templates/admission-controller/role.yaml
@ -1,4 +1,4 @@
-{{- if .Values.rbac.create }}
+{{- if .Values.rbac.create -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@ -50,8 +50,15 @@ rules:
      - apps
    resources:
      - deployments
+      {{- if .Values.webhooksCleanup.enabled }}
+      - deployments/scale
+      {{- end }}
    verbs:
      - get
      - list
      - watch
-{{- end }}
+      {{- if .Values.webhooksCleanup.enabled }}
+      - patch
+      - update
+      {{- end }}
+{{- end -}}
--- a/charts/kyverno/templates/admission-controller/rolebinding.yaml
+++ b/charts/kyverno/templates/admission-controller/rolebinding.yaml
@ -1,4 +1,4 @@
-{{- if .Values.rbac.create }}
+{{- if .Values.rbac.create -}}
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@ -14,4 +14,4 @@ subjects:
  - kind: ServiceAccount
    name: {{ template "kyverno.admission-controller.serviceAccountName" . }}
    namespace: {{ template "kyverno.namespace" . }}
-{{- end }}
+{{- end -}}
--- a/charts/kyverno/templates/hooks/_helpers.tpl
+++ b/charts/kyverno/templates/hooks/_helpers.tpl
@ -0,0 +1,15 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{- define "kyverno.hooks.labels" -}}
+{{- template "kyverno.labels.merge" (list
+  (include "kyverno.labels.common" .)
+  (include "kyverno.hooks.matchLabels" .)
+) -}}
+{{- end -}}
+
+{{- define "kyverno.hooks.matchLabels" -}}
+{{- template "kyverno.labels.merge" (list
+  (include "kyverno.matchLabels.common" .)
+  (include "kyverno.labels.component" "hooks")
+) -}}
+{{- end -}}
--- a/charts/kyverno/templates/helm-pre-delete-hook.yaml
+++ b/charts/kyverno/templates/helm-pre-delete-hook.yaml
@ -1,11 +1,11 @@
-{{- if .Values.webhooksCleanup.enabled }}
+{{- if .Values.webhooksCleanup.enabled -}}
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: {{ template "kyverno.fullname" . }}-hook-pre-delete
  namespace: {{ template "kyverno.namespace" . }}
  labels:
-    {{- include "kyverno.admission-controller.labels" . | nindent 4 }}
+    {{- include "kyverno.hooks.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": pre-delete
    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
@ -19,9 +19,11 @@ spec:
          command:
            - sh
            - '-c'
-            - >-
-              kubectl delete validatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno;
-              kubectl delete mutatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno;
+            - |-
+              kubectl scale -n {{ template "kyverno.namespace" . }} deployment --all --replicas=0
+              sleep 30
+              kubectl delete validatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno
+              kubectl delete mutatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno
      restartPolicy: Never
  backoffLimit: 2
-{{- end }}
+{{- end -}}