diff --git a/assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-103.0.1+up3.12.0.tgz b/assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-103.0.1+up3.12.0.tgz deleted file mode 100644 index 5ed680d112..0000000000 Binary files a/assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-103.0.1+up3.12.0.tgz and /dev/null differ diff --git a/assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-103.1.0+up3.13.0.tgz b/assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-103.1.0+up3.13.0.tgz new file mode 100644 index 0000000000..731b283d58 Binary files /dev/null and b/assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-103.1.0+up3.13.0.tgz differ diff --git a/assets/rancher-gatekeeper/rancher-gatekeeper-103.0.1+up3.12.0.tgz b/assets/rancher-gatekeeper/rancher-gatekeeper-103.0.1+up3.12.0.tgz deleted file mode 100644 index 6df178060a..0000000000 Binary files a/assets/rancher-gatekeeper/rancher-gatekeeper-103.0.1+up3.12.0.tgz and /dev/null differ diff --git a/assets/rancher-gatekeeper/rancher-gatekeeper-103.1.0+up3.13.0.tgz b/assets/rancher-gatekeeper/rancher-gatekeeper-103.1.0+up3.13.0.tgz new file mode 100644 index 0000000000..7393978880 Binary files /dev/null and b/assets/rancher-gatekeeper/rancher-gatekeeper-103.1.0+up3.13.0.tgz differ diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/expansiontemplate-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/expansiontemplate-customresourcedefinition.yaml deleted file mode 100644 index 042249cf10..0000000000 --- a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/expansiontemplate-customresourcedefinition.yaml +++ /dev/null @@ -1,73 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - labels: - gatekeeper.sh/system: "yes" - name: expansiontemplate.expansion.gatekeeper.sh -spec: - group: expansion.gatekeeper.sh - names: - kind: ExpansionTemplate - listKind: ExpansionTemplateList - plural: expansiontemplate - singular: expansiontemplate - preserveUnknownFields: false - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ExpansionTemplate is the Schema for the ExpansionTemplate API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ExpansionTemplateSpec defines the desired state of ExpansionTemplate. - properties: - applyTo: - description: ApplyTo lists the specific groups, versions and kinds of generator resources which will be expanded. - items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. - properties: - groups: - items: - type: string - type: array - kinds: - items: - type: string - type: array - versions: - items: - type: string - type: array - type: object - type: array - enforcementAction: - description: EnforcementAction specifies the enforcement action to be used for resources matching the ExpansionTemplate. Specifying an empty value will use the enforcement action specified by the Constraint in violation. - type: string - generatedGVK: - description: GeneratedGVK specifies the GVK of the resources which the generator resource creates. - properties: - group: - type: string - kind: - type: string - version: - type: string - type: object - templateSource: - description: TemplateSource specifies the source field on the generator resource to use as the base for expanded resource. For Pod-creating generators, this is usually spec.template - type: string - type: object - type: object - served: true - storage: true diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/Chart.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/Chart.yaml similarity index 92% rename from charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/Chart.yaml rename to charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/Chart.yaml index 531cd37e2d..2bca8f5834 100644 --- a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/Chart.yaml +++ b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/Chart.yaml @@ -7,4 +7,4 @@ apiVersion: v1 description: Installs the CRDs for rancher-gatekeeper. name: rancher-gatekeeper-crd type: application -version: 103.0.1+up3.12.0 +version: 103.1.0+up3.13.0 diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/README.md b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/README.md similarity index 100% rename from charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/README.md rename to charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/README.md diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assign-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/assign-customresourcedefinition.yaml similarity index 98% rename from charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assign-customresourcedefinition.yaml rename to charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/assign-customresourcedefinition.yaml index ce98648baf..0221a19481 100644 --- a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assign-customresourcedefinition.yaml +++ b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/assign-customresourcedefinition.yaml @@ -65,7 +65,7 @@ spec: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: @@ -115,7 +115,7 @@ spec: type: object name: description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. @@ -151,7 +151,7 @@ spec: description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: @@ -310,7 +310,7 @@ spec: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: @@ -360,7 +360,7 @@ spec: type: object name: description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. @@ -396,7 +396,7 @@ spec: description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: @@ -555,7 +555,7 @@ spec: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: @@ -605,7 +605,7 @@ spec: type: object name: description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. @@ -641,7 +641,7 @@ spec: description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignimage-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/assignimage-customresourcedefinition.yaml similarity index 98% rename from charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignimage-customresourcedefinition.yaml rename to charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/assignimage-customresourcedefinition.yaml index bab801672a..197f2f1793 100644 --- a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignimage-customresourcedefinition.yaml +++ b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/assignimage-customresourcedefinition.yaml @@ -65,7 +65,7 @@ spec: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: @@ -115,7 +115,7 @@ spec: type: object name: description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. @@ -151,7 +151,7 @@ spec: description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignmetadata-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/assignmetadata-customresourcedefinition.yaml similarity index 98% rename from charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignmetadata-customresourcedefinition.yaml rename to charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/assignmetadata-customresourcedefinition.yaml index 468b01fccd..65c17ed3ae 100644 --- a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignmetadata-customresourcedefinition.yaml +++ b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/assignmetadata-customresourcedefinition.yaml @@ -45,7 +45,7 @@ spec: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: @@ -95,7 +95,7 @@ spec: type: object name: description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. @@ -131,7 +131,7 @@ spec: description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: @@ -256,7 +256,7 @@ spec: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: @@ -306,7 +306,7 @@ spec: type: object name: description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. @@ -342,7 +342,7 @@ spec: description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: @@ -467,7 +467,7 @@ spec: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: @@ -517,7 +517,7 @@ spec: type: object name: description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. @@ -553,7 +553,7 @@ spec: description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/config-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/config-customresourcedefinition.yaml similarity index 98% rename from charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/config-customresourcedefinition.yaml rename to charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/config-customresourcedefinition.yaml index 57826ac09a..269ca95f9a 100644 --- a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/config-customresourcedefinition.yaml +++ b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/config-customresourcedefinition.yaml @@ -39,7 +39,7 @@ spec: excludedNamespaces: items: description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array processes: diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constraintpodstatus-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/constraintpodstatus-customresourcedefinition.yaml similarity index 100% rename from charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constraintpodstatus-customresourcedefinition.yaml rename to charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/constraintpodstatus-customresourcedefinition.yaml diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplate-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/constrainttemplate-customresourcedefinition.yaml similarity index 100% rename from charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplate-customresourcedefinition.yaml rename to charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/constrainttemplate-customresourcedefinition.yaml diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplatepodstatus-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/constrainttemplatepodstatus-customresourcedefinition.yaml similarity index 100% rename from charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplatepodstatus-customresourcedefinition.yaml rename to charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/constrainttemplatepodstatus-customresourcedefinition.yaml diff --git a/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/expansiontemplate-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/expansiontemplate-customresourcedefinition.yaml new file mode 100644 index 0000000000..9d248f2ccd --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/expansiontemplate-customresourcedefinition.yaml @@ -0,0 +1,200 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: expansiontemplate.expansion.gatekeeper.sh +spec: + group: expansion.gatekeeper.sh + names: + kind: ExpansionTemplate + listKind: ExpansionTemplateList + plural: expansiontemplate + singular: expansiontemplate + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ExpansionTemplate is the Schema for the ExpansionTemplate API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ExpansionTemplateSpec defines the desired state of ExpansionTemplate. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds of generator resources which will be expanded. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + enforcementAction: + description: EnforcementAction specifies the enforcement action to be used for resources matching the ExpansionTemplate. Specifying an empty value will use the enforcement action specified by the Constraint in violation. + type: string + generatedGVK: + description: GeneratedGVK specifies the GVK of the resources which the generator resource creates. + properties: + group: + type: string + kind: + type: string + version: + type: string + type: object + templateSource: + description: TemplateSource specifies the source field on the generator resource to use as the base for expanded resource. For Pod-creating generators, this is usually spec.template + type: string + type: object + status: + description: ExpansionTemplateStatus defines the observed state of ExpansionTemplate. + properties: + byPod: + items: + description: ExpansionTemplatePodStatusStatus defines the observed state of ExpansionTemplatePodStatus. + properties: + errors: + items: + properties: + message: + type: string + type: + type: string + required: + - message + type: object + type: array + id: + description: 'Important: Run "make" to regenerate code after modifying this file' + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + templateUID: + description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: ExpansionTemplate is the Schema for the ExpansionTemplate API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ExpansionTemplateSpec defines the desired state of ExpansionTemplate. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds of generator resources which will be expanded. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + enforcementAction: + description: EnforcementAction specifies the enforcement action to be used for resources matching the ExpansionTemplate. Specifying an empty value will use the enforcement action specified by the Constraint in violation. + type: string + generatedGVK: + description: GeneratedGVK specifies the GVK of the resources which the generator resource creates. + properties: + group: + type: string + kind: + type: string + version: + type: string + type: object + templateSource: + description: TemplateSource specifies the source field on the generator resource to use as the base for expanded resource. For Pod-creating generators, this is usually spec.template + type: string + type: object + status: + description: ExpansionTemplateStatus defines the observed state of ExpansionTemplate. + properties: + byPod: + items: + description: ExpansionTemplatePodStatusStatus defines the observed state of ExpansionTemplatePodStatus. + properties: + errors: + items: + properties: + message: + type: string + type: + type: string + required: + - message + type: object + type: array + id: + description: 'Important: Run "make" to regenerate code after modifying this file' + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + templateUID: + description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. + type: string + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} diff --git a/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/expansiontemplatepodstatus-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/expansiontemplatepodstatus-customresourcedefinition.yaml new file mode 100644 index 0000000000..8f49b4c5f7 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/expansiontemplatepodstatus-customresourcedefinition.yaml @@ -0,0 +1,62 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: expansiontemplatepodstatuses.status.gatekeeper.sh +spec: + group: status.gatekeeper.sh + names: + kind: ExpansionTemplatePodStatus + listKind: ExpansionTemplatePodStatusList + plural: expansiontemplatepodstatuses + singular: expansiontemplatepodstatus + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: ExpansionTemplatePodStatus is the Schema for the expansiontemplatepodstatuses API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + description: ExpansionTemplatePodStatusStatus defines the observed state of ExpansionTemplatePodStatus. + properties: + errors: + items: + properties: + message: + type: string + type: + type: string + required: + - message + type: object + type: array + id: + description: 'Important: Run "make" to regenerate code after modifying this file' + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + templateUID: + description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/modifyset-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/modifyset-customresourcedefinition.yaml similarity index 98% rename from charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/modifyset-customresourcedefinition.yaml rename to charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/modifyset-customresourcedefinition.yaml index 1bb1933366..46574fd369 100644 --- a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/modifyset-customresourcedefinition.yaml +++ b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/modifyset-customresourcedefinition.yaml @@ -65,7 +65,7 @@ spec: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: @@ -115,7 +115,7 @@ spec: type: object name: description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. @@ -151,7 +151,7 @@ spec: description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: @@ -283,7 +283,7 @@ spec: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: @@ -333,7 +333,7 @@ spec: type: object name: description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. @@ -369,7 +369,7 @@ spec: description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: @@ -501,7 +501,7 @@ spec: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: @@ -551,7 +551,7 @@ spec: type: object name: description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. @@ -587,7 +587,7 @@ spec: description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/mutatorpodstatus-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/mutatorpodstatus-customresourcedefinition.yaml similarity index 100% rename from charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/mutatorpodstatus-customresourcedefinition.yaml rename to charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/mutatorpodstatus-customresourcedefinition.yaml diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/provider-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/provider-customresourcedefinition.yaml similarity index 100% rename from charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/provider-customresourcedefinition.yaml rename to charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/provider-customresourcedefinition.yaml diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/_helpers.tpl b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/templates/_helpers.tpl similarity index 100% rename from charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/_helpers.tpl rename to charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/templates/_helpers.tpl diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/jobs.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/templates/jobs.yaml similarity index 100% rename from charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/jobs.yaml rename to charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/templates/jobs.yaml diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/manifest.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/templates/manifest.yaml similarity index 100% rename from charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/manifest.yaml rename to charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/templates/manifest.yaml diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/rbac.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/templates/rbac.yaml similarity index 100% rename from charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/rbac.yaml rename to charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/templates/rbac.yaml diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/validate-psp-install.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/templates/validate-psp-install.yaml similarity index 100% rename from charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/validate-psp-install.yaml rename to charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/templates/validate-psp-install.yaml diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/values.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/values.yaml similarity index 100% rename from charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/values.yaml rename to charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/values.yaml diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/README.md b/charts/rancher-gatekeeper/103.0.1+up3.12.0/README.md deleted file mode 100644 index 155a813376..0000000000 --- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/README.md +++ /dev/null @@ -1,210 +0,0 @@ -# Gatekeeper Helm Chart - -## Get Repo Info - -```console -helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Install Chart - -```console -# Helm install with gatekeeper-system namespace already created -$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper - -# Helm install and create namespace -$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace - -``` - -_See [parameters](#parameters) below._ - -_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ - -## Upgrade Chart - -**Upgrading from < v3.4.0** -Chart 3.4.0 deprecates support for Helm 2 and also removes the creation of the `gatekeeper-system` Namespace from within the chart. This follows Helm 3 Best Practices. - -Option 1: -A simple way to upgrade is to uninstall first and re-install with 3.4.0 or greater. - -```console -$ helm uninstall gatekeeper -$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace - -``` - -Option 2: -Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the original release, while keeping all of the resources. It then updates the annotations of the resources so that the new chart can import and manage them. - -```console -$ helm_migrate.sh -$ helm install -n gatekeeper-system gatekeeper gatekeeper/gatekeeper -``` - -**Upgrading from >= v3.4.0** -```console -$ helm upgrade -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper -``` - -_See [helm 2 to 3](https://helm.sh/docs/topics/v2_v3_migration/) for Helm 2 migration documentation._ - - -## Exempting Namespace - -The Helm chart automatically sets the Gatekeeper flag `--exempt-namespace={{ .Release.Namespace }}` in order to exempt the namespace where the chart is installed, and adds the `admission.gatekeeper.sh/ignore` label to the namespace during a post-install hook. - -_See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces) for more information._ - -## Parameters - -| Parameter | Description | Default | -| :-------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ | -| postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` | -| postInstall.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post install hooks | `[]` | -| postInstall.labelNamespace.extraAnnotations | Extra annotations added to the post install Job | `{}` | -| postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | -| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.12.0` | -| postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | -| postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | -| postInstall.labelNamespace.extraRules | Extra rules for the gatekeeper-update-namespace-label Role | `[]` | -| postInstall.probeWebhook.enabled | Probe webhook API post install. When enabled along with `postInstall.labelNamespace.enabled`, this probe will run as part of `postInstall.labelNamespace` Job as an initContainer | `true` | -| postInstall.probeWebhook.image.repository | Image with curl to probe the webhook API | `curlimages/curl` | -| postInstall.probeWebhook.image.tag | Image tag | `7.83.1` | -| postInstall.probeWebhook.image.pullPolicy | Image pullPolicy | `IfNotPresent` | -| postInstall.probeWebhook.image.pullSecrets | Image pullSecrets | `[]` | -| postInstall.probeWebhook.waitTimeout | Total time to wait for the webhook API to become available | `60` | -| postInstall.probeWebhook.httpTimeout | HTTP client timeout | `2` | -| postInstall.probeWebhook.insecureHTTPS | Ignore server SSL certificate | `false` | -| postInstall.affinity | The affinity to use for pod scheduling in postInstall hook jobs | `{}` | -| postInstall.tolerations | The tolerations to use for pod scheduling in postInstall hook jobs | `[]` | -| postInstall.nodeSelector | The node selector to use for pod scheduling in postInstall hook jobs | `kubernetes.io/os: linux` | -| postInstall.resources | The resource request/limits for the container image in postInstall hook jobs | `{}` | -| postInstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | -| postUpgrade.labelNamespace.enabled | Add labels to the namespace during post upgrade hooks | `false` | -| postUpgrade.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post upgrade hooks | `[]` | -| postUpgrade.labelNamespace.extraAnnotations | Extra annotations added to the post upgrade Job | `{}` | -| postUpgrade.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | -| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.12.0` | -| postUpgrade.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | -| postUpgrade.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` -| postUpgrade.affinity | The affinity to use for pod scheduling in postUpgrade hook jobs | `{}` | -| postUpgrade.tolerations | The tolerations to use for pod scheduling in postUpgrade hook jobs | `[]` | -| postUpgrade.nodeSelector | The node selector to use for pod scheduling in postUpgrade hook jobs | `kubernetes.io/os: linux` | -| postUpgrade.resources | The resource request/limits for the container image in postUpgrade hook jobs | `{}` | -| postUpgrade.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | -| preInstall.crdRepository.image.repository | Image with kubectl to update the CRDs. If not set, the `image.crdRepository` is used instead. | `null` | -| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.12.0` | -| preUninstall.deleteWebhooks.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` | -| preUninstall.deleteWebhooks.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` | -| preUninstall.deleteWebhooks.image.tag | Image tag | Current release version: `v3.12.0` | -| preUninstall.deleteWebhooks.image.pullPolicy | Image pullPolicy | `IfNotPresent` | -| preUninstall.deleteWebhooks.image.pullSecrets | Image pullSecrets | `[]` | -| preUninstall.deleteWebhooks.extraRules | Extra rules for the gatekeeper-delete-webhook-configs Role | `[]` | -| preUninstall.affinity | The affinity to use for pod scheduling in preUninstall hook jobs | `{}` | -| preUninstall.tolerations | The tolerations to use for pod scheduling in preUninstall hook jobs | `[]` | -| preUninstall.nodeSelector | The node selector to use for pod scheduling in preUninstall hook jobs | `kubernetes.io/os: linux` | -| preUninstall.resources | The resource request/limits for the container image in preUninstall hook jobs | `{}` | -| preUninstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | -| psp.enabled | Enabled PodSecurityPolicy | `true` | -| upgradeCRDs.enabled | Upgrade CRDs using pre-install/pre-upgrade hooks | `true` | -| upgradeCRDs.extraRules | Extra rules for the gatekeeper-admin-upgrade-crds ClusterRole | `[]` | -| crds.affinity | The affinity to use for pod scheduling in crds hook jobs | `{}` | -| crds.tolerations | The tolerations to use for pod scheduling in crds hook jobs | `[]` | -| crds.nodeSelector | The node selector to use for pod scheduling in crds hook jobs | `kubernetes.io/os: linux` | -| crds.resources | The resource request/limits for the container image in crds hook jobs | `{}` | -| crds.securityContext | Security context applied to the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 }` | -| auditInterval | The frequency with which audit is run | `300` | -| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` | -| auditFromCache | Take the roster of resources to audit from the audit cache | `false` | -| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `500` | -| auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. | `false` | -| disableValidatingWebhook | Disable the validating webhook | `false` | -| disableMutation | Disable mutation | `false` | -| validatingWebhookName | The name of the `ValidatingWebhookConfiguration` | `gatekeeper-validating-webhook-configuration` | -| validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` | -| validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` | -| validatingWebhookAnnotations | The annotations to add to the ValidatingWebhookConfiguration | `{}` | -| validatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's validation webhook unless measures are taken to control how exemption labels can be set. | `{}` | -| validatingWebhookCheckIgnoreFailurePolicy | The failurePolicy for the check-ignore-label validating webhook | `Fail` | -| validatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the validating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` | -| validatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. Mutually exclusive with `enableDeleteOperations`. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` | -| enableDeleteOperations | Enable validating webhook for delete operations. Does not work with `validatingWebhookCustomRules` | `false` | -| enableExternalData | Enable external data | `true` | -| enableGeneratorResourceExpansion | Enable generator resource expansion (alpha feature) | `false` | -| enableTLSHealthcheck | Enable probing webhook API with certificate stored in certDir | `false` | -| maxServingThreads | Limit the number of concurrent calls the validation backend made by the validation webhook. -1 limits this value to GOMAXPROCS. Configuring this value may lower max RAM usage and limit CPU throttling, Tuning it can optimize serving capacity. | `-1` | -| metricsBackends | Metrics exporters to use. Valid exporters are: `prometheus`, `stackdriver`, and `opencensus` | `["prometheus"]` | -| mutatingWebhookName | The name of the `MutatingWebhookConfiguration` | `gatekeeper-mutating-webhook-configuration` | -| mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook | `Ignore` | -| mutatingWebhookReinvocationPolicy | The reinvocationPolicy for the mutating webhook | `Never` | -| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` | -| mutatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the mutating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` | -| mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's mutation webhook unless measures are taken to control how exemption labels can be set. | `{}` | -| mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` | -| mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` | -| emitAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` | -| emitAuditEvents | Emit K8s events in configurable namespace for audit violations (alpha feature) | `false` | -| auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | -| admissionEventsInvolvedNamespace | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Admission events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | -| logDenies | Log detailed info on each deny | `false` | -| logLevel | Minimum log level | `INFO` | -| image.pullPolicy | The image pull policy | `IfNotPresent` | -| image.repository | Image repository | `openpolicyagent/gatekeeper` | -| image.release | The image release tag to use | Current release version: `v3.12.0` | -| image.pullSecrets | Specify an array of imagePullSecrets | `[]` | -| resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | -| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | -| controllerManager.affinity | The node affinity to use for controller manager pod scheduling | `{}` | -| controllerManager.topologySpreadConstraints | The topology spread constraints to use for controller manager pod scheduling | `[]` | -| controllerManager.tolerations | The tolerations to use for controller manager pod scheduling | `[]` | -| controllerManager.healthPort | Health port for controller manager | `9090` | -| controllerManager.port | Webhook-server port for controller manager | `8443` | -| controllerManager.metricsPort | Metrics port for controller manager | `8888` | -| controllerManager.readinessTimeout | Timeout in seconds for the controller manager's readiness probe | `1` | -| controllerManager.livenessTimeout | Timeout in seconds for the controller manager's liveness probe | `1` | -| controllerManager.logLevel | The minimum log level for the controller manager, takes precedence over `logLevel` when specified | `null` -| controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` | -| controllerManager.podSecurityContext | Security context on pod level for controller manager | {fsGroup: 999, suplementalGroups: [999]} | -| controllerManager.exemptNamespaces | The exact namespaces to exempt by the admission webhook | `[]` | -| controllerManager.exemptNamespacePrefixes | The namespace prefixes to exempt by the admission webhook | `[]` | -| controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` | -| controllerManager.dnsPolicy | Set the dnsPolicy for controllerManager pods | `ClusterFirst` | -| controllerManager.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | -| controllerManager.tlsMinVersion | Set the minimum supported TLS version for validating and mutating webhook servers | `1.3` | -| controllerManager.extraRules | Extra rules for the gatekeeper-manager-role Role | `[]` | -| controllerManager.networkPolicy.enabled | Should a network policy for the controller manager be created | `false` | -| controllerManager.networkPolicy.ingress | Additional ingress rules to be added to the controller manager network policy | `{}` | -| audit.affinity | The node affinity to use for audit pod scheduling | `{}` | -| audit.topologySpreadConstraints | The topology spread constraints to use for audit pod scheduling | `[]` | -| audit.tolerations | The tolerations to use for audit pod scheduling | `[]` | -| audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` | -| audit.podSecurityContext | Security context for audit on pod level | {fsGroup: 999, suplementalGroups: [999]} | -| audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` | -| audit.dnsPolicy | Set the dnsPolicy for audit pods | `ClusterFirst` | -| audit.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | -| audit.healthPort | Health port for audit | `9090` | -| audit.metricsPort | Metrics port for audit | `8888` | -| audit.readinessTimeout | Timeout in seconds for audit's readiness probe | `1` | -| audit.livenessTimeout | Timeout in seconds for the audit's liveness probe | `1` | -| audit.logLevel | The minimum log level for audit, takes precedence over `logLevel` when specified | `null` -| replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` | -| podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` | -| podLabels | The labels to add to the Gatekeeper pods | `{}` | -| podCountLimit | The maximum number of Gatekeeper pods to run | `100` | -| secretAnnotations | The annotations to add to the Gatekeeper secrets | `{}` | -| pdb.controllerManager.minAvailable | The number of controller manager pods that must still be available after an eviction | `1` | -| service.type | Service type | `ClusterIP` | -| service.loadBalancerIP | The IP address of LoadBalancer service | `` | -| service.healthzPort | Service port to gatekeeper Webhook health port | `9090` | -| rbac.create | Enable the creation of RBAC resources | `true` | -| externalCertInjection.enabled | Enable the injection of an external certificate. This disables automatic certificate generation and rotation | `false` | -| externalCertInjection.secretName | Name of secret for injected certificate | `gatekeeper-webhook-server-cert` | - -## Contributing Changes - -Please refer to [Contributing to Helm Chart](https://open-policy-agent.github.io/gatekeeper/website/docs/help#contributing-to-helm-chart) for modifying the Helm chart. diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/.helmignore b/charts/rancher-gatekeeper/103.1.0+up3.13.0/.helmignore similarity index 100% rename from charts/rancher-gatekeeper/103.0.1+up3.12.0/.helmignore rename to charts/rancher-gatekeeper/103.1.0+up3.13.0/.helmignore diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/CHANGELOG.md b/charts/rancher-gatekeeper/103.1.0+up3.13.0/CHANGELOG.md similarity index 100% rename from charts/rancher-gatekeeper/103.0.1+up3.12.0/CHANGELOG.md rename to charts/rancher-gatekeeper/103.1.0+up3.13.0/CHANGELOG.md diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/Chart.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/Chart.yaml similarity index 90% rename from charts/rancher-gatekeeper/103.0.1+up3.12.0/Chart.yaml rename to charts/rancher-gatekeeper/103.1.0+up3.13.0/Chart.yaml index 581fbe168e..1eac2f4529 100644 --- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/Chart.yaml +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/Chart.yaml @@ -2,7 +2,7 @@ annotations: catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match catalog.cattle.io/certified: rancher catalog.cattle.io/display-name: OPA Gatekeeper - catalog.cattle.io/kube-version: '>= 1.20.0-0 < 1.28.0-0' + catalog.cattle.io/kube-version: '>= 1.20.0-0' catalog.cattle.io/namespace: cattle-gatekeeper-system catalog.cattle.io/os: linux catalog.cattle.io/permits-os: linux,windows @@ -12,7 +12,7 @@ annotations: catalog.cattle.io/type: cluster-tool catalog.cattle.io/ui-component: gatekeeper apiVersion: v2 -appVersion: v3.12.0 +appVersion: v3.13.0 description: Modifies Open Policy Agent's upstream gatekeeper chart that provides policy-based control for cloud native environments home: https://github.com/open-policy-agent/gatekeeper @@ -23,4 +23,4 @@ keywords: name: rancher-gatekeeper sources: - https://github.com/open-policy-agent/gatekeeper.git -version: 103.0.1+up3.12.0 +version: 103.1.0+up3.13.0 diff --git a/charts/rancher-gatekeeper/103.1.0+up3.13.0/README.md b/charts/rancher-gatekeeper/103.1.0+up3.13.0/README.md new file mode 100644 index 0000000000..3ec0a2b756 --- /dev/null +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/README.md @@ -0,0 +1,226 @@ +# Gatekeeper Helm Chart + +## Get Repo Info + +```console +helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Install Chart + +```console +# Helm install with gatekeeper-system namespace already created +$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper + +# Helm install and create namespace +$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace + +``` + +_See [parameters](#parameters) below._ + +_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ + +## Upgrade Chart + +**Upgrading from < v3.4.0** +Chart 3.4.0 deprecates support for Helm 2 and also removes the creation of the `gatekeeper-system` Namespace from within +the chart. This follows Helm 3 Best Practices. + +Option 1: +A simple way to upgrade is to uninstall first and re-install with 3.4.0 or greater. + +```console +$ helm uninstall gatekeeper +$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace + +``` + +Option 2: +Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the +original release, while keeping all of the resources. It then updates the annotations of the resources so that the new +chart can import and manage them. + +```console +$ helm_migrate.sh +$ helm install -n gatekeeper-system gatekeeper gatekeeper/gatekeeper +``` + +**Upgrading from >= v3.4.0** + +```console +$ helm upgrade -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper +``` + +_See [helm 2 to 3](https://helm.sh/docs/topics/v2_v3_migration/) for Helm 2 migration documentation._ + +## Exempting Namespace + +The Helm chart automatically sets the Gatekeeper flag `--exempt-namespace={{ .Release.Namespace }}` in order to exempt +the namespace where the chart is installed, and adds the `admission.gatekeeper.sh/ignore` label to the namespace during +a post-install hook. + +_See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces) for more +information._ + +## Parameters + +| Parameter | Description | Default | +|:-----------------------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` | +| postInstall.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post install hooks | `[]` | +| postInstall.labelNamespace.extraAnnotations | Extra annotations added to the post install Job | `{}` | +| postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | +| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.13.0` | +| postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | +| postInstall.labelNamespace.extraRules | Extra rules for the gatekeeper-update-namespace-label Role | `[]` | +| postInstall.labelNamespace.priorityClassName | Priority class name for gatekeeper-update-namespace-label Job | `` | +| postInstall.probeWebhook.enabled | Probe webhook API post install. When enabled along with `postInstall.labelNamespace.enabled`, this probe will run as part of `postInstall.labelNamespace` Job as an initContainer | `true` | +| postInstall.probeWebhook.image.repository | Image with curl to probe the webhook API | `curlimages/curl` | +| postInstall.probeWebhook.image.tag | Image tag | `7.83.1` | +| postInstall.probeWebhook.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| postInstall.probeWebhook.image.pullSecrets | Image pullSecrets | `[]` | +| postInstall.probeWebhook.waitTimeout | Total time to wait for the webhook API to become available | `60` | +| postInstall.probeWebhook.httpTimeout | HTTP client timeout | `2` | +| postInstall.probeWebhook.insecureHTTPS | Ignore server SSL certificate | `false` | +| postInstall.probeWebhook.priorityClassName | Priority class name for gatekeeper-probe-webhook-post-install Job | `` | +| postInstall.affinity | The affinity to use for pod scheduling in postInstall hook jobs | `{}` | +| postInstall.tolerations | The tolerations to use for pod scheduling in postInstall hook jobs | `[]` | +| postInstall.nodeSelector | The node selector to use for pod scheduling in postInstall hook jobs | `kubernetes.io/os: linux` | +| postInstall.resources | The resource request/limits for the container image in postInstall hook jobs | `{}` | +| postInstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| postUpgrade.labelNamespace.enabled | Add labels to the namespace during post upgrade hooks | `false` | +| postUpgrade.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post upgrade hooks | `[]` | +| postUpgrade.labelNamespace.extraAnnotations | Extra annotations added to the post upgrade Job | `{}` | +| postUpgrade.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | +| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.13.0` | +| postUpgrade.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| postUpgrade.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | +| postUpgrade.labelNamespace.priorityClassName | Priority class name for gatekeeper-update-namespace-label-post-upgrade Job | `` | +| postUpgrade.affinity | The affinity to use for pod scheduling in postUpgrade hook jobs | `{}` | +| postUpgrade.tolerations | The tolerations to use for pod scheduling in postUpgrade hook jobs | `[]` | +| postUpgrade.nodeSelector | The node selector to use for pod scheduling in postUpgrade hook jobs | `kubernetes.io/os: linux` | +| postUpgrade.resources | The resource request/limits for the container image in postUpgrade hook jobs | `{}` | +| postUpgrade.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| preInstall.crdRepository.image.repository | Image with kubectl to update the CRDs. If not set, the `image.crdRepository` is used instead. | `null` | +| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.13.0` | +| preUninstall.deleteWebhookConfigurations.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` | +| preUninstall.deleteWebhookConfigurations.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` | +| preUninstall.deleteWebhookConfigurations.image.tag | Image tag | Current release version: `v3.13.0` | +| preUninstall.deleteWebhookConfigurations.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| preUninstall.deleteWebhookConfigurations.image.pullSecrets | Image pullSecrets | `[]` | +| preUninstall.deleteWebhookConfigurations.extraRules | Extra rules for the gatekeeper-delete-webhook-configs Role | `[]` | +| preUninstall.deleteWebhookConfigurations.priorityClassName | Priority class name for gatekeeper-delete-webhook-configs Job | `` | +| preUninstall.affinity | The affinity to use for pod scheduling in preUninstall hook jobs | `{}` | +| preUninstall.tolerations | The tolerations to use for pod scheduling in preUninstall hook jobs | `[]` | +| preUninstall.nodeSelector | The node selector to use for pod scheduling in preUninstall hook jobs | `kubernetes.io/os: linux` | +| preUninstall.resources | The resource request/limits for the container image in preUninstall hook jobs | `{}` | +| preUninstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| psp.enabled | Enabled PodSecurityPolicy | `true` | +| upgradeCRDs.enabled | Upgrade CRDs using pre-install/pre-upgrade hooks | `true` | +| upgradeCRDs.extraRules | Extra rules for the gatekeeper-admin-upgrade-crds ClusterRole | `[]` | +| upgradeCRDs.priorityClassName | Priority class name for gatekeeper-update-crds-hook Job | `` | +| crds.affinity | The affinity to use for pod scheduling in crds hook jobs | `{}` | +| crds.tolerations | The tolerations to use for pod scheduling in crds hook jobs | `[]` | +| crds.nodeSelector | The node selector to use for pod scheduling in crds hook jobs | `kubernetes.io/os: linux` | +| crds.resources | The resource request/limits for the container image in crds hook jobs | `{}` | +| crds.securityContext | Security context applied to the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 }` | +| auditInterval | The frequency with which audit is run | `300` | +| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` | +| auditFromCache | Take the roster of resources to audit from the audit cache | `false` | +| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `500` | +| auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. | `false` | +| disableValidatingWebhook | Disable the validating webhook | `false` | +| disableMutation | Disable mutation | `false` | +| validatingWebhookName | The name of the `ValidatingWebhookConfiguration` | `gatekeeper-validating-webhook-configuration` | +| validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` | +| validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` | +| validatingWebhookAnnotations | The annotations to add to the ValidatingWebhookConfiguration | `{}` | +| validatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's validation webhook unless measures are taken to control how exemption labels can be set. | `{}` | +| validatingWebhookCheckIgnoreFailurePolicy | The failurePolicy for the check-ignore-label validating webhook | `Fail` | +| validatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the validating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` | +| validatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. Mutually exclusive with `enableDeleteOperations`. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` | +| validatingWebhookURL | Custom URL for Kubernetes API server to use to reach the validating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` | +| enableDeleteOperations | Enable validating webhook for delete operations. Does not work with `validatingWebhookCustomRules` | `false` | +| enableExternalData | Enable external data | `true` | +| enableGeneratorResourceExpansion | Enable generator resource expansion (beta feature) | `true` | +| enableTLSHealthcheck | Enable probing webhook API with certificate stored in certDir | `false` | +| maxServingThreads | Limit the number of concurrent calls the validation backend made by the validation webhook. -1 limits this value to GOMAXPROCS. Configuring this value may lower max RAM usage and limit CPU throttling, Tuning it can optimize serving capacity. | `-1` | +| metricsBackends | Metrics exporters to use. Valid exporters are: `prometheus`, `stackdriver`, and `opencensus` | `["prometheus"]` | +| mutatingWebhookName | The name of the `MutatingWebhookConfiguration` | `gatekeeper-mutating-webhook-configuration` | +| mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook | `Ignore` | +| mutatingWebhookReinvocationPolicy | The reinvocationPolicy for the mutating webhook | `Never` | +| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` | +| mutatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the mutating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` | +| mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's mutation webhook unless measures are taken to control how exemption labels can be set. | `{}` | +| mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` | +| mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` | +| mutatingWebhookURL | Custom URL for Kubernetes API server to use to reach the mutating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` | +| emitAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` | +| emitAuditEvents | Emit K8s events in configurable namespace for audit violations (alpha feature) | `false` | +| auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | +| admissionEventsInvolvedNamespace | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Admission events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | +| logDenies | Log detailed info on each deny | `false` | +| logLevel | Minimum log level | `INFO` | +| image.pullPolicy | The image pull policy | `IfNotPresent` | +| image.repository | Image repository | `openpolicyagent/gatekeeper` | +| image.release | The image release tag to use | Current release version: `v3.13.0` | +| image.pullSecrets | Specify an array of imagePullSecrets | `[]` | +| resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | +| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | +| controllerManager.affinity | The node affinity to use for controller manager pod scheduling | `{}` | +| controllerManager.topologySpreadConstraints | The topology spread constraints to use for controller manager pod scheduling | `[]` | +| controllerManager.tolerations | The tolerations to use for controller manager pod scheduling | `[]` | +| controllerManager.healthPort | Health port for controller manager | `9090` | +| controllerManager.port | Webhook-server port for controller manager | `8443` | +| controllerManager.metricsPort | Metrics port for controller manager | `8888` | +| controllerManager.readinessTimeout | Timeout in seconds for the controller manager's readiness probe | `1` | +| controllerManager.livenessTimeout | Timeout in seconds for the controller manager's liveness probe | `1` | +| controllerManager.logLevel | The minimum log level for the controller manager, takes precedence over `logLevel` when specified | `null` | +| controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` | +| controllerManager.podSecurityContext | Security context on pod level for controller manager | {fsGroup: 999, suplementalGroups: [999]} | +| controllerManager.exemptNamespaces | The exact namespaces to exempt by the admission webhook | `[]` | +| controllerManager.exemptNamespacePrefixes | The namespace prefixes to exempt by the admission webhook | `[]` | +| controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` | +| controllerManager.dnsPolicy | Set the dnsPolicy for controllerManager pods | `ClusterFirst` | +| controllerManager.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| controllerManager.tlsMinVersion | Set the minimum supported TLS version for validating and mutating webhook servers | `1.3` | +| controllerManager.extraRules | Extra rules for the gatekeeper-manager-role Role | `[]` | +| controllerManager.networkPolicy.enabled | Should a network policy for the controller manager be created | `false` | +| controllerManager.networkPolicy.ingress | Additional ingress rules to be added to the controller manager network policy | `{}` | +| controllerManager.strategyType | The strategy type to use for Controller Manager deployment | `RollingUpdate` | +| audit.affinity | The node affinity to use for audit pod scheduling | `{}` | +| audit.topologySpreadConstraints | The topology spread constraints to use for audit pod scheduling | `[]` | +| audit.tolerations | The tolerations to use for audit pod scheduling | `[]` | +| audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` | +| audit.podSecurityContext | Security context for audit on pod level | {fsGroup: 999, suplementalGroups: [999]} | +| audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` | +| audit.dnsPolicy | Set the dnsPolicy for audit pods | `ClusterFirst` | +| audit.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| audit.healthPort | Health port for audit | `9090` | +| audit.metricsPort | Metrics port for audit | `8888` | +| audit.readinessTimeout | Timeout in seconds for audit's readiness probe | `1` | +| audit.livenessTimeout | Timeout in seconds for the audit's liveness probe | `1` | +| audit.logLevel | The minimum log level for audit, takes precedence over `logLevel` when specified | `null` | +| replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` | +| podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` | +| podLabels | The labels to add to the Gatekeeper pods | `{}` | +| podCountLimit | The maximum number of Gatekeeper pods to run | `100` | +| secretAnnotations | The annotations to add to the Gatekeeper secrets | `{}` | +| pdb.controllerManager.minAvailable | The number of controller manager pods that must still be available after an eviction | `1` | +| service.type | Service type | `ClusterIP` | +| service.loadBalancerIP | The IP address of LoadBalancer service | `` | +| service.healthzPort | Service port to gatekeeper Webhook health port | `9090` | +| rbac.create | Enable the creation of RBAC resources | `true` | +| externalCertInjection.enabled | Enable the injection of an external certificate. This disables automatic certificate generation and rotation | `false` | +| externalCertInjection.secretName | Name of secret for injected certificate | `gatekeeper-webhook-server-cert` | + +## Contributing Changes + +Please refer +to [Contributing to Helm Chart](https://open-policy-agent.github.io/gatekeeper/website/docs/help#contributing-to-helm-chart) +for modifying the Helm chart. diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/app-readme.md b/charts/rancher-gatekeeper/103.1.0+up3.13.0/app-readme.md similarity index 100% rename from charts/rancher-gatekeeper/103.0.1+up3.12.0/app-readme.md rename to charts/rancher-gatekeeper/103.1.0+up3.13.0/app-readme.md diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/_helpers.tpl b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/_helpers.tpl similarity index 99% rename from charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/_helpers.tpl rename to charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/_helpers.tpl index c71a8fb617..79581551cb 100644 --- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/_helpers.tpl +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/_helpers.tpl @@ -75,6 +75,7 @@ Output post install webhook probe container entry args: - "--retry" - "99999" + - "--retry-connrefused" - "--retry-max-time" - "{{ .Values.postInstall.probeWebhook.waitTimeout }}" - "--retry-delay" diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/allowedrepos.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/allowedrepos.yaml similarity index 100% rename from charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/allowedrepos.yaml rename to charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/allowedrepos.yaml diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-podsecuritypolicy.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-admin-podsecuritypolicy.yaml similarity index 100% rename from charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-podsecuritypolicy.yaml rename to charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-admin-podsecuritypolicy.yaml diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-serviceaccount.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-admin-serviceaccount.yaml similarity index 100% rename from charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-serviceaccount.yaml rename to charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-admin-serviceaccount.yaml diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-audit-deployment.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-audit-deployment.yaml similarity index 94% rename from charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-audit-deployment.yaml rename to charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-audit-deployment.yaml index a1adb6044b..d03c6d3b55 100644 --- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-audit-deployment.yaml +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-audit-deployment.yaml @@ -28,6 +28,9 @@ spec: {{- if .Values.podAnnotations }} {{- toYaml .Values.podAnnotations | trim | nindent 8 }} {{- end }} + {{- if .Values.auditPodAnnotations }} + {{- toYaml .Values.auditPodAnnotations | trim | nindent 8 }} + {{- end }} labels: {{- include "gatekeeper.podLabels" . }} app: '{{ template "gatekeeper.name" . }}' @@ -56,6 +59,11 @@ spec: - --audit-events-involved-namespace={{ .Values.auditEventsInvolvedNamespace }} - --operation=audit - --operation=status + {{ if .Values.audit.enablePubsub}} + - --enable-pub-sub={{ .Values.audit.enablePubsub }} + - --audit-connection={{ .Values.audit.connection }} + - --audit-channel={{ .Values.audit.channel }} + {{- end }} {{ if not .Values.disableMutation}}- --operation=mutation-status{{- end }} - --logtostderr - --health-addr=:{{ .Values.audit.healthPort }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-deployment.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-controller-manager-deployment.yaml similarity index 99% rename from charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-deployment.yaml rename to charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-controller-manager-deployment.yaml index 5eb8c9b428..b2abb99e97 100644 --- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-deployment.yaml +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-controller-manager-deployment.yaml @@ -22,6 +22,8 @@ spec: gatekeeper.sh/system: "yes" heritage: '{{ .Release.Service }}' release: '{{ .Release.Name }}' + strategy: + type: {{ .Values.controllerManager.strategyType }} template: metadata: annotations: diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-network-policy.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-controller-manager-network-policy.yaml similarity index 100% rename from charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-network-policy.yaml rename to charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-controller-manager-network-policy.yaml diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml similarity index 100% rename from charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml rename to charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-critical-pods-resourcequota.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-critical-pods-resourcequota.yaml similarity index 100% rename from charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-critical-pods-resourcequota.yaml rename to charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-critical-pods-resourcequota.yaml diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-clusterrole.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-manager-role-clusterrole.yaml similarity index 94% rename from charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-clusterrole.yaml rename to charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-manager-role-clusterrole.yaml index 37ac19cc1f..657460a5d6 100644 --- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-clusterrole.yaml +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-manager-role-clusterrole.yaml @@ -82,6 +82,18 @@ rules: - patch - update - watch +- apiGroups: + - expansion.gatekeeper.sh + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - externaldata.gatekeeper.sh resources: diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-role.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-manager-role-role.yaml similarity index 100% rename from charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-role.yaml rename to charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-manager-role-role.yaml diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml similarity index 100% rename from charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml rename to charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml similarity index 100% rename from charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml rename to charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml similarity index 92% rename from charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml rename to charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml index 0bc3bc43eb..ae85f8d08d 100644 --- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml @@ -15,10 +15,14 @@ webhooks: - v1 - v1beta1 clientConfig: + {{- if .Values.mutatingWebhookURL }} + url: https://{{ .Values.mutatingWebhookURL }}/v1/mutate + {{- else }} service: name: gatekeeper-webhook-service namespace: '{{ .Release.Namespace }}' path: /v1/mutate + {{- end }} failurePolicy: {{ .Values.mutatingWebhookFailurePolicy }} matchPolicy: Exact name: mutation.gatekeeper.sh diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml similarity index 95% rename from charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml rename to charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml index f0dd85d5e5..933fbbd3c3 100644 --- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml @@ -15,10 +15,14 @@ webhooks: - v1 - v1beta1 clientConfig: + {{- if .Values.validatingWebhookURL }} + url: https://{{ .Values.validatingWebhookURL }}/v1/admit + {{- else }} service: name: gatekeeper-webhook-service namespace: '{{ .Release.Namespace }}' path: /v1/admit + {{- end }} failurePolicy: {{ .Values.validatingWebhookFailurePolicy }} matchPolicy: Exact name: validation.gatekeeper.sh diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-server-cert-secret.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-webhook-server-cert-secret.yaml similarity index 100% rename from charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-server-cert-secret.yaml rename to charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-webhook-server-cert-secret.yaml diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-service-service.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-webhook-service-service.yaml similarity index 100% rename from charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-service-service.yaml rename to charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-webhook-service-service.yaml diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-install.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/namespace-post-install.yaml similarity index 97% rename from charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-install.yaml rename to charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/namespace-post-install.yaml index 4b4559df93..c69be34c2d 100644 --- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-install.yaml +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/namespace-post-install.yaml @@ -31,6 +31,9 @@ spec: release: '{{ .Release.Name }}' spec: restartPolicy: OnFailure + {{- if .Values.postInstall.labelNamespace.priorityClassName }} + priorityClassName: {{ .Values.postInstall.labelNamespace.priorityClassName }} + {{- end }} {{- if .Values.postInstall.labelNamespace.image.pullSecrets }} imagePullSecrets: {{- .Values.postInstall.labelNamespace.image.pullSecrets | toYaml | nindent 12 }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-upgrade.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/namespace-post-upgrade.yaml similarity index 96% rename from charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-upgrade.yaml rename to charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/namespace-post-upgrade.yaml index 9e4a754548..dc8cc32b18 100644 --- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-upgrade.yaml +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/namespace-post-upgrade.yaml @@ -34,6 +34,9 @@ spec: {{- .Values.postUpgrade.labelNamespace.image.pullSecrets | toYaml | nindent 12 }} {{- end }} serviceAccount: gatekeeper-update-namespace-label-post-upgrade + {{- if .Values.postUpgrade.labelNamespace.priorityClassName }} + priorityClassName: {{ .Values.postUpgrade.labelNamespace.priorityClassName }} + {{- end }} containers: - name: kubectl-label image: '{{ template "system_default_registry" . }}{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}' diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/probe-webhook-post-install.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/probe-webhook-post-install.yaml similarity index 90% rename from charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/probe-webhook-post-install.yaml rename to charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/probe-webhook-post-install.yaml index c9f7065271..19e5a7c654 100644 --- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/probe-webhook-post-install.yaml +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/probe-webhook-post-install.yaml @@ -28,6 +28,9 @@ spec: release: '{{ .Release.Name }}' spec: restartPolicy: Never + {{- if .Values.postInstall.probeWebhook.priorityClassName }} + priorityClassName: {{ .Values.postInstall.probeWebhook.priorityClassName }} + {{- end }} {{- if .Values.postInstall.probeWebhook.image.pullSecrets }} imagePullSecrets: {{- .Values.postInstall.probeWebhook.image.pullSecrets | toYaml | nindent 12 }} @@ -42,5 +45,6 @@ spec: affinity: {{- toYaml .affinity | nindent 8 }} {{- end }} + backoffLimit: 3 {{- end }} {{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/requiredlabels.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/requiredlabels.yaml similarity index 100% rename from charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/requiredlabels.yaml rename to charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/requiredlabels.yaml diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/upgrade-crds-hook.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/upgrade-crds-hook.yaml similarity index 94% rename from charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/upgrade-crds-hook.yaml rename to charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/upgrade-crds-hook.yaml index 28c2d6bb00..e37dcafd4e 100644 --- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/upgrade-crds-hook.yaml +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/upgrade-crds-hook.yaml @@ -71,7 +71,7 @@ metadata: helm.sh/hook-weight: "1" helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" spec: - backoffLimit: 0 + backoffLimit: 3 template: metadata: name: gatekeeper-update-crds-hook @@ -89,7 +89,10 @@ spec: restartPolicy: Never {{- if .Values.images.pullSecrets }} imagePullSecrets: - {{- toYaml .Values.images.pullSecrets | nindent 8 }} + {{- toYaml .Values.image.pullSecrets | nindent 8 }} + {{- end }} + {{- if .Values.upgradeCRDs.priorityClassName }} + priorityClassName: {{ .Values.upgradeCRDs.priorityClassName }} {{- end }} containers: - name: crds-upgrade diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-install-crd.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/validate-install-crd.yaml similarity index 93% rename from charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-install-crd.yaml rename to charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/validate-install-crd.yaml index 9c4f3a3c20..c0c3039387 100644 --- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-install-crd.yaml +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/validate-install-crd.yaml @@ -8,6 +8,7 @@ # {{- set $found "templates.gatekeeper.sh/v1/ConstraintTemplate" false -}} # {{- set $found "status.gatekeeper.sh/v1beta1/ConstraintTemplatePodStatus" false -}} # {{- set $found "expansion.gatekeeper.sh/v1alpha1/ExpansionTemplate" false -}} +# {{- set $found "status.gatekeeper.sh/v1beta1/ExpansionTemplatePodStatus" false -}} # {{- set $found "mutations.gatekeeper.sh/v1/ModifySet" false -}} # {{- set $found "status.gatekeeper.sh/v1beta1/MutatorPodStatus" false -}} # {{- set $found "externaldata.gatekeeper.sh/v1alpha1/Provider" false -}} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-psp-install.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/validate-psp-install.yaml similarity index 100% rename from charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-psp-install.yaml rename to charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/validate-psp-install.yaml diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/webhook-configs-pre-delete.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/webhook-configs-pre-delete.yaml similarity index 95% rename from charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/webhook-configs-pre-delete.yaml rename to charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/webhook-configs-pre-delete.yaml index b57bc69894..21c2411f0a 100644 --- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/webhook-configs-pre-delete.yaml +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/webhook-configs-pre-delete.yaml @@ -33,6 +33,9 @@ spec: {{- .Values.preUninstall.deleteWebhookConfigurations.image.pullSecrets | toYaml | nindent 12 }} {{- end }} serviceAccount: gatekeeper-delete-webhook-configs + {{- if .Values.preUninstall.deleteWebhookConfigurations.priorityClassName }} + priorityClassName: {{ .Values.preUninstall.deleteWebhookConfigurations.priorityClassName }} + {{- end }} containers: - name: kubectl-delete image: '{{ template "system_default_registry" . }}{{ .Values.preUninstall.deleteWebhookConfigurations.image.repository }}:{{ .Values.preUninstall.deleteWebhookConfigurations.image.tag }}' @@ -52,7 +55,7 @@ spec: seccompProfile: type: RuntimeDefault {{- end }} - {{- toYaml .Values.preUninstall.securityContext | nindent 10 }} + {{- toYaml .Values.preUninstall.securityContext | nindent 12 }} {{- with .Values.preUninstall }} nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} {{- if .nodeSelector }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/values.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/values.yaml similarity index 94% rename from charts/rancher-gatekeeper/103.0.1+up3.12.0/values.yaml rename to charts/rancher-gatekeeper/103.1.0+up3.13.0/values.yaml index d1029e24ae..8de6db3bc6 100644 --- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/values.yaml +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/values.yaml @@ -14,9 +14,10 @@ validatingWebhookExemptNamespacesLabels: {} validatingWebhookObjectSelector: {} validatingWebhookCheckIgnoreFailurePolicy: Fail validatingWebhookCustomRules: {} +validatingWebhookURL: null enableDeleteOperations: false enableExternalData: true -enableGeneratorResourceExpansion: false +enableGeneratorResourceExpansion: true enableTLSHealthcheck: false maxServingThreads: -1 mutatingWebhookName: gatekeeper-mutating-webhook-configuration @@ -27,6 +28,7 @@ mutatingWebhookExemptNamespacesLabels: {} mutatingWebhookObjectSelector: {} mutatingWebhookTimeoutSeconds: 1 mutatingWebhookCustomRules: {} +mutatingWebhookURL: null mutationAnnotations: false auditChunkSize: 500 logLevel: INFO @@ -40,17 +42,17 @@ resourceQuota: true images: gatekeeper: repository: rancher/mirrored-openpolicyagent-gatekeeper - tag: v3.12.0 + tag: v3.13.0 gatekeepercrd: repository: rancher/mirrored-openpolicyagent-gatekeeper-crds - tag: v3.12.0 + tag: v3.13.0 pullPolicy: IfNotPresent pullSecrets: [] preInstall: crdRepository: image: repository: null - tag: v3.12.0 + tag: v3.13.0 postUpgrade: labelNamespace: enabled: false @@ -67,6 +69,7 @@ postUpgrade: "pod-security.kubernetes.io/enforce=restricted", "pod-security.kubernetes.io/enforce-version=v1.24"] extraAnnotations: {} + priorityClassName: "" affinity: {} tolerations: [] nodeSelector: {kubernetes.io/os: linux} @@ -86,7 +89,7 @@ postInstall: extraRules: [] image: repository: rancher/mirrored-openpolicyagent-gatekeeper-crds - tag: v3.12.0 + tag: v3.13.0 pullPolicy: IfNotPresent pullSecrets: [] extraNamespaces: [] @@ -97,6 +100,7 @@ postInstall: "pod-security.kubernetes.io/enforce=restricted", "pod-security.kubernetes.io/enforce-version=v1.24"] extraAnnotations: {} + priorityClassName: "" probeWebhook: enabled: true image: @@ -107,6 +111,7 @@ postInstall: waitTimeout: 60 httpTimeout: 2 insecureHTTPS: false + priorityClassName: "" affinity: {} tolerations: [] nodeSelector: {kubernetes.io/os: linux} @@ -125,9 +130,10 @@ preUninstall: enabled: false image: repository: rancher/mirrored-openpolicyagent-gatekeeper-crds - tag: v3.12.0 + tag: v3.13.0 pullPolicy: IfNotPresent pullSecrets: [] + priorityClassName: "" affinity: {} tolerations: [] nodeSelector: {} @@ -142,6 +148,7 @@ preUninstall: runAsNonRoot: true runAsUser: 1000 podAnnotations: {} +auditPodAnnotations: {} podLabels: {} podCountLimit: "100" secretAnnotations: {} @@ -160,6 +167,7 @@ controllerManager: disableCertRotation: false tlsMinVersion: 1.3 clientCertName: "" + strategyType: RollingUpdate affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: @@ -202,6 +210,7 @@ controllerManager: # - ipBlock: # cidr: 0.0.0.0/0 audit: + enablePubsub: false hostNetwork: false dnsPolicy: ClusterFirst metricsPort: 8888 @@ -264,6 +273,7 @@ disabledBuiltins: ["{http.send}"] upgradeCRDs: enabled: true extraRules: [] + priorityClassName: "" rbac: create: true externalCertInjection: diff --git a/index.yaml b/index.yaml index 46974190ed..2dfaf0ce9f 100755 --- a/index.yaml +++ b/index.yaml @@ -7733,7 +7733,7 @@ entries: catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match catalog.cattle.io/certified: rancher catalog.cattle.io/display-name: OPA Gatekeeper - catalog.cattle.io/kube-version: '>= 1.20.0-0 < 1.28.0-0' + catalog.cattle.io/kube-version: '>= 1.20.0-0' catalog.cattle.io/namespace: cattle-gatekeeper-system catalog.cattle.io/os: linux catalog.cattle.io/permits-os: linux,windows @@ -7743,11 +7743,11 @@ entries: catalog.cattle.io/type: cluster-tool catalog.cattle.io/ui-component: gatekeeper apiVersion: v2 - appVersion: v3.12.0 - created: "2023-08-23T17:22:58.94666364-03:00" + appVersion: v3.13.0 + created: "2023-08-28T23:10:42.721448901Z" description: Modifies Open Policy Agent's upstream gatekeeper chart that provides policy-based control for cloud native environments - digest: ee25ad45beb67bc91aa47dd7c576ba89cd00ade03db94341c463948901a3c0c6 + digest: 300e12017c4487cf4c98b437579076b7fc96ab116a81b6e3b188c2a671be1290 home: https://github.com/open-policy-agent/gatekeeper icon: https://charts.rancher.io/assets/logos/gatekeeper.svg keywords: @@ -7757,8 +7757,8 @@ entries: sources: - https://github.com/open-policy-agent/gatekeeper.git urls: - - assets/rancher-gatekeeper/rancher-gatekeeper-103.0.1+up3.12.0.tgz - version: 103.0.1+up3.12.0 + - assets/rancher-gatekeeper/rancher-gatekeeper-103.1.0+up3.13.0.tgz + version: 103.1.0+up3.13.0 - annotations: catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match catalog.cattle.io/certified: rancher @@ -8138,14 +8138,14 @@ entries: catalog.cattle.io/namespace: cattle-gatekeeper-system catalog.cattle.io/release-name: rancher-gatekeeper-crd apiVersion: v1 - created: "2023-08-23T17:22:58.953726661-03:00" + created: "2023-08-25T23:58:48.830847335Z" description: Installs the CRDs for rancher-gatekeeper. - digest: d47fba3bc692cd330ea61d70de4c1fd8e4316cd13cdf7bf6f13b17df132bd74d + digest: 433eb32cfc8233840c67cd97bc236a5199b6e311a9c4c26b681d08b89e317a3b name: rancher-gatekeeper-crd type: application urls: - - assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-103.0.1+up3.12.0.tgz - version: 103.0.1+up3.12.0 + - assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-103.1.0+up3.13.0.tgz + version: 103.1.0+up3.13.0 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true" diff --git a/packages/rancher-gatekeeper/generated-changes/patch/Chart.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/Chart.yaml.patch index 622b464d57..c9078fdfd2 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/Chart.yaml.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/Chart.yaml.patch @@ -5,7 +5,7 @@ + catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: OPA Gatekeeper -+ catalog.cattle.io/kube-version: '>= 1.20.0-0 < 1.28.0-0' ++ catalog.cattle.io/kube-version: '>= 1.20.0-0' + catalog.cattle.io/namespace: cattle-gatekeeper-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows @@ -15,7 +15,7 @@ + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: gatekeeper apiVersion: v2 - appVersion: v3.12.0 + appVersion: v3.13.0 -description: A Helm chart for Gatekeeper +description: Modifies Open Policy Agent's upstream gatekeeper chart that provides + policy-based control for cloud native environments @@ -29,4 +29,4 @@ +name: rancher-gatekeeper sources: - https://github.com/open-policy-agent/gatekeeper.git - version: 3.12.0 + version: 3.13.0 diff --git a/packages/rancher-gatekeeper/generated-changes/patch/README.md.patch b/packages/rancher-gatekeeper/generated-changes/patch/README.md.patch index 49df9ac6e1..5a9be32495 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/README.md.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/README.md.patch @@ -1,11 +1,11 @@ --- charts-original/README.md +++ charts/README.md -@@ -118,7 +118,7 @@ - | crds.nodeSelector | The node selector to use for pod scheduling in crds hook jobs | `kubernetes.io/os: linux` | - | crds.resources | The resource request/limits for the container image in crds hook jobs | `{}` | - | crds.securityContext | Security context applied to the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 }` | --| auditInterval | The frequency with which audit is run | `60` | -+| auditInterval | The frequency with which audit is run | `300` | - | constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` | - | auditFromCache | Take the roster of resources to audit from the audit cache | `false` | - | auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `500` | +@@ -129,7 +129,7 @@ + | crds.nodeSelector | The node selector to use for pod scheduling in crds hook jobs | `kubernetes.io/os: linux` | + | crds.resources | The resource request/limits for the container image in crds hook jobs | `{}` | + | crds.securityContext | Security context applied to the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 }` | +-| auditInterval | The frequency with which audit is run | `60` | ++| auditInterval | The frequency with which audit is run | `300` | + | constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` | + | auditFromCache | Take the roster of resources to audit from the audit cache | `false` | + | auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `500` | diff --git a/packages/rancher-gatekeeper/generated-changes/patch/templates/_helpers.tpl.patch b/packages/rancher-gatekeeper/generated-changes/patch/templates/_helpers.tpl.patch index dcd1cbdeef..ce45c3b678 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/templates/_helpers.tpl.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/_helpers.tpl.patch @@ -37,7 +37,7 @@ imagePullPolicy: {{ .Values.postInstall.probeWebhook.image.pullPolicy }} command: - "curl" -@@ -69,10 +92,10 @@ +@@ -70,10 +93,10 @@ resources: {{- toYaml .Values.postInstall.resources | nindent 4 }} securityContext: diff --git a/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-audit-deployment.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-audit-deployment.yaml.patch index 67a3e0e96f..b6aae9fa06 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-audit-deployment.yaml.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-audit-deployment.yaml.patch @@ -1,6 +1,6 @@ --- charts-original/templates/gatekeeper-audit-deployment.yaml +++ charts/templates/gatekeeper-audit-deployment.yaml -@@ -42,11 +42,7 @@ +@@ -45,11 +45,7 @@ {{- toYaml .Values.audit.affinity | nindent 8 }} automountServiceAccountToken: true containers: @@ -13,7 +13,7 @@ args: - --audit-interval={{ .Values.auditInterval }} - --log-level={{ (.Values.audit.logLevel | empty | not) | ternary .Values.audit.logLevel .Values.logLevel }} -@@ -94,7 +90,7 @@ +@@ -102,7 +98,7 @@ fieldPath: metadata.namespace - name: CONTAINER_NAME value: manager @@ -22,7 +22,7 @@ livenessProbe: httpGet: path: /healthz -@@ -130,9 +126,11 @@ +@@ -138,9 +134,11 @@ dnsPolicy: {{ .Values.audit.dnsPolicy }} hostNetwork: {{ .Values.audit.hostNetwork }} imagePullSecrets: @@ -37,7 +37,7 @@ {{- if .Values.audit.priorityClassName }} priorityClassName: {{ .Values.audit.priorityClassName }} {{- end }} -@@ -140,8 +138,10 @@ +@@ -148,8 +146,10 @@ {{- toYaml .Values.audit.podSecurityContext | nindent 8 }} serviceAccountName: gatekeeper-admin terminationGracePeriodSeconds: 60 diff --git a/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-controller-manager-deployment.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-controller-manager-deployment.yaml.patch index 293ff80c88..46e7dfa3e6 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-controller-manager-deployment.yaml.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-controller-manager-deployment.yaml.patch @@ -1,6 +1,6 @@ --- charts-original/templates/gatekeeper-controller-manager-deployment.yaml +++ charts/templates/gatekeeper-controller-manager-deployment.yaml -@@ -42,11 +42,8 @@ +@@ -44,11 +44,8 @@ {{- toYaml .Values.controllerManager.affinity | nindent 8 }} automountServiceAccountToken: true containers: @@ -14,7 +14,7 @@ args: - --port={{ .Values.controllerManager.port }} - --health-addr=:{{ .Values.controllerManager.healthPort }} -@@ -111,7 +108,6 @@ +@@ -113,7 +110,6 @@ fieldPath: metadata.namespace - name: CONTAINER_NAME value: manager @@ -22,7 +22,7 @@ livenessProbe: httpGet: path: /healthz -@@ -148,9 +144,11 @@ +@@ -150,9 +146,11 @@ dnsPolicy: {{ .Values.controllerManager.dnsPolicy }} hostNetwork: {{ .Values.controllerManager.hostNetwork }} imagePullSecrets: @@ -37,7 +37,7 @@ {{- if .Values.controllerManager.priorityClassName }} priorityClassName: {{ .Values.controllerManager.priorityClassName }} {{- end }} -@@ -158,8 +156,10 @@ +@@ -160,8 +158,10 @@ {{- toYaml .Values.controllerManager.podSecurityContext | nindent 8 }} serviceAccountName: gatekeeper-admin terminationGracePeriodSeconds: 60 diff --git a/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-manager-role-clusterrole.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-manager-role-clusterrole.yaml.patch index 0199eedb96..9cfd28a457 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-manager-role-clusterrole.yaml.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-manager-role-clusterrole.yaml.patch @@ -1,6 +1,6 @@ --- charts-original/templates/gatekeeper-manager-role-clusterrole.yaml +++ charts/templates/gatekeeper-manager-role-clusterrole.yaml -@@ -106,7 +106,7 @@ +@@ -118,7 +118,7 @@ - patch - update - watch diff --git a/packages/rancher-gatekeeper/generated-changes/patch/templates/namespace-post-install.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/templates/namespace-post-install.yaml.patch index 0cd078747c..c7e4a25918 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/templates/namespace-post-install.yaml.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/namespace-post-install.yaml.patch @@ -1,6 +1,6 @@ --- charts-original/templates/namespace-post-install.yaml +++ charts/templates/namespace-post-install.yaml -@@ -44,7 +44,7 @@ +@@ -47,7 +47,7 @@ {{- end }} containers: - name: kubectl-label @@ -9,7 +9,7 @@ imagePullPolicy: {{ .Values.postInstall.labelNamespace.image.pullPolicy }} args: - label -@@ -85,12 +85,10 @@ +@@ -88,12 +88,10 @@ {{- toYaml .Values.postInstall.securityContext | nindent 12 }} {{- end }} {{- with .Values.postInstall }} @@ -24,7 +24,7 @@ {{- end }} --- apiVersion: v1 -@@ -132,6 +130,12 @@ +@@ -135,6 +133,12 @@ {{- range .Values.postInstall.labelNamespace.extraNamespaces }} - {{ . }} {{- end }} diff --git a/packages/rancher-gatekeeper/generated-changes/patch/templates/namespace-post-upgrade.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/templates/namespace-post-upgrade.yaml.patch index cc9af604c1..b194955a63 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/templates/namespace-post-upgrade.yaml.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/namespace-post-upgrade.yaml.patch @@ -1,7 +1,7 @@ --- charts-original/templates/namespace-post-upgrade.yaml +++ charts/templates/namespace-post-upgrade.yaml -@@ -36,7 +36,7 @@ - serviceAccount: gatekeeper-update-namespace-label-post-upgrade +@@ -39,7 +39,7 @@ + {{- end }} containers: - name: kubectl-label - image: "{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}" @@ -9,7 +9,7 @@ imagePullPolicy: {{ .Values.postUpgrade.labelNamespace.image.pullPolicy }} args: - label -@@ -77,12 +77,10 @@ +@@ -80,12 +80,10 @@ {{- toYaml .Values.postUpgrade.securityContext | nindent 12 }} {{- end }} {{- with .Values.postUpgrade }} @@ -24,7 +24,7 @@ {{- end }} --- apiVersion: v1 -@@ -123,6 +121,12 @@ +@@ -126,6 +124,12 @@ {{- range .Values.postUpgrade.labelNamespace.extraNamespaces }} - {{ . }} {{- end }} diff --git a/packages/rancher-gatekeeper/generated-changes/patch/templates/probe-webhook-post-install.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/templates/probe-webhook-post-install.yaml.patch index 61f57cb652..25cb918db4 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/templates/probe-webhook-post-install.yaml.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/probe-webhook-post-install.yaml.patch @@ -1,6 +1,6 @@ --- charts-original/templates/probe-webhook-post-install.yaml +++ charts/templates/probe-webhook-post-install.yaml -@@ -37,12 +37,10 @@ +@@ -40,12 +40,10 @@ containers: {{- include "gatekeeper.postInstallWebhookProbeContainer" . | nindent 8 }} {{- with .Values.postInstall }} @@ -13,5 +13,5 @@ - nodeSelector: - {{- toYaml .nodeSelector | nindent 8 }} {{- end }} - {{- end }} + backoffLimit: 3 {{- end }} diff --git a/packages/rancher-gatekeeper/generated-changes/patch/templates/upgrade-crds-hook.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/templates/upgrade-crds-hook.yaml.patch index 5dd2ed1b7a..eb08bd6dc5 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/templates/upgrade-crds-hook.yaml.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/upgrade-crds-hook.yaml.patch @@ -1,14 +1,15 @@ --- charts-original/templates/upgrade-crds-hook.yaml +++ charts/templates/upgrade-crds-hook.yaml -@@ -87,26 +87,14 @@ +@@ -87,7 +87,7 @@ spec: serviceAccountName: gatekeeper-admin-upgrade-crds restartPolicy: Never - {{- if .Values.image.pullSecrets }} + {{- if .Values.images.pullSecrets }} imagePullSecrets: -- {{- toYaml .Values.image.pullSecrets | nindent 8 }} -+ {{- toYaml .Values.images.pullSecrets | nindent 8 }} + {{- toYaml .Values.image.pullSecrets | nindent 8 }} + {{- end }} +@@ -96,20 +96,8 @@ {{- end }} containers: - name: crds-upgrade @@ -31,7 +32,7 @@ args: - apply - -f -@@ -120,11 +108,9 @@ +@@ -123,11 +111,9 @@ {{- end }} {{- toYaml .Values.crds.securityContext | nindent 10 }} {{- with .Values.crds }} diff --git a/packages/rancher-gatekeeper/generated-changes/patch/templates/webhook-configs-pre-delete.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/templates/webhook-configs-pre-delete.yaml.patch index 3761372aa1..9b47c1b166 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/templates/webhook-configs-pre-delete.yaml.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/webhook-configs-pre-delete.yaml.patch @@ -1,7 +1,7 @@ --- charts-original/templates/webhook-configs-pre-delete.yaml +++ charts/templates/webhook-configs-pre-delete.yaml -@@ -35,7 +35,7 @@ - serviceAccount: gatekeeper-delete-webhook-configs +@@ -38,7 +38,7 @@ + {{- end }} containers: - name: kubectl-delete - image: "{{ .Values.preUninstall.deleteWebhookConfigurations.image.repository }}:{{ .Values.preUninstall.deleteWebhookConfigurations.image.tag }}" @@ -9,18 +9,9 @@ imagePullPolicy: {{ .Values.preUninstall.deleteWebhookConfigurations.image.pullPolicy }} args: - delete -@@ -46,7 +46,7 @@ - - mutatingwebhookconfiguration/{{ .Values.mutatingWebhookName }} - {{- end }} - resources: -- {{- toYaml .Values.preUninstall.resources | nindent 10 }} -+ {{- toYaml .Values.preUninstall.resources | nindent 12 }} - securityContext: - {{- if .Values.enableRuntimeDefaultSeccompProfile }} - seccompProfile: -@@ -54,12 +54,16 @@ +@@ -57,12 +57,16 @@ {{- end }} - {{- toYaml .Values.preUninstall.securityContext | nindent 10 }} + {{- toYaml .Values.preUninstall.securityContext | nindent 12 }} {{- with .Values.preUninstall }} - nodeSelector: - {{- toYaml .nodeSelector | nindent 8 }} diff --git a/packages/rancher-gatekeeper/generated-changes/patch/values.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/values.yaml.patch index a3528259cd..b2222ffa13 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/values.yaml.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/values.yaml.patch @@ -1,44 +1,44 @@ --- charts-original/values.yaml +++ charts/values.yaml -@@ -37,10 +37,13 @@ +@@ -39,10 +39,13 @@ admissionEventsInvolvedNamespace: false auditEventsInvolvedNamespace: false resourceQuota: true -image: - repository: openpolicyagent/gatekeeper - crdRepository: openpolicyagent/gatekeeper-crds -- release: v3.12.0 +- release: v3.13.0 +images: + gatekeeper: + repository: rancher/mirrored-openpolicyagent-gatekeeper -+ tag: v3.12.0 ++ tag: v3.13.0 + gatekeepercrd: + repository: rancher/mirrored-openpolicyagent-gatekeeper-crds -+ tag: v3.12.0 ++ tag: v3.13.0 pullPolicy: IfNotPresent pullSecrets: [] preInstall: -@@ -52,8 +55,8 @@ +@@ -54,8 +57,8 @@ labelNamespace: enabled: false image: - repository: openpolicyagent/gatekeeper-crds -- tag: v3.12.0 +- tag: v3.13.0 + repository: rancher/kubectl + tag: v1.20.2 pullPolicy: IfNotPresent pullSecrets: [] extraNamespaces: [] -@@ -82,7 +85,7 @@ +@@ -85,7 +88,7 @@ enabled: true extraRules: [] image: - repository: openpolicyagent/gatekeeper-crds + repository: rancher/mirrored-openpolicyagent-gatekeeper-crds - tag: v3.12.0 + tag: v3.13.0 pullPolicy: IfNotPresent pullSecrets: [] -@@ -97,7 +100,7 @@ +@@ -101,7 +104,7 @@ probeWebhook: enabled: true image: @@ -47,15 +47,16 @@ tag: 7.83.1 pullPolicy: IfNotPresent pullSecrets: [] -@@ -121,13 +124,13 @@ +@@ -126,14 +129,14 @@ extraRules: [] enabled: false image: - repository: openpolicyagent/gatekeeper-crds + repository: rancher/mirrored-openpolicyagent-gatekeeper-crds - tag: v3.12.0 + tag: v3.13.0 pullPolicy: IfNotPresent pullSecrets: [] + priorityClassName: "" affinity: {} tolerations: [] - nodeSelector: {kubernetes.io/os: linux} @@ -63,7 +64,7 @@ resources: {} securityContext: allowPrivilegeEscalation: false -@@ -171,7 +174,7 @@ +@@ -179,7 +182,7 @@ weight: 100 topologySpreadConstraints: [] tolerations: [] @@ -72,7 +73,7 @@ resources: limits: memory: 512Mi -@@ -209,7 +212,7 @@ +@@ -218,7 +221,7 @@ disableCertRotation: true affinity: {} tolerations: [] @@ -81,7 +82,7 @@ resources: limits: memory: 512Mi -@@ -248,10 +251,16 @@ +@@ -257,10 +260,16 @@ pdb: controllerManager: minAvailable: 1 diff --git a/packages/rancher-gatekeeper/package.yaml b/packages/rancher-gatekeeper/package.yaml index c953f4990a..1f04bcb544 100644 --- a/packages/rancher-gatekeeper/package.yaml +++ b/packages/rancher-gatekeeper/package.yaml @@ -1,5 +1,5 @@ -url: https://open-policy-agent.github.io/gatekeeper/charts/gatekeeper-3.12.0.tgz -version: 103.0.1 +url: https://open-policy-agent.github.io/gatekeeper/charts/gatekeeper-3.13.0.tgz +version: 103.1.0 additionalCharts: - workingDir: charts-crd crdOptions: diff --git a/release.yaml b/release.yaml index 2cf6545e64..e164ed7cbe 100644 --- a/release.yaml +++ b/release.yaml @@ -23,9 +23,9 @@ rancher-eks-operator: rancher-eks-operator-crd: - 103.0.0+up1.3.0-rc1 rancher-gatekeeper: -- 103.0.1+up3.12.0 +- 103.1.0+up3.13.0 rancher-gatekeeper-crd: -- 103.0.1+up3.12.0 +- 103.1.0+up3.13.0 ui-plugin-operator: - 103.0.1+up0.2.1 ui-plugin-operator-crd: