Helm namespace value (#1210)

* enable users to specify namespace in helm chart values file

* update chart readme

* remove .DS_Store files

Co-authored-by: Qijun Liu <qliu@gracenote.com>

charts/kyverno/README.md

@@ -70,6 +70,7 @@ Parameter | Description | Default
 `initImage.tag` | Init image tag | `nil`
 `livenessProbe` | liveness probe configuration | `{}`
 `nameOverride` | override the name of the chart | `nil`
+`namespace` | namespace the chart deploy to | `nil`
 `nodeSelector` | node labels for pod assignment | `{}`
 `podAnnotations` | annotations to add to each pod | `{}`
 `podLabels` | additional labels to add to each pod | `{}`

charts/kyverno/templates/_helpers.tpl

@@ -47,6 +47,16 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- printf "%s" (default (include "kyverno.fullname" .) .Values.config.existingConfig) -}}
 {{- end -}}
 
+
+{{/* Get the namespace name. */}}
+{{- define "kyverno.namespace" -}}
+{{- if .Values.namespace -}}
+    {{- .Values.namespace -}}
+{{- else -}}
+    {{- .Release.Namespace -}}
+{{- end -}}
+{{- end -}}
+
 {{/* Create the name of the service to use */}}
 {{- define "kyverno.serviceName" -}}
 {{- printf "%s-svc" (include "kyverno.fullname" .) | trunc 63 | trimSuffix "-" -}}
@@ -59,4 +69,4 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- else -}}
     {{ default "default" .Values.rbac.serviceAccount.name }}
 {{- end -}}
-{{- end -}}
+{{- end -}}

charts/kyverno/templates/clusterrolebinding.yaml

@@ -10,7 +10,7 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: {{ template "kyverno.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ template "kyverno.namespace" . }}
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -23,7 +23,7 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: {{ template "kyverno.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ template "kyverno.namespace" . }}
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -36,7 +36,7 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: {{ template "kyverno.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ template "kyverno.namespace" . }}
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -49,8 +49,8 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: {{ template "kyverno.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
----  
+  namespace: {{ template "kyverno.namespace" . }}
+---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -62,5 +62,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: {{ template "kyverno.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ template "kyverno.namespace" . }}
 {{- end }}

charts/kyverno/templates/configmap.yaml

@@ -4,7 +4,7 @@ kind: ConfigMap
 metadata:
   labels: {{ include "kyverno.labels" . | nindent 4 }}
   name: {{ template "kyverno.configMapName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ template "kyverno.namespace" . }}
 data:
   # resource types to be skipped by kyverno policy engine
   {{- if .Values.config.resourceFilters }}
@@ -16,4 +16,4 @@ data:
   {{- if .Values.config.excludeUsername }}
   excludeUsername: {{ join "" .Values.config.excludeUsername | quote }}
   {{- end -}}
-{{- end -}}
+{{- end -}}

charts/kyverno/templates/deployment.yaml

@@ -3,7 +3,7 @@ kind: Deployment
 metadata:
   name: {{ template "kyverno.fullname" . }}
   labels: {{ include "kyverno.labels" . | nindent 4 }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ template "kyverno.namespace" . }}
 spec:
   selector:
     matchLabels: {{ include "kyverno.matchLabels" . | nindent 6 }}

charts/kyverno/templates/secret.yaml

@@ -1,10 +1,10 @@
 {{- if .Values.createSelfSignedCert }}
-{{- $ca := .ca | default (genCA (printf "*.%s.svc" .Release.Namespace) 1024) -}}
-{{- $cert := genSignedCert (printf "%s.%s.svc" (include "kyverno.serviceName" .) .Release.Namespace) nil nil 1024 $ca -}}
+{{- $ca := .ca | default (genCA (printf "*.%s.svc" "kyverno.namespace") 1024) -}}
+{{- $cert := genSignedCert (printf "%s.%s.svc" (include "kyverno.serviceName" .) "kyverno.namespace") nil nil 1024 $ca -}}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ template "kyverno.serviceName" . }}.{{ .Release.Namespace }}.svc.kyverno-tls-ca
+  name: {{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca
   labels: {{ include "kyverno.labels" . | nindent 4 }}
 data:
   rootCA.crt: {{ $ca.Cert | b64enc }}
@@ -12,7 +12,7 @@ data:
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ template "kyverno.serviceName" . }}.{{ .Release.Namespace }}.svc.kyverno-tls-pair
+  name: {{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair
   labels: {{ include "kyverno.labels" . | nindent 4 }}
   annotations:
     self-signed-cert: "true"

charts/kyverno/templates/service.yaml

@@ -3,7 +3,7 @@ kind: Service
 metadata:
   name: {{ template "kyverno.serviceName" . }}
   labels: {{ include "kyverno.labels" . | nindent 4 }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ template "kyverno.namespace" . }}
   {{- with .Values.service.annotations }}
   annotations: {{ tpl (toYaml .) $ | nindent 4 }}
   {{- end }}

charts/kyverno/templates/serviceaccount.yaml

@@ -7,5 +7,5 @@ metadata:
   {{- if .Values.rbac.serviceAccount.annotations }}
   annotations: {{ toYaml .Values.rbac.serviceAccount.annotations | nindent 4 }}
   {{- end }}
-  namespace: {{ .Release.Namespace }}
-{{- end }}
+  namespace: {{ template "kyverno.namespace" . }}
+{{- end }}

charts/kyverno/values.yaml

@@ -1,5 +1,6 @@
 nameOverride:
 fullnameOverride:
+namespace:
 
 rbac:
   create: true
@@ -126,4 +127,4 @@ service:
 #    kyverno-svc.kyverno.svc.kyverno-tls-pair (with data entries named tls.key and tls.crt)
 # 3) Let Helm generate a self signed cert, by setting createSelfSignedCert true
 # If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false
-createSelfSignedCert: false
+createSelfSignedCert: false