feat: Allow Helm to manage namespace where objects are created.

.github/workflows/workflow.yaml

@@ -132,6 +132,7 @@ jobs:
     strategy:
       matrix:
         HELM_VERSION: ["2.17.0", "3.4.2"]
+        GATEKEEPER_NAMESPACE: ["gatekeeper-system", "custom-namespace"]
     steps:
       - name: Check out code into the Go module directory
         uses: actions/checkout@v2
@@ -145,13 +146,13 @@ jobs:
       - name: Run e2e
         run: |
           make e2e-build-load-image IMG=gatekeeper-e2e-helm:latest
-          make e2e-helm-deploy HELM_REPO=gatekeeper-e2e-helm HELM_RELEASE=latest HELM_VERSION=${{ matrix.HELM_VERSION }}
-          make test-e2e
+          make e2e-helm-deploy HELM_REPO=gatekeeper-e2e-helm HELM_RELEASE=latest HELM_VERSION=${{ matrix.HELM_VERSION }} GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }}
+          make test-e2e GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }}
 
       - name: Save logs
         run: |
-          kubectl logs -n gatekeeper-system -l control-plane=controller-manager --tail=-1 > logs-helm-${{ matrix.HELM_VERSION }}-controller.json
-          kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-helm-${{ matrix.HELM_VERSION }}-audit.json
+          kubectl logs -n ${{ matrix.GATEKEEPER_NAMESPACE }} -l control-plane=controller-manager --tail=-1 > logs-helm-${{ matrix.HELM_VERSION }}-${{ matrix.GATEKEEPER_NAMESPACE }}-controller.json
+          kubectl logs -n ${{ matrix.GATEKEEPER_NAMESPACE }} -l control-plane=audit-controller --tail=-1 > logs-helm-${{ matrix.HELM_VERSION }}-${{ matrix.GATEKEEPER_NAMESPACE }}-audit.json
 
       - name: Upload artifacts
         uses: actions/upload-artifact@v2

Makefile

@@ -15,6 +15,8 @@ KUSTOMIZE_VERSION ?= 3.8.8
 BATS_VERSION ?= 1.2.1
 KUBECTL_KUSTOMIZE_VERSION ?= 1.20.1-${KUSTOMIZE_VERSION}
 HELM_VERSION ?= 2.17.0
+HELM_ARGS ?= 
+GATEKEEPER_NAMESPACE ?= gatekeeper-system
 
 BUILD_COMMIT := $(shell ./build/get-build-commit.sh)
 BUILD_TIMESTAMP := $(shell ./build/get-build-timestamp.sh)
@@ -40,7 +42,7 @@ MANAGER_IMAGE_PATCH := "apiVersion: apps/v1\
 \n        - --port=8443\
 \n        - --logtostderr\
 \n        - --emit-admission-events\
-\n        - --exempt-namespace=gatekeeper-system\
+\n        - --exempt-namespace=${GATEKEEPER_NAMESPACE}\
 \n        - --operation=webhook\
 \n---\
 \napiVersion: apps/v1\
@@ -110,7 +112,7 @@ e2e-build-load-image: docker-buildx
 	kind load docker-image --name kind ${IMG}
 
 e2e-verify-release: patch-image deploy test-e2e
-	echo -e '\n\n======= manager logs =======\n\n' && kubectl logs -n gatekeeper-system -l control-plane=controller-manager
+	echo -e '\n\n======= manager logs =======\n\n' && kubectl logs -n ${GATEKEEPER_NAMESPACE} -l control-plane=controller-manager
 
 e2e-helm-install:
 	rm -rf .staging/helm
@@ -120,13 +122,20 @@ e2e-helm-install:
 	./.staging/helm/linux-amd64/helm version --client
 
 e2e-helm-deploy: e2e-helm-install
+ifneq ($(GATEKEEPER_NAMESPACE),gatekeeper-system)
+	kubectl create namespace $(GATEKEEPER_NAMESPACE) --dry-run=client -o yaml | kubectl apply -f -
+	kubectl label ns $(GATEKEEPER_NAMESPACE) admission.gatekeeper.sh/ignore=no-self-managing
+	kubectl label ns $(GATEKEEPER_NAMESPACE) gatekeeper.sh/system="yes"
+	$(eval HELM_ARGS := --namespace $(GATEKEEPER_NAMESPACE) --set createNamespace=false)
+endif
+
 	@if [ $$(echo ${HELM_VERSION} | head -c 1) = "2" ]; then\
 		kubectl create clusterrolebinding tiller-admin --clusterrole=cluster-admin --serviceaccount=kube-system:default;\
 		./.staging/helm/linux-amd64/helm init --wait --history-max=5;\
 		kubectl -n kube-system wait --for=condition=Ready pod -l name=tiller --timeout=300s;\
-		./.staging/helm/linux-amd64/helm install manifest_staging/charts/gatekeeper --name=gatekeeper --debug  --set image.repository=${HELM_REPO} --set image.release=${HELM_RELEASE} --set emitAdmissionEvents=true --set emitAuditEvents=true;\
+		./.staging/helm/linux-amd64/helm install manifest_staging/charts/gatekeeper --name=gatekeeper --debug ${HELM_ARGS} --set image.repository=${HELM_REPO} --set image.release=${HELM_RELEASE} --set emitAdmissionEvents=true --set emitAuditEvents=true;\
 	else\
-		./.staging/helm/linux-amd64/helm install manifest_staging/charts/gatekeeper --name-template=gatekeeper --debug --set image.repository=${HELM_REPO} --set image.release=${HELM_RELEASE} --set emitAdmissionEvents=true --set emitAuditEvents=true;\
+		./.staging/helm/linux-amd64/helm install manifest_staging/charts/gatekeeper --name-template=gatekeeper ${HELM_ARGS} --debug --set image.repository=${HELM_REPO} --set image.release=${HELM_RELEASE} --set emitAdmissionEvents=true --set emitAuditEvents=true;\
 	fi;
 
 e2e-helm-upgrade-init: e2e-helm-install

cmd/build/helmify/kustomization.yaml

@@ -1,3 +1,4 @@
+namespace: '{{ include "gatekeeper.namespace" . }}'
 commonLabels:
   app: '{{ template "gatekeeper.name" . }}'
   chart: '{{ template "gatekeeper.name" . }}'

cmd/build/helmify/kustomize-for-helm.yaml

@@ -64,7 +64,7 @@ spec:
             - --log-denies={{ .Values.logDenies }}
             - --emit-admission-events={{ .Values.emitAdmissionEvents }}
             - --log-level={{ .Values.logLevel }}
-            - --exempt-namespace=gatekeeper-system
+            - --exempt-namespace={{ include "gatekeeper.namespace" . }}
             - --operation=webhook
           imagePullPolicy: "{{ .Values.image.pullPolicy }}"
           image: "{{ .Values.image.repository }}:{{ .Values.image.release }}"

cmd/build/helmify/main.go

@@ -40,6 +40,13 @@ func extractName(s string) (string, error) {
 	return strings.Trim(matches[1], `"'`), nil
 }
 
+//extractNamespaceName returns the default "gatekeeper-system" namespace.
+//Because the namespace is '{{ include "gatekeeper.namespace" . }}' it fails to be found in extractName.
+//There should only ever be 1 Namespace so this should be safe
+func extractNamespaceName(s string) (string, error) {
+	return "gatekeeper-system", nil
+}
+
 func extractCRDKind(obj string) (string, error) {
 	crd := &apiextensionsv1beta1.CustomResourceDefinition{}
 	if err := yaml.Unmarshal([]byte(obj), crd); err != nil {
@@ -81,7 +88,10 @@ func (ks *kindSet) Write() error {
 					return err
 				}
 			}
+		} else if kind == "Namespace" {
+			nameExtractor = extractNamespaceName
 		}
+
 		for _, obj := range objs {
 			name, err := nameExtractor(obj)
 			if err != nil {

cmd/build/helmify/static/templates/_helpers.tpl

@@ -1,3 +1,15 @@
+{{/*
+If createNamespace is set to true, sets the namespace to "gatekeeper-system"
+If createNamespace is set to false, sets the namespace to the {{ .Release.Namespace }}
+*/}}
+{{- define "gatekeeper.namespace" -}}
+{{- if .Values.createNamespace }}
+{{- printf "gatekeeper-system" }}
+{{- else }}
+{{- .Release.Namespace }}
+{{- end }}
+{{- end -}}
+
 {{/*
 Expand the name of the chart.
 */}}

manifest_staging/charts/gatekeeper/templates/_helpers.tpl

@@ -1,3 +1,15 @@
+{{/*
+If createNamespace is set to true, sets the namespace to "gatekeeper-system"
+If createNamespace is set to false, sets the namespace to the {{ .Release.Namespace }}
+*/}}
+{{- define "gatekeeper.namespace" -}}
+{{- if .Values.createNamespace }}
+{{- printf "gatekeeper-system" }}
+{{- else }}
+{{- .Release.Namespace }}
+{{- end }}
+{{- end -}}
+
 {{/*
 Expand the name of the chart.
 */}}

manifest_staging/charts/gatekeeper/templates/gatekeeper-admin-serviceaccount.yaml

@@ -8,4 +8,4 @@ metadata:
     heritage: '{{ .Release.Service }}'
     release: '{{ .Release.Name }}'
   name: gatekeeper-admin
-  namespace: gatekeeper-system
+  namespace: '{{ include "gatekeeper.namespace" . }}'

manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml

@@ -10,7 +10,7 @@ metadata:
     heritage: '{{ .Release.Service }}'
     release: '{{ .Release.Name }}'
   name: gatekeeper-audit
-  namespace: gatekeeper-system
+  namespace: '{{ include "gatekeeper.namespace" . }}'
 spec:
   replicas: 1
   selector:

manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml

@@ -10,7 +10,7 @@ metadata:
     heritage: '{{ .Release.Service }}'
     release: '{{ .Release.Name }}'
   name: gatekeeper-controller-manager
-  namespace: gatekeeper-system
+  namespace: '{{ include "gatekeeper.namespace" . }}'
 spec:
   replicas: {{ .Values.replicas }}
   selector:
@@ -46,7 +46,7 @@ spec:
         - --log-denies={{ .Values.logDenies }}
         - --emit-admission-events={{ .Values.emitAdmissionEvents }}
         - --log-level={{ .Values.logLevel }}
-        - --exempt-namespace=gatekeeper-system
+        - --exempt-namespace={{ include "gatekeeper.namespace" . }}
         - --operation=webhook
         command:
         - /manager

manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml

@@ -8,7 +8,7 @@ metadata:
     heritage: '{{ .Release.Service }}'
     release: '{{ .Release.Name }}'
   name: gatekeeper-controller-manager
-  namespace: gatekeeper-system
+  namespace: '{{ include "gatekeeper.namespace" . }}'
 spec:
   minAvailable: {{ .Values.pdb.controllerManager.minAvailable }}
   selector:

manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-role-role.yaml

@@ -9,7 +9,7 @@ metadata:
     heritage: '{{ .Release.Service }}'
     release: '{{ .Release.Name }}'
   name: gatekeeper-manager-role
-  namespace: gatekeeper-system
+  namespace: '{{ include "gatekeeper.namespace" . }}'
 rules:
 - apiGroups:
   - ""

manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml

@@ -15,4 +15,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: gatekeeper-admin
-  namespace: gatekeeper-system
+  namespace: '{{ include "gatekeeper.namespace" . }}'

manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-rolebinding.yaml

@@ -8,12 +8,12 @@ metadata:
     heritage: '{{ .Release.Service }}'
     release: '{{ .Release.Name }}'
   name: gatekeeper-manager-rolebinding
-  namespace: gatekeeper-system
+  namespace: '{{ include "gatekeeper.namespace" . }}'
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: gatekeeper-manager-role
 subjects:
 - kind: ServiceAccount
   name: gatekeeper-admin
-  namespace: gatekeeper-system
+  namespace: '{{ include "gatekeeper.namespace" . }}'

manifest_staging/charts/gatekeeper/templates/gatekeeper-system-namespace.yaml

@@ -10,5 +10,5 @@ metadata:
     gatekeeper.sh/system: "yes"
     heritage: '{{ .Release.Service }}'
     release: '{{ .Release.Name }}'
-  name: gatekeeper-system
+  name: '{{ include "gatekeeper.namespace" . }}'
 {{- end }}

manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml

@@ -14,7 +14,7 @@ webhooks:
     caBundle: Cg==
     service:
       name: gatekeeper-webhook-service
-      namespace: gatekeeper-system
+      namespace: '{{ include "gatekeeper.namespace" . }}'
       path: /v1/admit
   failurePolicy: Ignore
   name: validation.gatekeeper.sh
@@ -41,7 +41,7 @@ webhooks:
     caBundle: Cg==
     service:
       name: gatekeeper-webhook-service
-      namespace: gatekeeper-system
+      namespace: '{{ include "gatekeeper.namespace" . }}'
       path: /v1/admitlabel
   failurePolicy: Fail
   name: check-ignore-label.gatekeeper.sh

manifest_staging/charts/gatekeeper/templates/gatekeeper-webhook-server-cert-secret.yaml

@@ -9,4 +9,4 @@ metadata:
     heritage: '{{ .Release.Service }}'
     release: '{{ .Release.Name }}'
   name: gatekeeper-webhook-server-cert
-  namespace: gatekeeper-system
+  namespace: '{{ include "gatekeeper.namespace" . }}'

manifest_staging/charts/gatekeeper/templates/gatekeeper-webhook-service-service.yaml

@@ -8,7 +8,7 @@ metadata:
     heritage: '{{ .Release.Service }}'
     release: '{{ .Release.Name }}'
   name: gatekeeper-webhook-service
-  namespace: gatekeeper-system
+  namespace: '{{ include "gatekeeper.namespace" . }}'
 spec:
   ports:
   - port: 443

test/bats/helpers.bash

@@ -67,16 +67,16 @@ wait_for_process() {
 
 get_ca_cert() {
   destination="$1"
-  if [ $(kubectl get secret -n gatekeeper-system gatekeeper-webhook-server-cert -o jsonpath='{.data.ca\.crt}' | wc -w) -eq 0 ]; then
+  if [ $(kubectl get secret -n ${GATEKEEPER_NAMESPACE} gatekeeper-webhook-server-cert -o jsonpath='{.data.ca\.crt}' | wc -w) -eq 0 ]; then
     return 1
   fi
-  kubectl get secret -n gatekeeper-system gatekeeper-webhook-server-cert -o jsonpath='{.data.ca\.crt}' | base64 -d >$destination
+  kubectl get secret -n ${GATEKEEPER_NAMESPACE} gatekeeper-webhook-server-cert -o jsonpath='{.data.ca\.crt}' | base64 -d >$destination
 }
 
 constraint_enforced() {
   local kind="$1"
   local name="$2"
-  local pod_list="$(kubectl -n gatekeeper-system get pod -l gatekeeper.sh/operation=webhook -o json)"
+  local pod_list="$(kubectl -n ${GATEKEEPER_NAMESPACE} get pod -l gatekeeper.sh/operation=webhook -o json)"
   if [[ $? -ne 0 ]]; then
     echo "error gathering pods"
     return 1

test/bats/test.bats

@@ -6,6 +6,7 @@ BATS_TESTS_DIR=test/bats/tests
 WAIT_TIME=120
 SLEEP_TIME=1
 CLEAN_CMD="echo cleaning..."
+GATEKEEPER_NAMESPACE=${GATEKEEPER_NAMESPACE:-gatekeeper-system}
 
 teardown() {
   bash -c "${CLEAN_CMD}"
@@ -14,15 +15,15 @@ teardown() {
 teardown_file() {
   kubectl delete ns gatekeeper-test-playground gatekeeper-excluded-namespace || true
   kubectl delete constrainttemplates k8scontainerlimits k8srequiredlabels k8suniquelabel || true
-  kubectl delete configs.config.gatekeeper.sh config -n gatekeeper-system || true
+  kubectl delete configs.config.gatekeeper.sh config -n ${GATEKEEPER_NAMESPACE} || true
 }
 
 @test "gatekeeper-controller-manager is running" {
-  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl -n gatekeeper-system wait --for=condition=Ready --timeout=60s pod -l control-plane=controller-manager"
+  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl -n ${GATEKEEPER_NAMESPACE} wait --for=condition=Ready --timeout=60s pod -l control-plane=controller-manager"
 }
 
 @test "gatekeeper-audit is running" {
-  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl -n gatekeeper-system wait --for=condition=Ready --timeout=60s pod -l control-plane=audit-controller"
+  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl -n ${GATEKEEPER_NAMESPACE} wait --for=condition=Ready --timeout=60s pod -l control-plane=audit-controller"
 }
 
 @test "namespace label webhook is serving" {
@@ -34,7 +35,7 @@ teardown_file() {
   kubectl wait --for=condition=Ready --timeout=60s pod temp
   kubectl cp ${cert} temp:/cacert
 
-  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl exec -it temp -- curl -f --cacert /cacert --connect-timeout 1 --max-time 2  https://gatekeeper-webhook-service.gatekeeper-system.svc:443/v1/admitlabel"
+  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl exec -it temp -- curl -f --cacert /cacert --connect-timeout 1 --max-time 2  https://gatekeeper-webhook-service.${GATEKEEPER_NAMESPACE}.svc:443/v1/admitlabel"
   kubectl delete pod temp
 }
 
@@ -75,7 +76,7 @@ teardown_file() {
 }
 
 @test "applying sync config" {
-  kubectl apply -f ${BATS_TESTS_DIR}/sync.yaml
+  kubectl apply -n ${GATEKEEPER_NAMESPACE} -f ${BATS_TESTS_DIR}/sync.yaml
 }
 
 # creating namespaces and audit constraints early so they will have time to reconcile
@@ -95,8 +96,8 @@ teardown_file() {
   assert_failure
 }
 
-@test "gatekeeper-system ignore label can be patched" {
-  kubectl patch ns gatekeeper-system --type=json -p='[{"op": "replace", "path": "/metadata/labels/admission.gatekeeper.sh~1ignore", "value": "ignore-label-test-passed"}]'
+@test "gatekeeper ns ignore label can be patched" {
+  kubectl patch ns ${GATEKEEPER_NAMESPACE} --type=json -p='[{"op": "replace", "path": "/metadata/labels/admission.gatekeeper.sh~1ignore", "value": "ignore-label-test-passed"}]'
 }
 
 @test "required labels dryrun test" {
@@ -140,8 +141,8 @@ teardown_file() {
   kubectl wait --for=condition=Ready --timeout=60s pod temp
 
   num_namespaces=$(kubectl get ns -o json | jq '.items | length')
-  local pod_ip="$(kubectl -n gatekeeper-system get pod -l gatekeeper.sh/operation=webhook -ojson | jq --raw-output '[.items[].status.podIP][0]' | sed 's#\.#-#g')"
-  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl exec -it temp -- curl http://${pod_ip}.gatekeeper-system.pod:8888/metrics | grep 'gatekeeper_sync{kind=\"Namespace\",status=\"active\"} ${num_namespaces}'"
+  local pod_ip="$(kubectl -n ${GATEKEEPER_NAMESPACE} get pod -l gatekeeper.sh/operation=webhook -ojson | jq --raw-output '[.items[].status.podIP][0]' | sed 's#\.#-#g')"
+  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl exec -it temp -- curl http://${pod_ip}.${GATEKEEPER_NAMESPACE}.pod:8888/metrics | grep 'gatekeeper_sync{kind=\"Namespace\",status=\"active\"} ${num_namespaces}'"
   kubectl delete pod temp
 }
 
@@ -185,14 +186,14 @@ __required_labels_audit_test() {
 
 @test "emit events test" {
   # list events for easy debugging
-  kubectl get events -n gatekeeper-system
-  events=$(kubectl get events -n gatekeeper-system --field-selector reason=FailedAdmission -o json | jq -r '.items[] | select(.metadata.annotations.constraint_kind=="K8sRequiredLabels" )' | jq -s '. | length')
+  kubectl get events -n ${GATEKEEPER_NAMESPACE}
+  events=$(kubectl get events -n ${GATEKEEPER_NAMESPACE} --field-selector reason=FailedAdmission -o json | jq -r '.items[] | select(.metadata.annotations.constraint_kind=="K8sRequiredLabels" )' | jq -s '. | length')
   [[ "$events" -ge 1 ]]
 
-  events=$(kubectl get events -n gatekeeper-system --field-selector reason=DryrunViolation -o json | jq -r '.items[] | select(.metadata.annotations.constraint_kind=="K8sRequiredLabels" )' | jq -s '. | length')
+  events=$(kubectl get events -n ${GATEKEEPER_NAMESPACE} --field-selector reason=DryrunViolation -o json | jq -r '.items[] | select(.metadata.annotations.constraint_kind=="K8sRequiredLabels" )' | jq -s '. | length')
   [[ "$events" -ge 1 ]]
 
-  events=$(kubectl get events -n gatekeeper-system --field-selector reason=AuditViolation -o json | jq -r '.items[] | select(.metadata.annotations.constraint_kind=="K8sRequiredLabels" )' | jq -s '. | length')
+  events=$(kubectl get events -n ${GATEKEEPER_NAMESPACE} --field-selector reason=AuditViolation -o json | jq -r '.items[] | select(.metadata.annotations.constraint_kind=="K8sRequiredLabels" )' | jq -s '. | length')
   [[ "$events" -ge 1 ]]
 }
 
@@ -204,6 +205,6 @@ __required_labels_audit_test() {
   assert_match 'denied the request' "${output}"
   assert_failure
 
-  kubectl apply -f ${BATS_TESTS_DIR}/sync_with_exclusion.yaml
+  kubectl apply -n ${GATEKEEPER_NAMESPACE} -f ${BATS_TESTS_DIR}/sync_with_exclusion.yaml
   wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl create configmap should-succeed -n gatekeeper-excluded-namespace"
 }

test/bats/tests/sync.yaml

@@ -2,7 +2,6 @@ apiVersion: config.gatekeeper.sh/v1alpha1
 kind: Config
 metadata:
   name: config
-  namespace: "gatekeeper-system"
 spec:
   sync:
     syncOnly:

test/bats/tests/sync_with_exclusion.yaml

@@ -2,7 +2,6 @@ apiVersion: config.gatekeeper.sh/v1alpha1
 kind: Config
 metadata:
   name: config
-  namespace: "gatekeeper-system"
 spec:
   match:
     - excludedNamespaces: ["gatekeeper-excluded-namespace"]