feat(helm): allow configuring the webhooks to be removed before gatek…

…eeper itself is uninstalled (#1770) * feat(helm): allow configuring the webhooks to be removed before gatekeeper itself is uninstalled Signed-off-by: Mitch Hulscher <mitch.hulscher@lib.io> * fix(helm): rename `preUninstall.deleteWebhooks` to `preUninstall.deleteWebhookConfigurations` Signed-off-by: Mitch Hulscher <mitch.hulscher@lib.io>
open-policy-agent · Jan 11, 2022 · fbb5d2b · fbb5d2b
1 parent 5cad222
commit fbb5d2b
Show file tree

Hide file tree

Showing 6 changed files with 388 additions and 120 deletions.
diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md
diff --git a/cmd/build/helmify/static/templates/webhook-configs-pre-delete.yaml b/cmd/build/helmify/static/templates/webhook-configs-pre-delete.yaml
@@ -0,0 +1,121 @@
+{{- if and (or (not .Values.disableValidatingWebhook) (not .Values.disableMutation)) .Values.preUninstall.deleteWebhookConfigurations.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: gatekeeper-delete-webhook-configs
+  labels:
+    app: '{{ template "gatekeeper.name" . }}'
+    chart: '{{ template "gatekeeper.name" . }}'
+    gatekeeper.sh/system: "yes"
+    heritage: '{{ .Release.Service }}'
+    release: '{{ .Release.Name }}'
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+spec:
+  template:
+    metadata:
+      labels:
+        app: '{{ template "gatekeeper.name" . }}'
+        release: '{{ .Release.Name }}'
+    spec:
+      restartPolicy: OnFailure
+      {{- if .Values.preUninstall.deleteWebhookConfigurations.image.pullSecrets }}
+      imagePullSecrets:
+      {{- .Values.preUninstall.deleteWebhookConfigurations.image.pullSecrets | toYaml | nindent 12 }}
+      {{- end }}
+      serviceAccount: gatekeeper-delete-webhook-configs
+      nodeSelector:
+        kubernetes.io/os: linux
+      containers:
+        - name: kubectl-delete
+          image: "{{ .Values.preUninstall.deleteWebhookConfigurations.image.repository }}:{{ .Values.preUninstall.deleteWebhookConfigurations.image.tag }}"
+          imagePullPolicy: {{ .Values.preUninstall.deleteWebhookConfigurations.image.pullPolicy }}
+          args:
+            - delete
+            {{- if not .Values.disableValidatingWebhook }}
+            - validatingwebhookconfiguration/gatekeeper-validating-webhook-configuration
+            {{- end }}
+            {{- if not .Values.disableMutation }}
+            - mutatingwebhookconfiguration/gatekeeper-mutating-webhook-configuration
+            {{- end }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - all
+            readOnlyRootFilesystem: true
+            runAsGroup: 999
+            runAsNonRoot: true
+            runAsUser: 1000
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: gatekeeper-delete-webhook-configs
+  labels:
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+---
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: gatekeeper-delete-webhook-configs
+  labels:
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+rules:
+  {{- if not .Values.disableValidatingWebhook }}
+  - apiGroups:
+      - admissionregistration.k8s.io
+    resources:
+      - validatingwebhookconfigurations
+    resourceNames:
+      - gatekeeper-validating-webhook-configuration
+    verbs:
+      - delete
+  {{- end }}
+  {{- if not .Values.disableMutation }}
+  - apiGroups:
+      - admissionregistration.k8s.io
+    resources:
+      - mutatingwebhookconfigurations
+    resourceNames:
+      - gatekeeper-mutating-webhook-configuration
+    verbs:
+      - delete
+  {{- end }}
+{{- end }}
+---
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: gatekeeper-delete-webhook-configs
+  labels:
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: gatekeeper-delete-webhook-configs
+subjects:
+  - kind: ServiceAccount
+    name: gatekeeper-delete-webhook-configs
+    namespace: {{ .Release.Namespace | quote }}
+{{- end }}
+{{- end }}
diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml
@@ -29,6 +29,14 @@ postInstall:
       tag: v3.7.0
       pullPolicy: IfNotPresent
       pullSecrets: []
+preUninstall:
+  deleteWebhookConfigurations:
+    enabled: false
+    image:
+      repository: openpolicyagent/gatekeeper-crds
+      tag: v3.7.0
+      pullPolicy: IfNotPresent
+      pullSecrets: []
 image:
   repository: openpolicyagent/gatekeeper
   crdRepository: openpolicyagent/gatekeeper-crds