mirror of https://github.com/kyverno/kyverno.git synced 2025-03-05 07:26:55 +00:00

refactor: helm chart crds management (#6067)

* refactor: helm chart crds management

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Charles-Edouard Brétéché 2023-01-20 22:01:33 +01:00 committed by GitHub
parent 8b818b903d
commit e191a21b4d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 49 additions and 67 deletions


@ -440,15 +440,15 @@ codegen-helm-docs: ## Generate helm docs
codegen-helm-crds: codegen-crds-all ## Generate helm CRDs
@echo Generate helm crds... >&2
@cat $(CRDS_PATH)/* \
| $(SED) -e '1i{{- if .Values.installCRDs }}' \
| $(SED) -e '1i{{- if .Values.crds.install }}' \
| $(SED) -e '$$a{{- end }}' \
| $(SED) -e '/^ creationTimestamp: null/i \ \ \ \ {{- with .Values.crds.annotations }}' \
| $(SED) -e '/^ creationTimestamp: null/i \ \ \ \ {{- toYaml . | nindent 4 }}' \
| $(SED) -e '/^ creationTimestamp: null/i \ \ \ \ {{- end }}' \
| $(SED) -e '/^ creationTimestamp: null/a \ \ \ \ {{- include "kyverno.crdLabels" . | nindent 4 }}' \
| $(SED) -e '/^ creationTimestamp: null/a \ \ \ \ {{- include "kyverno.crd.labels" . | nindent 4 }}' \
| $(SED) -e '/^ creationTimestamp: null/a \ \ labels:' \
| $(SED) -e '/^ creationTimestamp: null/d' \
> ./charts/kyverno/templates/crds.yaml
> ./charts/kyverno/templates/crds/crds.yaml
.PHONY: codegen-helm-all
codegen-helm-all: codegen-helm-crds codegen-helm-docs ## Generate helm docs and CRDs
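Review bot: The `codegen-helm-crds` recipe redirects the whole `cat $(CRDS_PATH)/* | $(SED) …` pipeline straight into `./charts/kyverno/templates/crds/crds.yaml`, so the shell truncates the chart template before any stage runs. Unless the Makefile enables `pipefail` somewhere outside this hunk, only the last `$(SED)` decides the exit status. If `cat` fails or the glob matches nothing, the chart can be left with an empty or partial CRD template while make reports success, and that file is what gets packaged and installed. Consider running the recipe under `set -o pipefail` and writing to a temporary file that is renamed only on success, e.g. ending with `> ./charts/kyverno/templates/crds/crds.yaml.tmp && mv -f ./charts/kyverno/templates/crds/crds.yaml.tmp ./charts/kyverno/templates/crds/crds.yaml`.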


@ -117,6 +117,7 @@ In `v3` chart values changed significantly, please read the instructions below t
- `config.existingConfig` has been replaced with `config.create` and `config.name` to __support bring your own config__
- `config.existingMetricsConfig` has been replaced with `metricsConfig.create` and `metricsConfig.name` to __support bring your own config__
- `namespace` has been renamed `namespaceOverride`
- `installCRDs` has been replaced with `crds.install`
## Uninstalling the Chart
@ -135,6 +136,8 @@ The command removes all the Kubernetes components associated with the chart and
| nameOverride | string | `nil` | Override the name of the chart |
| fullnameOverride | string | `nil` | Override the expanded name of the chart |
| namespaceOverride | string | `nil` | Override the namespace the chart deploys to |
| crds.install | bool | `true` | Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created |
| crds.annotations | object | `{}` | Additional CRDs annotations |
| config.create | bool | `true` | Create the configmap. |
| config.name | string | `nil` | The configmap name (required if `create` is `false`). |
| config.annotations | object | `{}` | Additional annotations to add to the configmap. |
@ -225,8 +228,6 @@ The command removes all the Kubernetes components associated with the chart and
| serviceMonitor.secure | bool | `false` | Is TLS required for endpoint |
| serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint |
| createSelfSignedCert | bool | `false` | Kyverno requires a certificate key pair and corresponding certificate authority to properly register its webhooks. This can be done in one of 3 ways: 1) Use kube-controller-manager to generate a CA-signed certificate (preferred) 2) Provide your own CA and cert. In this case, you will need to create a certificate with a specific name and data structure. As long as you follow the naming scheme, it will be automatically picked up. kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entries named tls.key and tls.crt) kyverno-svc.kyverno.svc.kyverno-tls-pair (with data entries named tls.key and tls.crt) 3) Let Helm generate a self signed cert, by setting createSelfSignedCert true If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false |
| installCRDs | bool | `true` | Whether to have Helm install the Kyverno CRDs. If the CRDs are not installed by Helm, they must be added before policies can be created. |
| crds.annotations | object | `{}` | Additional CRDs annotations. |
| networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
| networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
| webhooksCleanup.enabled | bool | `false` | Create a helm pre-delete hook to cleanup webhooks. |


@ -117,6 +117,7 @@ In `v3` chart values changed significantly, please read the instructions below t
- `config.existingConfig` has been replaced with `config.create` and `config.name` to __support bring your own config__
- `config.existingMetricsConfig` has been replaced with `metricsConfig.create` and `metricsConfig.name` to __support bring your own config__
- `namespace` has been renamed `namespaceOverride`
- `installCRDs` has been replaced with `crds.install`
## Uninstalling the Chart


@ -42,21 +42,6 @@ app.kubernetes.io/version: {{ .Chart.Version | replace "+" "_" }}
{{- end -}}
{{- end -}}
{{/* CRD labels */}}
{{- define "kyverno.crdLabels" -}}
app.kubernetes.io/component: kyverno
{{- with (include "kyverno.helmLabels" .) }}
{{ . }}
{{- end }}
{{- with (include "kyverno.matchLabels" .) }}
{{ . }}
{{- end }}
app.kubernetes.io/part-of: {{ template "kyverno.name" . }}
{{- with (include "kyverno.versionLabels" .) }}
{{ . }}
{{- end }}
{{- end -}}
{{/* Helm required labels */}}
{{- define "kyverno.labels" -}}
app.kubernetes.io/component: kyverno


@ -0,0 +1,8 @@
{{/* vim: set filetype=mustache: */}}
{{- define "kyverno.crd.labels" -}}
app.kubernetes.io/part-of: {{ template "kyverno.name" . }}
{{- with (include "kyverno.helmLabels" .) -}}{{- . | trim | nindent 0 -}}{{- end -}}
{{- with (include "kyverno.matchLabels" .) -}}{{- . | trim | nindent 0 -}}{{- end -}}
{{- with (include "kyverno.versionLabels" .) -}}{{- . | trim | nindent 0 -}}{{- end -}}
{{- end -}}
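Review bot: `kyverno.crd.labels` no longer emits `app.kubernetes.io/component: kyverno`, which the removed `kyverno.crdLabels` helper did, so every CRD rendered by the chart loses that label even though the commit is described as a refactor. Label selectors in cleanup or inventory tooling that match the CRDs on that label would stop matching after an upgrade; if the drop is intended, it deserves a line in the upgrade notes next to the `installCRDs` rename. The new define also lost the descriptive comment the old helper had; a `{{/* Labels applied to every CRD rendered by the chart */}}` line above it would restore it.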


@ -1,4 +1,4 @@
{{- if .Values.installCRDs }}
{{- if .Values.crds.install }}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@ -9,7 +9,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "kyverno.crdLabels" . | nindent 4 }}
{{- include "kyverno.crd.labels" . | nindent 4 }}
name: admissionreports.kyverno.io
spec:
group: kyverno.io
@ -354,7 +354,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "kyverno.crdLabels" . | nindent 4 }}
{{- include "kyverno.crd.labels" . | nindent 4 }}
name: backgroundscanreports.kyverno.io
spec:
group: kyverno.io
@ -659,7 +659,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "kyverno.crdLabels" . | nindent 4 }}
{{- include "kyverno.crd.labels" . | nindent 4 }}
name: cleanuppolicies.kyverno.io
spec:
group: kyverno.io
@ -1707,7 +1707,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "kyverno.crdLabels" . | nindent 4 }}
{{- include "kyverno.crd.labels" . | nindent 4 }}
name: clusteradmissionreports.kyverno.io
spec:
group: kyverno.io
@ -2053,7 +2053,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "kyverno.crdLabels" . | nindent 4 }}
{{- include "kyverno.crd.labels" . | nindent 4 }}
name: clusterbackgroundscanreports.kyverno.io
spec:
group: kyverno.io
@ -2358,7 +2358,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "kyverno.crdLabels" . | nindent 4 }}
{{- include "kyverno.crd.labels" . | nindent 4 }}
name: clustercleanuppolicies.kyverno.io
spec:
group: kyverno.io
@ -3406,7 +3406,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "kyverno.crdLabels" . | nindent 4 }}
{{- include "kyverno.crd.labels" . | nindent 4 }}
name: clusterpolicies.kyverno.io
spec:
group: kyverno.io
@ -16516,7 +16516,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "kyverno.crdLabels" . | nindent 4 }}
{{- include "kyverno.crd.labels" . | nindent 4 }}
name: policies.kyverno.io
spec:
group: kyverno.io
@ -29629,7 +29629,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "kyverno.crdLabels" . | nindent 4 }}
{{- include "kyverno.crd.labels" . | nindent 4 }}
name: policyexceptions.kyverno.io
spec:
group: kyverno.io
@ -30116,7 +30116,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "kyverno.crdLabels" . | nindent 4 }}
{{- include "kyverno.crd.labels" . | nindent 4 }}
name: updaterequests.kyverno.io
spec:
group: kyverno.io
@ -30507,7 +30507,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "kyverno.crdLabels" . | nindent 4 }}
{{- include "kyverno.crd.labels" . | nindent 4 }}
name: clusterpolicyreports.wgpolicyk8s.io
spec:
group: wgpolicyk8s.io
@ -30874,7 +30874,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "kyverno.crdLabels" . | nindent 4 }}
{{- include "kyverno.crd.labels" . | nindent 4 }}
name: policyreports.wgpolicyk8s.io
spec:
group: wgpolicyk8s.io


@ -14,6 +14,15 @@ fullnameOverride: ~
# -- (string) Override the namespace the chart deploys to
namespaceOverride: ~
crds:
# -- Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created
install: true
# -- Additional CRDs annotations
annotations: {}
# argocd.argoproj.io/sync-options: Replace=true
# strategy.spinnaker.io/replace: 'true'
config:
# -- Create the configmap.
@ -468,16 +477,6 @@ serviceMonitor:
# If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false
createSelfSignedCert: false
# -- Whether to have Helm install the Kyverno CRDs.
# If the CRDs are not installed by Helm, they must be added before policies can be created.
installCRDs: true
crds:
# -- Additional CRDs annotations.
annotations: {}
# argocd.argoproj.io/sync-options: Replace=true
# strategy.spinnaker.io/replace: 'true'
networkPolicy:
# -- When true, use a NetworkPolicy to allow ingress to the webhook
# This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
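Review bot: A values file that still sets `installCRDs: false` is now silently ignored, because the templates read only `crds.install`, which defaults to `true` here. A cluster whose CRDs are managed outside Helm would have Helm start rendering them on upgrade. The rename is listed in the README upgrade notes, but nothing in the chart rejects the old key. Consider a guard in a template, for example `{{- if hasKey .Values "installCRDs" }}{{ fail "installCRDs has been replaced with crds.install" }}{{- end }}`, so the upgrade stops instead of changing who manages the CRDs unnoticed.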


@ -82,10 +82,9 @@ metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.1
labels:
app.kubernetes.io/component: kyverno
app.kubernetes.io/part-of: kyverno
app: kyverno
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
name: admissionreports.kyverno.io
spec:
@ -428,10 +427,9 @@ metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.1
labels:
app.kubernetes.io/component: kyverno
app.kubernetes.io/part-of: kyverno
app: kyverno
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
name: backgroundscanreports.kyverno.io
spec:
@ -734,10 +732,9 @@ metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.1
labels:
app.kubernetes.io/component: kyverno
app.kubernetes.io/part-of: kyverno
app: kyverno
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
name: cleanuppolicies.kyverno.io
spec:
@ -1783,10 +1780,9 @@ metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.1
labels:
app.kubernetes.io/component: kyverno
app.kubernetes.io/part-of: kyverno
app: kyverno
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
name: clusteradmissionreports.kyverno.io
spec:
@ -2130,10 +2126,9 @@ metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.1
labels:
app.kubernetes.io/component: kyverno
app.kubernetes.io/part-of: kyverno
app: kyverno
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
name: clusterbackgroundscanreports.kyverno.io
spec:
@ -2436,10 +2431,9 @@ metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.1
labels:
app.kubernetes.io/component: kyverno
app.kubernetes.io/part-of: kyverno
app: kyverno
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
name: clustercleanuppolicies.kyverno.io
spec:
@ -3485,10 +3479,9 @@ metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.1
labels:
app.kubernetes.io/component: kyverno
app.kubernetes.io/part-of: kyverno
app: kyverno
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
name: clusterpolicies.kyverno.io
spec:
@ -16596,10 +16589,9 @@ metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.1
labels:
app.kubernetes.io/component: kyverno
app.kubernetes.io/part-of: kyverno
app: kyverno
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
name: policies.kyverno.io
spec:
@ -29710,10 +29702,9 @@ metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.1
labels:
app.kubernetes.io/component: kyverno
app.kubernetes.io/part-of: kyverno
app: kyverno
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
name: policyexceptions.kyverno.io
spec:
@ -30198,10 +30189,9 @@ metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.1
labels:
app.kubernetes.io/component: kyverno
app.kubernetes.io/part-of: kyverno
app: kyverno
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
name: updaterequests.kyverno.io
spec:
@ -30590,10 +30580,9 @@ metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.1
labels:
app.kubernetes.io/component: kyverno
app.kubernetes.io/part-of: kyverno
app: kyverno
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
name: clusterpolicyreports.wgpolicyk8s.io
spec:
@ -30958,10 +30947,9 @@ metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.1
labels:
app.kubernetes.io/component: kyverno
app.kubernetes.io/part-of: kyverno
app: kyverno
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
name: policyreports.wgpolicyk8s.io
spec: