Adding pod disruption budget (#1105)

Co-authored-by: Sertac Ozercan <sozercan@gmail.com>

cmd/build/helmify/kustomize-for-helm.yaml

@@ -152,3 +152,16 @@ webhooks:
       path: /v1/admitlabel
   name: check-ignore-label.gatekeeper.sh
   timeoutSeconds: HELMSUBST_VALIDATING_WEBHOOK_TIMEOUT
+---
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  name: gatekeeper-controller-manager
+  namespace: gatekeeper-system
+spec:
+  minAvailable: HELMSUBST_PDB_CONTROLLER_MANAGER_MINAVAILABLE
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+      gatekeeper.sh/operation: webhook
+      gatekeeper.sh/system: "yes"

cmd/build/helmify/replacements.go

@@ -39,4 +39,6 @@ var replacements = map[string]string{
     {{- if .Values.enableDeleteOperations }}
     - DELETE
     {{- end}}`,
+
+	"HELMSUBST_PDB_CONTROLLER_MANAGER_MINAVAILABLE": `{{ .Values.pdb.controllerManager.minAvailable }}`,
 }

cmd/build/helmify/static/README.md

@@ -31,6 +31,7 @@
 | podLabels                           | The labels to add to the Gatekeeper pods                                                                                                                                                                 | `{}` |
 | secretAnnotations                   | The annotations to add to the Gatekeeper secrets                                                                                                                                                       | `{}`                                                                      |
 | customResourceDefinitions.create    | Whether the release should install CRDs. Regardless of this value, Helm v3+ will install the CRDs if those are not present already. Use --skip-crds with helm install if you want to skip CRD creation | `true`                                                                    |
+| pdb.controllerManager.minAvailable  | The number of controller manager pods that must still be available after an eviction                                                                                                                   | 1                                                                         |
 
 ## Contributing Changes
 

cmd/build/helmify/static/values.yaml

@@ -58,3 +58,6 @@ audit:
       memory: 256Mi
 customResourceDefinitions:
   create: true
+pdb:
+  controllerManager:
+    minAvailable: 1

config/default/kustomization.yaml

@@ -16,6 +16,7 @@ bases:
 - ../crd
 - ../rbac
 - ../manager
+- ../pdb
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml
 - ../webhook
 - ../secret

config/pdb/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+- pdb.yaml

config/pdb/pdb.yaml

@@ -0,0 +1,10 @@
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  name: controller-manager
+spec:
+  minAvailable: 1
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+      gatekeeper.sh/operation: webhook

manifest_staging/charts/gatekeeper/README.md

@@ -31,6 +31,7 @@
 | podLabels                           | The labels to add to the Gatekeeper pods                                                                                                                                                                 | `{}` |
 | secretAnnotations                   | The annotations to add to the Gatekeeper secrets                                                                                                                                                       | `{}`                                                                      |
 | customResourceDefinitions.create    | Whether the release should install CRDs. Regardless of this value, Helm v3+ will install the CRDs if those are not present already. Use --skip-crds with helm install if you want to skip CRD creation | `true`                                                                    |
+| pdb.controllerManager.minAvailable  | The number of controller manager pods that must still be available after an eviction                                                                                                                   | 1                                                                         |
 
 ## Contributing Changes
 

manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml

@@ -0,0 +1,22 @@
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  labels:
+    app: '{{ template "gatekeeper.name" . }}'
+    chart: '{{ template "gatekeeper.name" . }}'
+    gatekeeper.sh/system: "yes"
+    heritage: '{{ .Release.Service }}'
+    release: '{{ .Release.Name }}'
+  name: gatekeeper-controller-manager
+  namespace: gatekeeper-system
+spec:
+  minAvailable: {{ .Values.pdb.controllerManager.minAvailable }}
+  selector:
+    matchLabels:
+      app: '{{ template "gatekeeper.name" . }}'
+      chart: '{{ template "gatekeeper.name" . }}'
+      control-plane: controller-manager
+      gatekeeper.sh/operation: webhook
+      gatekeeper.sh/system: "yes"
+      heritage: '{{ .Release.Service }}'
+      release: '{{ .Release.Name }}'

manifest_staging/charts/gatekeeper/values.yaml

@@ -58,3 +58,6 @@ audit:
       memory: 256Mi
 customResourceDefinitions:
   create: true
+pdb:
+  controllerManager:
+    minAvailable: 1

manifest_staging/deploy/gatekeeper.yaml

@@ -821,6 +821,21 @@ spec:
           defaultMode: 420
           secretName: gatekeeper-webhook-server-cert
 ---
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  labels:
+    gatekeeper.sh/system: "yes"
+  name: gatekeeper-controller-manager
+  namespace: gatekeeper-system
+spec:
+  minAvailable: 1
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+      gatekeeper.sh/operation: webhook
+      gatekeeper.sh/system: "yes"
+---
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: ValidatingWebhookConfiguration
 metadata: