chore: Prepare v3.10.0-beta.2 release (#2297)

Co-authored-by: sozercan <[email protected]>
Co-authored-by: Sertaç Özercan <[email protected]>

Makefile

@@ -11,7 +11,7 @@ USE_LOCAL_IMG ?= false
 ENABLE_EXTERNAL_DATA ?= false
 ENABLE_GENERATOR_EXPANSION ?= false
 
-VERSION := v3.10.0-beta.1
+VERSION := v3.10.0-beta.2
 
 KIND_VERSION ?= 0.15.0
 # note: k8s version pinned since KIND image availability lags k8s releases

charts/gatekeeper/Chart.yaml

@@ -3,8 +3,8 @@ description: A Helm chart for Gatekeeper
 name: gatekeeper
 keywords:
   - open policy agent
-version: 3.10.0-beta.1
+version: 3.10.0-beta.2
 home: https://github.com/open-policy-agent/gatekeeper
 sources:
   - https://github.com/open-policy-agent/gatekeeper.git
-appVersion: v3.10.0-beta.1
+appVersion: v3.10.0-beta.2

charts/gatekeeper/crds/assign-customresourcedefinition.yaml

@@ -157,6 +157,13 @@ spec:
                   scope:
                     description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched.  Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`)
                     type: string
+                  source:
+                    description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources.
+                    enum:
+                    - All
+                    - Generated
+                    - Original
+                    type: string
                 type: object
               parameters:
                 description: Parameters define the behavior of the mutator.
@@ -395,6 +402,13 @@ spec:
                   scope:
                     description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched.  Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`)
                     type: string
+                  source:
+                    description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources.
+                    enum:
+                    - All
+                    - Generated
+                    - Original
+                    type: string
                 type: object
               parameters:
                 description: Parameters define the behavior of the mutator.

charts/gatekeeper/crds/assignmetadata-customresourcedefinition.yaml

@@ -137,6 +137,13 @@ spec:
                   scope:
                     description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched.  Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`)
                     type: string
+                  source:
+                    description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources.
+                    enum:
+                    - All
+                    - Generated
+                    - Original
+                    type: string
                 type: object
               parameters:
                 properties:
@@ -341,6 +348,13 @@ spec:
                   scope:
                     description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched.  Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`)
                     type: string
+                  source:
+                    description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources.
+                    enum:
+                    - All
+                    - Generated
+                    - Original
+                    type: string
                 type: object
               parameters:
                 properties:

charts/gatekeeper/crds/expansiontemplate-customresourcedefinition.yaml

@@ -0,0 +1,76 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.8.0
+  labels:
+    gatekeeper.sh/system: "yes"
+  name: expansiontemplate.expansion.gatekeeper.sh
+spec:
+  group: expansion.gatekeeper.sh
+  names:
+    kind: ExpansionTemplate
+    listKind: ExpansionTemplateList
+    plural: expansiontemplate
+    singular: expansiontemplate
+  preserveUnknownFields: false
+  scope: Cluster
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: ExpansionTemplate is the Schema for the ExpansionTemplate API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ExpansionTemplateSpec defines the desired state of ExpansionTemplate.
+            properties:
+              applyTo:
+                description: ApplyTo lists the specific groups, versions and kinds of generator resources which will be expanded.
+                items:
+                  description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed.
+                  properties:
+                    groups:
+                      items:
+                        type: string
+                      type: array
+                    kinds:
+                      items:
+                        type: string
+                      type: array
+                    versions:
+                      items:
+                        type: string
+                      type: array
+                  type: object
+                type: array
+              generatedGVK:
+                description: GeneratedGVK specifies the GVK of the resources which the generator resource creates.
+                properties:
+                  group:
+                    type: string
+                  kind:
+                    type: string
+                  version:
+                    type: string
+                type: object
+              templateSource:
+                description: TemplateSource specifies the source field on the generator resource to use as the base for expanded resource. For Pod-creating generators, this is usually spec.template
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

charts/gatekeeper/crds/modifyset-customresourcedefinition.yaml

@@ -157,6 +157,13 @@ spec:
                   scope:
                     description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched.  Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`)
                     type: string
+                  source:
+                    description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources.
+                    enum:
+                    - All
+                    - Generated
+                    - Original
+                    type: string
                 type: object
               parameters:
                 description: Parameters define the behavior of the mutator.
@@ -368,6 +375,13 @@ spec:
                   scope:
                     description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched.  Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`)
                     type: string
+                  source:
+                    description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources.
+                    enum:
+                    - All
+                    - Generated
+                    - Original
+                    type: string
                 type: object
               parameters:
                 description: Parameters define the behavior of the mutator.

charts/gatekeeper/templates/_helpers.tpl

@@ -81,5 +81,5 @@ Output post install webhook probe volume entry
 {{- define "gatekeeper.postInstallWebhookProbeVolume" -}}
 - name: cert
   secret:
-    secretName: gatekeeper-webhook-server-cert
+    secretName: {{ .Values.externalCertInjection.secretName }}
 {{- end -}}

charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml

@@ -62,11 +62,12 @@ spec:
         - --health-addr=:{{ .Values.audit.healthPort }}
         - --prometheus-port={{ .Values.audit.metricsPort }}
         - --enable-external-data={{ .Values.enableExternalData }}
+        - --enable-generator-resource-expansion={{ .Values.enableGeneratorResourceExpansion }}
 
         {{- range .Values.metricsBackends}}
         - --metrics-backend={{ . }}
         {{- end }}
-        - --disable-cert-rotation={{ .Values.audit.disableCertRotation }}
+        - --disable-cert-rotation={{ or .Values.audit.disableCertRotation .Values.externalCertInjection.enabled }}
         command:
         - /manager
         env:

charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml

@@ -58,10 +58,12 @@ spec:
         - --exempt-namespace={{ .Release.Namespace }}
         - --operation=webhook
         - --enable-external-data={{ .Values.enableExternalData }}
+        - --enable-generator-resource-expansion={{ .Values.enableGeneratorResourceExpansion }}
         - --log-mutations={{ .Values.logMutations }}
         - --mutation-annotations={{ .Values.mutationAnnotations }}
         - --disable-cert-rotation={{ .Values.controllerManager.disableCertRotation }}
         - --max-serving-threads={{ .Values.maxServingThreads }}
+        - --tls-min-version={{ .Values.controllerManager.tlsMinVersion }}
 
         {{- range .Values.metricsBackends}}
         - --metrics-backend={{ . }}

charts/gatekeeper/templates/gatekeeper-webhook-server-cert-secret.yaml

@@ -1,3 +1,4 @@
+{{- if not .Values.externalCertInjection.enabled }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -10,3 +11,4 @@ metadata:
     release: '{{ .Release.Name }}'
   name: gatekeeper-webhook-server-cert
   namespace: '{{ .Release.Namespace }}'
+{{- end }}

charts/gatekeeper/templates/namespace-post-install.yaml

@@ -85,7 +85,7 @@ metadata:
 ---
 {{- if .Values.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: ClusterRole
 metadata:
   name: gatekeeper-update-namespace-label
   labels:
@@ -116,7 +116,7 @@ rules:
 ---
 {{- if .Values.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+kind: ClusterRoleBinding
 metadata:
   name: gatekeeper-update-namespace-label
   labels:
@@ -128,7 +128,7 @@ metadata:
     "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: Role
+  kind: ClusterRole
   name: gatekeeper-update-namespace-label
 subjects:
   - kind: ServiceAccount

charts/gatekeeper/values.yaml

@@ -15,6 +15,7 @@ validatingWebhookCheckIgnoreFailurePolicy: Fail
 validatingWebhookCustomRules: {}
 enableDeleteOperations: false
 enableExternalData: false
+enableGeneratorResourceExpansion: false
 enableTLSHealthcheck: false
 maxServingThreads: -1
 mutatingWebhookFailurePolicy: Ignore
@@ -37,7 +38,7 @@ postUpgrade:
     enabled: false
     image:
       repository: openpolicyagent/gatekeeper-crds
-      tag: v3.10.0-beta.1
+      tag: v3.10.0-beta.2
       pullPolicy: IfNotPresent
       pullSecrets: []
     extraNamespaces: []
@@ -55,7 +56,7 @@ postUpgrade:
     allowPrivilegeEscalation: false
     capabilities:
       drop:
-      - all
+      - ALL
     readOnlyRootFilesystem: true
     runAsGroup: 999
     runAsNonRoot: true
@@ -66,7 +67,7 @@ postInstall:
     extraRules: []
     image:
       repository: openpolicyagent/gatekeeper-crds
-      tag: v3.10.0-beta.1
+      tag: v3.10.0-beta.2
       pullPolicy: IfNotPresent
       pullSecrets: []
     extraNamespaces: []
@@ -93,7 +94,7 @@ postInstall:
     allowPrivilegeEscalation: false
     capabilities:
       drop:
-      - all
+      - ALL
     readOnlyRootFilesystem: true
     runAsGroup: 999
     runAsNonRoot: true
@@ -104,7 +105,7 @@ preUninstall:
     enabled: false
     image:
       repository: openpolicyagent/gatekeeper-crds
-      tag: v3.10.0-beta.1
+      tag: v3.10.0-beta.2
       pullPolicy: IfNotPresent
       pullSecrets: []
   affinity: {}
@@ -115,15 +116,15 @@ preUninstall:
     allowPrivilegeEscalation: false
     capabilities:
       drop:
-      - all
+      - ALL
     readOnlyRootFilesystem: true
     runAsGroup: 999
     runAsNonRoot: true
     runAsUser: 1000
 image:
   repository: openpolicyagent/gatekeeper
   crdRepository: openpolicyagent/gatekeeper-crds
-  release: v3.10.0-beta.1
+  release: v3.10.0-beta.2
   pullPolicy: IfNotPresent
   pullSecrets: []
 podAnnotations: {}
@@ -143,6 +144,7 @@ controllerManager:
   livenessTimeout: 1
   priorityClassName: system-cluster-critical
   disableCertRotation: false
+  tlsMinVersion: 1.3
   affinity:
     podAntiAffinity:
       preferredDuringSchedulingIgnoredDuringExecution:
@@ -169,7 +171,7 @@ controllerManager:
     allowPrivilegeEscalation: false
     capabilities:
       drop:
-      - all
+      - ALL
     readOnlyRootFilesystem: true
     runAsGroup: 999
     runAsNonRoot: true
@@ -202,7 +204,7 @@ audit:
     allowPrivilegeEscalation: false
     capabilities:
       drop:
-      - all
+      - ALL
     readOnlyRootFilesystem: true
     runAsGroup: 999
     runAsNonRoot: true
@@ -222,7 +224,7 @@ crds:
     allowPrivilegeEscalation: false
     capabilities:
       drop:
-      - all
+      - ALL
     readOnlyRootFilesystem: true
     runAsGroup: 65532
     runAsNonRoot: true
@@ -239,3 +241,6 @@ upgradeCRDs:
   extraRules: []
 rbac:
   create: true
+externalCertInjection:
+  enabled: false
+  secretName: gatekeeper-webhook-server-cert

cmd/build/helmify/static/Chart.yaml

@@ -3,8 +3,8 @@ description: A Helm chart for Gatekeeper
 name: gatekeeper
 keywords:
   - open policy agent
-version: 3.10.0-beta.1
+version: 3.10.0-beta.2
 home: https://github.com/open-policy-agent/gatekeeper
 sources:
   - https://github.com/open-policy-agent/gatekeeper.git
-appVersion: v3.10.0-beta.1
+appVersion: v3.10.0-beta.2