diff --git a/cmd/build/helmify/kustomize-for-helm.yaml b/cmd/build/helmify/kustomize-for-helm.yaml
index 707912ce1dc..dbfaebc0483 100644
--- a/cmd/build/helmify/kustomize-for-helm.yaml
+++ b/cmd/build/helmify/kustomize-for-helm.yaml
@@ -62,6 +62,8 @@ metadata:
 namespace: gatekeeper-system
 spec:
 replicas: HELMSUBST_DEPLOYMENT_REPLICAS
+ strategy:
+ type: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_STRATEGY_TYPE
 template:
 metadata:
 annotations:
diff --git a/cmd/build/helmify/replacements.go b/cmd/build/helmify/replacements.go
index 66a3f03e334..5b543c4fe74 100644
--- a/cmd/build/helmify/replacements.go
+++ b/cmd/build/helmify/replacements.go
@@ -55,6 +55,8 @@ var replacements = map[string]string{
 `HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_AFFINITY: ""`: `{{- toYaml .Values.controllerManager.affinity | nindent 8 }}`,
+ "HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_STRATEGY_TYPE": `{{ .Values.controllerManager.strategyType }}`,
+
 `HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_SECURITY_CONTEXT: ""`: `{{- if .Values.enableRuntimeDefaultSeccompProfile }}
 seccompProfile:
 type: RuntimeDefault
diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md
index efc44605717..51e501b61db 100644
--- a/cmd/build/helmify/static/README.md
+++ b/cmd/build/helmify/static/README.md
@@ -27,7 +27,8 @@ _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documen
 ## Upgrade Chart
 **Upgrading from < v3.4.0**
-Chart 3.4.0 deprecates support for Helm 2 and also removes the creation of the `gatekeeper-system` Namespace from within the chart. This follows Helm 3 Best Practices.
+Chart 3.4.0 deprecates support for Helm 2 and also removes the creation of the `gatekeeper-system` Namespace from within
+the chart. This follows Helm 3 Best Practices.
 Option 1: A simple way to upgrade is to uninstall first and re-install with 3.4.0 or greater.
 
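Review bot: The added `strategy.type` line lets `controllerManager.strategyType` be set to `Recreate`, which stops every controller-manager replica before any new one starts, so the Deployment that serves Gatekeeper's admission webhook is unreachable for the whole rollout; whether that window rejects every admission request or skips policy enforcement depends on the webhook's failurePolicy, which is not part of this diff. The `replicas` and `podAntiAffinity` settings next to this hunk exist to keep the webhook available, and nothing in the values.yaml hunks or the README row says that this one value undoes them. I would put a comment above `strategyType: RollingUpdate` in both values.yaml hunks, e.g. `# Deployment strategy for the controller manager: RollingUpdate or Recreate. Recreate stops all replicas before starting new ones, so the admission webhook is unavailable for the whole rollout.` Nothing validates the value either, so a typo is only caught by the API server at install time rather than by `helm template`; since the staged chart under manifest_staging appears to be generated from cmd/build/helmify, the place for a guard is the new replacements.go entry, e.g. `{{ if not (has .Values.controllerManager.strategyType (list "RollingUpdate" "Recreate")) }}{{ fail "controllerManager.strategyType must be RollingUpdate or Recreate" }}{{ end }}{{ .Values.controllerManager.strategyType }}`. The same point applies to the gatekeeper-controller-manager-deployment.yaml and manifest_staging values.yaml hunks later in the diff.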
@@ -39,7 +40,9 @@ $ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --creat
 ```
 Option 2:
-Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the original release, while keeping all of the resources. It then updates the annotations of the resources so that the new chart can import and manage them.
+Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the
+original release, while keeping all of the resources. It then updates the annotations of the resources so that the new
+chart can import and manage them.
 ```console
 $ helm_migrate.sh
@@ -56,9 +59,12 @@ _See [helm 2 to 3](https://helm.sh/docs/topics/v2_v3_migration/) for Helm 2 migr
 ## Exempting Namespace
-The Helm chart automatically sets the Gatekeeper flag `--exempt-namespace={{ .Release.Namespace }}` in order to exempt the namespace where the chart is installed, and adds the `admission.gatekeeper.sh/ignore` label to the namespace during a post-install hook.
+The Helm chart automatically sets the Gatekeeper flag `--exempt-namespace={{ .Release.Namespace }}` in order to exempt
+the namespace where the chart is installed, and adds the `admission.gatekeeper.sh/ignore` label to the namespace during
+a post-install hook.
-_See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces) for more information._
+_See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces) for more
+information._
 ## Parameters
 
@@ -186,6 +192,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 | controllerManager.extraRules | Extra rules for the gatekeeper-manager-role Role | `[]` |
 | controllerManager.networkPolicy.enabled | Should a network policy for the controller manager be created | `false` |
 | controllerManager.networkPolicy.ingress | Additional ingress rules to be added to the controller manager network policy | `{}` |
+| controllerManager.strategyType | The strategy type to use for Controller Manager deployment | `RollingUpdate` |
 | audit.affinity | The node affinity to use for audit pod scheduling | `{}` |
 | audit.topologySpreadConstraints | The topology spread constraints to use for audit pod scheduling | `[]` |
 | audit.tolerations | The tolerations to use for audit pod scheduling | `[]` |
@@ -214,4 +221,6 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 ## Contributing Changes
-Please refer to [Contributing to Helm Chart](https://open-policy-agent.github.io/gatekeeper/website/docs/help#contributing-to-helm-chart) for modifying the Helm chart.
+Please refer
+to [Contributing to Helm Chart](https://open-policy-agent.github.io/gatekeeper/website/docs/help#contributing-to-helm-chart)
+for modifying the Helm chart.
diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml
index c85c425b911..6bb536cfcab 100644
--- a/cmd/build/helmify/static/values.yaml
+++ b/cmd/build/helmify/static/values.yaml
@@ -164,6 +164,7 @@ controllerManager:
 disableCertRotation: false
 tlsMinVersion: 1.3
 clientCertName: ""
+ strategyType: RollingUpdate
 affinity:
 podAntiAffinity:
 preferredDuringSchedulingIgnoredDuringExecution:
diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md
index efc44605717..51e501b61db 100644
--- a/manifest_staging/charts/gatekeeper/README.md
+++ b/manifest_staging/charts/gatekeeper/README.md
@@ -27,7 +27,8 @@ _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documen
 ## Upgrade Chart
 **Upgrading from < v3.4.0**
-Chart 3.4.0 deprecates support for Helm 2 and also removes the creation of the `gatekeeper-system` Namespace from within the chart. This follows Helm 3 Best Practices.
+Chart 3.4.0 deprecates support for Helm 2 and also removes the creation of the `gatekeeper-system` Namespace from within
+the chart. This follows Helm 3 Best Practices.
 Option 1: A simple way to upgrade is to uninstall first and re-install with 3.4.0 or greater.
@@ -39,7 +40,9 @@ $ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --creat
 ```
 Option 2:
-Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the original release, while keeping all of the resources. It then updates the annotations of the resources so that the new chart can import and manage them.
+Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the
+original release, while keeping all of the resources. It then updates the annotations of the resources so that the new
+chart can import and manage them.
 ```console
 $ helm_migrate.sh
 
@@ -56,9 +59,12 @@ _See [helm 2 to 3](https://helm.sh/docs/topics/v2_v3_migration/) for Helm 2 migr
 ## Exempting Namespace
-The Helm chart automatically sets the Gatekeeper flag `--exempt-namespace={{ .Release.Namespace }}` in order to exempt the namespace where the chart is installed, and adds the `admission.gatekeeper.sh/ignore` label to the namespace during a post-install hook.
+The Helm chart automatically sets the Gatekeeper flag `--exempt-namespace={{ .Release.Namespace }}` in order to exempt
+the namespace where the chart is installed, and adds the `admission.gatekeeper.sh/ignore` label to the namespace during
+a post-install hook.
-_See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces) for more information._
+_See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces) for more
+information._
 ## Parameters
@@ -186,6 +192,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 | controllerManager.extraRules | Extra rules for the gatekeeper-manager-role Role | `[]` |
 | controllerManager.networkPolicy.enabled | Should a network policy for the controller manager be created | `false` |
 | controllerManager.networkPolicy.ingress | Additional ingress rules to be added to the controller manager network policy | `{}` |
+| controllerManager.strategyType | The strategy type to use for Controller Manager deployment | `RollingUpdate` |
 | audit.affinity | The node affinity to use for audit pod scheduling | `{}` |
 | audit.topologySpreadConstraints | The topology spread constraints to use for audit pod scheduling | `[]` |
 | audit.tolerations | The tolerations to use for audit pod scheduling | `[]` |
 
@@ -214,4 +221,6 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 ## Contributing Changes
-Please refer to [Contributing to Helm Chart](https://open-policy-agent.github.io/gatekeeper/website/docs/help#contributing-to-helm-chart) for modifying the Helm chart.
+Please refer
+to [Contributing to Helm Chart](https://open-policy-agent.github.io/gatekeeper/website/docs/help#contributing-to-helm-chart)
+for modifying the Helm chart.
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml
index 95ddefa3aec..a1f11edc794 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml
@@ -22,6 +22,8 @@ spec:
 gatekeeper.sh/system: "yes"
 heritage: '{{ .Release.Service }}'
 release: '{{ .Release.Name }}'
+ strategy:
+ type: {{ .Values.controllerManager.strategyType }}
 template:
 metadata:
 annotations:
diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml
index c85c425b911..6bb536cfcab 100644
--- a/manifest_staging/charts/gatekeeper/values.yaml
+++ b/manifest_staging/charts/gatekeeper/values.yaml
@@ -164,6 +164,7 @@ controllerManager:
 disableCertRotation: false
 tlsMinVersion: 1.3
 clientCertName: ""
+ strategyType: RollingUpdate
 affinity:
 podAntiAffinity:
 preferredDuringSchedulingIgnoredDuringExecution: