chore: Prepare v3.9.0-beta.1 release (#2057)
Signed-off-by: Max Smythe <smythe@google.com>

Co-authored-by: maxsmythe <maxsmythe@users.noreply.github.com>
github-actions[bot] and maxsmythe committed May 19, 2022
1 parent 08f2899 commit 206bbe9
Showing 19 changed files with 77 additions and 32 deletions.
2 changes: 1 addition & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ DEV_TAG ?= dev
USE_LOCAL_IMG ?= false
ENABLE_EXTERNAL_DATA ?= false

VERSION := v3.9.0-beta.0
VERSION := v3.9.0-beta.1

KIND_VERSION ?= 0.13.0
# note: k8s version pinned since KIND image availability lags k8s releases
4 changes: 2 additions & 2 deletions charts/gatekeeper/Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,8 @@ description: A Helm chart for Gatekeeper
name: gatekeeper
keywords:
- open policy agent
version: 3.9.0-beta.0
version: 3.9.0-beta.1
home: https://github.com/open-policy-agent/gatekeeper
sources:
- https://github.com/open-policy-agent/gatekeeper.git
appVersion: v3.9.0-beta.0
appVersion: v3.9.0-beta.1
8 changes: 5 additions & 3 deletions charts/gatekeeper/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -66,13 +66,13 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
| :-------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ |
| postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` |
| postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` |
| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.9.0-beta.0` |
| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.9.0-beta.1` |
| postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` |
| postInstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
| preUninstall.deleteWebhooks.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` |
| preUninstall.deleteWebhooks.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` |
| preUninstall.deleteWebhooks.image.tag | Image tag | Current release version: `v3.9.0-beta.0` |
| preUninstall.deleteWebhooks.image.tag | Image tag | Current release version: `v3.9.0-beta.1` |
| preUninstall.deleteWebhooks.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| preUninstall.deleteWebhooks.image.pullSecrets | Image pullSecrets | `[]` |
| preUninstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
Expand All @@ -88,6 +88,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
| disableMutation | Disable mutation | `false` |
| validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` |
| validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` |
| validatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's validation webhook unless measures are taken to control how exemption labels can be set. | `{}` |
| validatingWebhookCheckIgnoreFailurePolicy | The failurePolicy for the check-ignore-label validating webhook | `Fail` |
| validatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the validating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` |
| validatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. Mutually exclusive with `enableDeleteOperations`. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` |
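Review bot: The new `validatingWebhookObjectSelector` row warns that an exemption label lets users circumvent the validation webhook "unless measures are taken to control how exemption labels can be set", but it never says what those measures are. Labels on an object are set by whoever creates or updates that object, which is a far wider group than the "capable to manage namespaces" group the namespace-label row warns about. Please state the control that is expected to be in place and show one example selector value, so readers know what replaces `{}` and what they are signing up for.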
Expand All @@ -97,6 +98,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
| mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook | `Ignore` |
| mutatingWebhookReinvocationPolicy | The reinvocationPolicy for the mutating webhook | `Never` |
| mutatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the mutating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` |
| mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's mutation webhook unless measures are taken to control how exemption labels can be set. | `{}` |
| mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` |
| mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` |
| emitAdmissionEvents | Emit K8s events in gatekeeper namespace for admission violations (alpha feature) | `false` |
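Review bot: The default for `mutatingWebhookTimeoutSeconds` in the row directly below the new `mutatingWebhookObjectSelector` entry is listed as `3`, but values.yaml in this same commit has `mutatingWebhookTimeoutSeconds: 1`. One of the two is wrong; please align them while this table is being touched. The row directly above the new entry also says namespace labels allow skipping "all Gatekeeper validation" although it describes the mutating webhook, which reads like a copy of the validating row.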
Expand All @@ -105,7 +107,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
| logLevel | Minimum log level | `INFO` |
| image.pullPolicy | The image pull policy | `IfNotPresent` |
| image.repository | Image repository | `openpolicyagent/gatekeeper` |
| image.release | The image release tag to use | Current release version: `v3.9.0-beta.0` |
| image.release | The image release tag to use | Current release version: `v3.9.0-beta.1` |
| image.pullSecrets | Specify an array of imagePullSecrets | `[]` |
| resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi |
| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
7 changes: 7 additions & 0 deletions charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,13 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: CONTAINER_NAME
value: manager
imagePullPolicy: '{{ .Values.image.pullPolicy }}'
livenessProbe:
httpGet:
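Review bot: `CONTAINER_NAME` is hard-coded to `manager`, so if it is meant to track the container's name in this pod spec it will silently go stale when that container is renamed. A comment beside the value saying what it must match, and what reads `NAMESPACE` and `CONTAINER_NAME`, would help. The new `NAMESPACE` fieldRef also sets `apiVersion: v1` while the existing fieldRef for `metadata.name` directly above it does not; pick one form for both.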
Original file line number Diff line number Diff line change
Expand Up @@ -84,6 +84,13 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: CONTAINER_NAME
value: manager
imagePullPolicy: '{{ .Values.image.pullPolicy }}'
livenessProbe:
httpGet:
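Review bot: These seven added lines are identical to the ones added in the audit deployment hunk above. Two hand-maintained copies of the `NAMESPACE` / `CONTAINER_NAME` block will drift; consider a shared named template that both deployments include, or at least a comment in each copy pointing at the other.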
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ webhooks:
operator: NotIn
value: {{ $value }}
{{- end }}
objectSelector: {{ toYaml .Values.mutatingWebhookObjectSelector }}
reinvocationPolicy: {{ .Values.mutatingWebhookReinvocationPolicy }}
rules:
{{- if .Values.mutatingWebhookCustomRules }}
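Review bot: `objectSelector: {{ toYaml .Values.mutatingWebhookObjectSelector }}` only renders valid YAML for the default `{}`. For a non-empty selector, `toYaml` emits block-style, multi-line output, so the first key lands on the same line as `objectSelector:` and the remaining lines are not indented under it, and the manifest fails to parse. Put the value on its own lines with `{{- toYaml .Values.mutatingWebhookObjectSelector | nindent N }}` at this key's depth, and add a render test that uses a non-empty selector.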
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ webhooks:
operator: NotIn
value: {{ $value }}
{{- end }}
objectSelector: {{ toYaml .Values.validatingWebhookObjectSelector }}
rules:
{{- if .Values.validatingWebhookCustomRules }}
{{- toYaml .Values.validatingWebhookCustomRules | nindent 2 }}
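Review bot: Same inline `toYaml` problem as in the mutating webhook template: `objectSelector: {{ toYaml .Values.validatingWebhookObjectSelector }}` breaks as soon as the value is anything other than `{}`. The custom-rules line two lines further down already uses the right form, `{{- toYaml .Values.validatingWebhookCustomRules | nindent 2 }}`; follow it here with the indent that fits this key.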
6 changes: 6 additions & 0 deletions charts/gatekeeper/templates/namespace-post-install.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,9 @@ spec:
- label
- ns
- {{ .Release.Namespace }}
{{- range .Values.postInstall.labelNamespace.extraNamespaces }}
- {{ . }}
{{- end }}
- admission.gatekeeper.sh/ignore=no-self-managing
- --overwrite
securityContext:
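Review bot: Every entry in `postInstall.labelNamespace.extraNamespaces` gets `admission.gatekeeper.sh/ignore=no-self-managing` applied with `--overwrite`, yet the README changes in this commit add no row for the new value. That label exempts a namespace from Gatekeeper's admission webhooks, so the list is security-relevant configuration; please document it in the README table and say plainly what listing a namespace there does.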
Expand Down Expand Up @@ -76,6 +79,9 @@ rules:
- patch
resourceNames:
- {{ .Release.Namespace }}
{{- range .Values.postInstall.labelNamespace.extraNamespaces }}
- {{ . }}
{{- end }}
{{- end }}
---
{{- if .Values.rbac.create }}
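Review bot: `- {{ . }}` writes each namespace name unquoted into `resourceNames`. A name that YAML reads as a non-string, such as an all-digit namespace, will not render as the string the Role needs; use `- {{ . | quote }}` here. Please also keep this loop in step with the one that builds the `kubectl label` arguments, so the Role never grants `patch` on a namespace the job does not label.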
5 changes: 4 additions & 1 deletion charts/gatekeeper/templates/upgrade-crds-hook.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -95,7 +95,10 @@ spec:
{{- toYaml .Values.crds.resources | nindent 10 }}
securityContext:
{{- toYaml .Values.crds.securityContext | nindent 10 }}
affinity:
{{- toYaml .Values.upgradeCRDs.affinity | nindent 8 }}
nodeSelector:
kubernetes.io/os: linux

tolerations:
{{- toYaml .Values.upgradeCRDs.tolerations | nindent 8 }}
{{- end }}
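Review bot: `.Values.upgradeCRDs.affinity` is referenced in the new `affinity:` block, but the values.yaml hunk in this commit only adds `tolerations: []` under `upgradeCRDs`, so `affinity` has no declared default and is rendered from an unset value. Add `affinity: {}` next to `tolerations` in values.yaml, and give both keys a row in the README table.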
10 changes: 7 additions & 3 deletions charts/gatekeeper/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ disableValidatingWebhook: false
validatingWebhookTimeoutSeconds: 3
validatingWebhookFailurePolicy: Ignore
validatingWebhookExemptNamespacesLabels: {}
validatingWebhookObjectSelector: {}
validatingWebhookCheckIgnoreFailurePolicy: Fail
validatingWebhookCustomRules: {}
enableDeleteOperations: false
Expand All @@ -16,6 +17,7 @@ enableTLSHealthcheck: false
mutatingWebhookFailurePolicy: Ignore
mutatingWebhookReinvocationPolicy: Never
mutatingWebhookExemptNamespacesLabels: {}
mutatingWebhookObjectSelector: {}
mutatingWebhookTimeoutSeconds: 1
mutatingWebhookCustomRules: {}
mutationAnnotations: false
Expand All @@ -31,9 +33,10 @@ postInstall:
enabled: true
image:
repository: openpolicyagent/gatekeeper-crds
tag: v3.9.0-beta.0
tag: v3.9.0-beta.1
pullPolicy: IfNotPresent
pullSecrets: []
extraNamespaces: []
securityContext:
allowPrivilegeEscalation: false
capabilities:
Expand All @@ -48,7 +51,7 @@ preUninstall:
enabled: false
image:
repository: openpolicyagent/gatekeeper-crds
tag: v3.9.0-beta.0
tag: v3.9.0-beta.1
pullPolicy: IfNotPresent
pullSecrets: []
securityContext:
Expand All @@ -63,7 +66,7 @@ preUninstall:
image:
repository: openpolicyagent/gatekeeper
crdRepository: openpolicyagent/gatekeeper-crds
release: v3.9.0-beta.0
release: v3.9.0-beta.1
pullPolicy: IfNotPresent
pullSecrets: []
podAnnotations:
Expand Down Expand Up @@ -156,5 +159,6 @@ psp:
enabled: true
upgradeCRDs:
enabled: true
tolerations: []
rbac:
create: true
4 changes: 2 additions & 2 deletions cmd/build/helmify/static/Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,8 @@ description: A Helm chart for Gatekeeper
name: gatekeeper
keywords:
- open policy agent
version: 3.9.0-beta.0
version: 3.9.0-beta.1
home: https://github.com/open-policy-agent/gatekeeper
sources:
- https://github.com/open-policy-agent/gatekeeper.git
appVersion: v3.9.0-beta.0
appVersion: v3.9.0-beta.1
