refactor: helm admission controller config (#6501)

* refactor: helm admission controller config

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* more

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

charts/kyverno/README.md

@@ -151,6 +151,15 @@ In `v3` chart values changed significantly, please read the instructions below t
 - `service` has been replaced with `admissionController.service`
 - `metricsService` has been replaced with `admissionController.metricsService`
 
+- `initContainer.extraArgs` has been replaced with `admissionController.initContainer.extraArgs`
+- `envVarsInit` has been replaced with `admissionController.initContainer.extraEnvVars`
+- `envVars` has been replaced with `admissionController.container.extraEnvVars`
+- `extraArgs` has been replaced with `admissionController.container.extraArgs`
+- `extraInitContainers` has been replaced with `admissionController.extraInitContainers`
+- `extraContainers` has been replaced with `admissionController.extraContainers`
+- `podLabels` has been replaced with `admissionController.podLabels`
+- `podAnnotations` has been replaced with `admissionController.podAnnotations`
+
 - Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above.
 
 - Image tags are now validated and must be strings, if you use image tags in the `1.35` form please add quotes around the tag value.
@@ -206,15 +215,7 @@ The command removes all the Kubernetes components associated with the chart and
 | rbac.serviceAccount.create | bool | `true` | Create a ServiceAccount |
 | rbac.serviceAccount.name | string | `nil` | The ServiceAccount name |
 | rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount |
-| initContainer.extraArgs | list | `["--loggingFormat=text"]` | Extra arguments to give to the kyvernopre binary. |
-| podLabels | object | `{}` | Additional labels to add to each pod |
-| podAnnotations | object | `{}` | Additional annotations to add to each pod |
 | securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers |
-| envVarsInit | object | `{}` | Env variables for initContainers. |
-| envVars | object | `{}` | Env variables for containers. |
-| extraArgs | list | `["--loggingFormat=text"]` | Extra arguments to give to the binary. |
-| extraInitContainers | list | `[]` | Array of extra init containers |
-| extraContainers | list | `[]` | Array of extra containers to run alongside kyverno |
 | generatecontrollerExtraResources | list | `[]` | Additional resources to be added to controller RBAC permissions. |
 | excludeKyvernoNamespace | bool | `true` | Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters |
 | resourceFiltersExcludeNamespaces | list | `[]` | resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters |
@@ -228,6 +229,8 @@ The command removes all the Kubernetes components associated with the chart and
 | grafana.annotations | object | `{}` | Grafana dashboard configmap annotations. |
 | admissionController.createSelfSignedCert | bool | `false` | Create self-signed certificates at deployment time. The certificates won't be automatically renewed if this is set to `true`. |
 | admissionController.replicas | int | `nil` | Desired number of pods |
+| admissionController.podLabels | object | `{}` | Additional labels to add to each pod |
+| admissionController.podAnnotations | object | `{}` | Additional annotations to add to each pod |
 | admissionController.updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy |
 | admissionController.priorityClassName | string | `""` | Optional priority class |
 | admissionController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. |
@@ -261,12 +264,18 @@ The command removes all the Kubernetes components associated with the chart and
 | admissionController.initContainer.image.pullPolicy | string | `nil` | Image pull policy If missing, defaults to image.pullPolicy |
 | admissionController.initContainer.resources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits |
 | admissionController.initContainer.resources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests |
+| admissionController.initContainer.extraArgs | list | `["--loggingFormat=text"]` | Additional container args. |
+| admissionController.initContainer.extraEnvVars | list | `[]` | Additional container environment variables. |
 | admissionController.container.image.registry | string | `"ghcr.io"` | Image registry |
 | admissionController.container.image.repository | string | `"kyverno/kyverno"` | Image repository |
 | admissionController.container.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted |
 | admissionController.container.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
 | admissionController.container.resources.limits | object | `{"memory":"384Mi"}` | Pod resource limits |
 | admissionController.container.resources.requests | object | `{"cpu":"100m","memory":"128Mi"}` | Pod resource requests |
+| admissionController.container.extraArgs | list | `["--loggingFormat=text"]` | Additional container args. |
+| admissionController.container.extraEnvVars | list | `[]` | Additional container environment variables. |
+| admissionController.extraInitContainers | list | `[]` | Array of extra init containers |
+| admissionController.extraContainers | list | `[]` | Array of extra containers to run alongside kyverno |
 | admissionController.service.port | int | `443` | Service port. |
 | admissionController.service.type | string | `"ClusterIP"` | Service type. |
 | admissionController.service.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. |

charts/kyverno/README.md.gotmpl

@@ -151,6 +151,15 @@ In `v3` chart values changed significantly, please read the instructions below t
 - `service` has been replaced with `admissionController.service`
 - `metricsService` has been replaced with `admissionController.metricsService`
 
+- `initContainer.extraArgs` has been replaced with `admissionController.initContainer.extraArgs`
+- `envVarsInit` has been replaced with `admissionController.initContainer.extraEnvVars`
+- `envVars` has been replaced with `admissionController.container.extraEnvVars`
+- `extraArgs` has been replaced with `admissionController.container.extraArgs`
+- `extraInitContainers` has been replaced with `admissionController.extraInitContainers`
+- `extraContainers` has been replaced with `admissionController.extraContainers`
+- `podLabels` has been replaced with `admissionController.podLabels`
+- `podAnnotations` has been replaced with `admissionController.podAnnotations`
+
 - Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above.
 
 - Image tags are now validated and must be strings, if you use image tags in the `1.35` form please add quotes around the tag value. 

charts/kyverno/ci/extraContainers-values.yaml

@@ -1,9 +1,10 @@
-extraContainers:
-  - name: myapp-container
-    image: busybox
-    command: ['sh', '-c', 'echo Hello && sleep 3600']
+admissionController:
+  extraContainers:
+    - name: myapp-container
+      image: busybox
+      command: ['sh', '-c', 'echo Hello && sleep 3600']
 
-extraInitContainers:
-  - name: init-container
-    image: busybox
-    command: ['sh', '-c', 'echo Hello']
+  extraInitContainers:
+    - name: init-container
+      image: busybox
+      command: ['sh', '-c', 'echo Hello']

charts/kyverno/templates/admission-controller/deployment.yaml

@@ -19,10 +19,10 @@ spec:
     metadata:
       labels:
         {{- include "kyverno.admission-controller.labels" . | nindent 8 }}
-        {{- range $key, $value := .Values.podLabels }}
+        {{- range $key, $value := .Values.admissionController.podLabels }}
         {{ $key }}: {{ $value }}
         {{- end }}
-      {{- with .Values.podAnnotations }}
+      {{- with .Values.admissionController.podAnnotations }}
       annotations: {{ tpl (toYaml .) $ | nindent 8 }}
       {{- end }}
     spec:
@@ -74,15 +74,15 @@ spec:
       {{- end }}
       serviceAccountName: {{ template "kyverno.admission-controller.serviceAccountName" . }}
       initContainers:
-      {{- if .Values.extraInitContainers }}
-        {{- toYaml .Values.extraInitContainers | nindent 8 }}
-      {{- end }}
+        {{- with .Values.admissionController.extraInitContainers }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
         - name: kyverno-pre
           image: {{ include "kyverno.image" (dict "image" .Values.admissionController.initContainer.image "defaultTag" (default .Chart.AppVersion .Values.admissionController.container.image.tag)) | quote }}
           imagePullPolicy: {{ default .Values.admissionController.container.image.pullPolicy .Values.admissionController.initContainer.image.pullPolicy }}
-          {{- if .Values.initContainer.extraArgs }}
+          {{- with .Values.admissionController.initContainer.extraArgs }}
           args:
-              {{- tpl (toYaml .Values.initContainer.extraArgs) . | nindent 12 }}
+            {{- tpl (toYaml .) $ | nindent 12 }}
           {{- end }}
           {{- with .Values.admissionController.initContainer.resources }}
           resources:
@@ -105,21 +105,21 @@ spec:
                 fieldPath: metadata.name
           - name: KYVERNO_DEPLOYMENT
             value: {{ template "kyverno.fullname" . }}
-          {{- with .Values.envVarsInit }}
+          {{- with .Values.admissionController.initContainer.extraEnvVars }}
           {{- toYaml . | nindent 10 }}
           {{- end }}
       containers:
-      {{- if .Values.extraContainers }}
-        {{- toYaml .Values.extraContainers | nindent 8 }}
-      {{- end }}
+        {{- with .Values.admissionController.extraContainers }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
         - name: kyverno
           image: {{ include "kyverno.image" (dict "image" .Values.admissionController.container.image "defaultTag" .Chart.AppVersion) | quote }}
           imagePullPolicy: {{ .Values.admissionController.container.image.pullPolicy }}
-          {{- if or .Values.extraArgs .Values.imagePullSecrets }}
+          {{- if or .Values.admissionController.container.extraArgs .Values.imagePullSecrets }}
           args:
             - --servicePort={{ .Values.admissionController.service.port }}
-            {{- if .Values.extraArgs -}}
-              {{ tpl (toYaml .Values.extraArgs) . | nindent 12 }}
+            {{- if .Values.admissionController.container.extraArgs -}}
+              {{ tpl (toYaml .Values.admissionController.container.extraArgs) . | nindent 12 }}
             {{- end }}
             {{- if or .Values.imagePullSecrets .Values.existingImagePullSecrets }}
             - --imagePullSecrets={{- join "," (concat (keys .Values.imagePullSecrets) .Values.existingImagePullSecrets) }}
@@ -158,7 +158,7 @@ spec:
             value: {{ template "kyverno.admission-controller.serviceName" . }}
           - name: TUF_ROOT
             value: {{ .Values.admissionController.tufRootMountPath }}
-          {{- with .Values.envVars }}
+          {{- with .Values.admissionController.container.extraEnvVars }}
           {{- toYaml . | nindent 10 }}
           {{- end }}
           - name: KYVERNO_DEPLOYMENT

charts/kyverno/values.yaml

@@ -203,19 +203,6 @@ rbac:
     annotations: {}
       # example.com/annotation: value
 
-initContainer:
-  # -- Extra arguments to give to the kyvernopre binary.
-  extraArgs:
-    - --loggingFormat=text
-
-# -- Additional labels to add to each pod
-podLabels: {}
-  # example.com/label: foo
-
-# -- Additional annotations to add to each pod
-podAnnotations: {}
-  # example.com/annotation: foo
-
 # -- Security context for the containers
 securityContext:
   runAsNonRoot: true
@@ -228,30 +215,6 @@ securityContext:
   seccompProfile:
     type: RuntimeDefault
 
-# -- Env variables for initContainers.
-envVarsInit: {}
-
-# -- Env variables for containers.
-envVars: {}
-
-# -- Extra arguments to give to the binary.
-extraArgs:
-  - --loggingFormat=text
-
-# -- Array of extra init containers
-extraInitContainers: []
-# Example:
-# - name: init-container
-#   image: busybox
-#   command: ['sh', '-c', 'echo Hello']
-
-# -- Array of extra containers to run alongside kyverno
-extraContainers: []
-# Example:
-# - name: myapp-container
-#   image: busybox
-#   command: ['sh', '-c', 'echo Hello && sleep 3600']
-
 # -- Additional resources to be added to controller RBAC permissions.
 generatecontrollerExtraResources: []
 # - ResourceA
@@ -302,6 +265,14 @@ admissionController:
   # -- (int) Desired number of pods
   replicas: ~
 
+  # -- Additional labels to add to each pod
+  podLabels: {}
+    # example.com/label: foo
+
+  # -- Additional annotations to add to each pod
+  podAnnotations: {}
+    # example.com/annotation: foo
+
   # -- Deployment update strategy.
   # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
   # @default -- See [values.yaml](values.yaml)
@@ -463,6 +434,13 @@ admissionController:
         cpu: 10m
         memory: 64Mi
 
+    # -- Additional container args.
+    extraArgs:
+      - --loggingFormat=text
+
+    # -- Additional container environment variables.
+    extraEnvVars: []
+
   container:
 
     image:
@@ -485,6 +463,25 @@ admissionController:
         cpu: 100m
         memory: 128Mi
 
+    # -- Additional container args.
+    extraArgs:
+      - --loggingFormat=text
+
+    # -- Additional container environment variables.
+    extraEnvVars: []
+
+  # -- Array of extra init containers
+  extraInitContainers: []
+    # - name: init-container
+    #   image: busybox
+    #   command: ['sh', '-c', 'echo Hello']
+
+  # -- Array of extra containers to run alongside kyverno
+  extraContainers: []
+    # - name: myapp-container
+    #   image: busybox
+    #   command: ['sh', '-c', 'echo Hello && sleep 3600']
+
   service:
     # -- Service port.
     port: 443

scripts/config/dev/kyverno.yaml

@@ -1,14 +1,3 @@
-initContainer:
-  extraArgs:
-    - --loggingFormat=json
-
-extraArgs:
-  - --loggingFormat=json
-  - --enableTracing
-  - --tracingAddress=tempo.monitoring
-  - --tracingPort=4317
-  - --enablePolicyException
-
 grafana:
   enabled: true
 
@@ -16,6 +5,18 @@ admissionController:
   serviceMonitor:
     enabled: true
 
+  initContainer:
+    extraArgs:
+      - --loggingFormat=json
+
+  container:
+    extraArgs:
+      - --loggingFormat=json
+      - --enableTracing
+      - --tracingAddress=tempo.monitoring
+      - --tracingPort=4317
+      - --enablePolicyException
+
 cleanupController:
   rbac:
     clusterRole:

scripts/config/standard/kyverno.yaml

@@ -1,10 +1,13 @@
-initContainer:
-  extraArgs:
-    - --loggingFormat=json
+admissionController:
 
-extraArgs:
-  - --loggingFormat=json
-  - --enablePolicyException
+  initContainer:
+    extraArgs:
+      - --loggingFormat=json
+
+  container:
+    extraArgs:
+      - --loggingFormat=json
+      - --enablePolicyException
 
 cleanupController:
   rbac: