diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index 27604a98a1..8134eaebb1 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@@ -591,6 +591,7 @@ The chart values are organised per component.
 | nameOverride | string | `nil` | Override the name of the chart |
 | fullnameOverride | string | `nil` | Override the expanded name of the chart |
 | namespaceOverride | string | `nil` | Override the namespace the chart deploys to |
+| upgrade.fromV2 | bool | `false` | Upgrading from v2 to v3 is not allowed by default, set this to true once changes have been reviewed. |
 | imagePullSecrets | object | `{}` | Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument |
 | existingImagePullSecrets | list | `[]` | Existing Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument |
 | customLabels | object | `{}` | Additional labels |
diff --git a/charts/kyverno/templates/validate.yaml b/charts/kyverno/templates/validate.yaml
index bdcb760f18..2f65403ae7 100644
--- a/charts/kyverno/templates/validate.yaml
+++ b/charts/kyverno/templates/validate.yaml
@@ -1,13 +1,30 @@
-{{- if hasKey .Values "mode" }}
- {{ fail "mode is not supported anymore, please remove it from your release and use admissionController.replicas instead." }}
-{{- end }}
+{{- if hasKey .Values "mode" -}}
+ {{- fail "mode is not supported anymore, please remove it from your release and use admissionController.replicas instead." -}}
+{{- end -}}
 
-{{- if .Values.admissionController.replicas }}
- {{- if eq (int .Values.admissionController.replicas) 2 }}
- {{ fail "Kyverno does not support running with 2 replicas. For a highly-available deployment, select 3 replicas or for standalone select 1 replica." }}
- {{- end }}
-{{- end }}
+{{- if .Values.admissionController.replicas -}}
+ {{- if eq (int .Values.admissionController.replicas) 2 -}}
+ {{- fail "Kyverno does not support running with 2 replicas. For a highly-available deployment, select 3 replicas or for standalone select 1 replica." -}}
+ {{- end -}}
+{{- end -}}
 
-{{- if eq (include "kyverno.namespace" .) "kube-system" }}
- {{ fail "Kyverno cannot be installed in namespace kube-system." }}
-{{- end }}
+{{- if eq (include "kyverno.namespace" .) "kube-system" -}}
+ {{- fail "Kyverno cannot be installed in namespace kube-system." -}}
+{{- end -}}
+
+{{- if not .Values.upgrade.fromV2 -}}
+ {{- $v2 := lookup "apps/v1" "Deployment" (include "kyverno.namespace" .) (include "kyverno.fullname" .) -}}
+ {{- if $v2 -}}
+ {{- fail (join "\n" (list
+ ""
+ ""
+ " +--------------------------------------------------------------------------------------------------------------------------------------+"
+ " | An earlier Helm installation of Kyverno was detected. |"
+ " | Given this chart version has significant breaking changes, the upgrade has been blocked. |"
+ " | Please review the release notes and caveats section above and then, once prepared, set `upgrade.fromV2: true` once ready to proceed. |"
+ " +--------------------------------------------------------------------------------------------------------------------------------------+"
+ ""
+ ))
+ -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml
index d1c7210db8..8421fe136b 100644
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@@ -14,6 +14,10 @@ fullnameOverride: ~
 # -- (string) Override the namespace the chart deploys to
 namespaceOverride: ~
+upgrade:
+ # -- Upgrading from v2 to v3 is not allowed by default, set this to true once changes have been reviewed.
+ fromV2: false
+
 apiVersionOverride:
 # -- (string) Override api version used to create `PodDisruptionBudget`` resources.
 # When not specified the chart will check if `policy/v1/PodDisruptionBudget` is available to
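Review bot: The v2 guard added at the end of `templates/validate.yaml` depends on `lookup`, which Helm evaluates to an empty result whenever the chart is rendered without contacting the cluster (`helm template`, a client-side `--dry-run`, and deployment tools that render charts client-side), so `$v2` is empty there and the `fail` never fires. For a policy engine in the admission path, the breaking upgrade can therefore pass unreviewed in those pipelines, while the `upgrade.fromV2` description in `values.yaml` and the README reads as if the block were unconditional. I would state the limit next to the check, e.g. `{{- /* lookup returns nothing under helm template / client-side --dry-run, so this guard only fires on a live install or upgrade */ -}}`, and repeat it in the `fromV2` comment. The match is also by name only (any Deployment named `kyverno.fullname` in the namespace), which presumably identifies a v2 release because the Deployment is named differently in v3; a one-line comment confirming that would help the next reader.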