chore: Prepare v3.10.0-beta.1 release (#2242)

Signed-off-by: Rita Zhang <[email protected]>

Signed-off-by: Rita Zhang <[email protected]>
Co-authored-by: ritazh <[email protected]>

Makefile

@@ -10,7 +10,7 @@ DEV_TAG ?= dev
 USE_LOCAL_IMG ?= false
 ENABLE_EXTERNAL_DATA ?= false
 
-VERSION := v3.10.0-beta.0
+VERSION := v3.10.0-beta.1
 
 KIND_VERSION ?= 0.13.0
 # note: k8s version pinned since KIND image availability lags k8s releases

charts/gatekeeper/Chart.yaml

@@ -3,8 +3,8 @@ description: A Helm chart for Gatekeeper
 name: gatekeeper
 keywords:
   - open policy agent
-version: 3.10.0-beta.0
+version: 3.10.0-beta.1
 home: https://github.com/open-policy-agent/gatekeeper
 sources:
   - https://github.com/open-policy-agent/gatekeeper.git
-appVersion: v3.10.0-beta.0
+appVersion: v3.10.0-beta.1

charts/gatekeeper/templates/_helpers.tpl

@@ -48,6 +48,7 @@ Output post install webhook probe container entry
   image: "{{ .Values.postInstall.probeWebhook.image.repository }}:{{ .Values.postInstall.probeWebhook.image.tag }}"
   imagePullPolicy: {{ .Values.postInstall.probeWebhook.image.pullPolicy }}
   args:
+    - "curl"
     - "--retry"
     - "99999"
     - "--retry-max-time"
@@ -64,6 +65,8 @@ Output post install webhook probe container entry
     {{- end }}
     - "-v"
     - "https://gatekeeper-webhook-service.{{ .Release.Namespace }}.svc/v1/admitlabel?timeout=2s"
+  resources:
+  {{- toYaml .Values.postInstall.resources | nindent 4 }}
   securityContext:
   {{- toYaml .Values.postInstall.securityContext | nindent 4 }}
   volumeMounts:

charts/gatekeeper/templates/gatekeeper-admin-podsecuritypolicy.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.psp.enabled }}
+{{- if and .Values.psp.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:

charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml

@@ -91,6 +91,7 @@ spec:
           httpGet:
             path: /healthz
             port: {{ .Values.audit.healthPort }}
+          timeoutSeconds: {{ .Values.audit.livenessTimeout }}
         name: manager
         ports:
         - containerPort: {{ .Values.audit.metricsPort }}
@@ -103,6 +104,7 @@ spec:
           httpGet:
             path: /readyz
             port: {{ .Values.audit.healthPort }}
+          timeoutSeconds: {{ .Values.audit.readinessTimeout }}
         resources:
           {{- toYaml .Values.audit.resources | nindent 10 }}
         securityContext:

charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml

@@ -61,6 +61,7 @@ spec:
         - --log-mutations={{ .Values.logMutations }}
         - --mutation-annotations={{ .Values.mutationAnnotations }}
         - --disable-cert-rotation={{ .Values.controllerManager.disableCertRotation }}
+        - --max-serving-threads={{ .Values.maxServingThreads }}
 
         {{- range .Values.metricsBackends}}
         - --metrics-backend={{ . }}
@@ -103,6 +104,7 @@ spec:
           httpGet:
             path: /healthz
             port: {{ .Values.controllerManager.healthPort }}
+          timeoutSeconds: {{ .Values.controllerManager.livenessTimeout }}
         name: manager
         ports:
         - containerPort: {{ .Values.controllerManager.port }}
@@ -118,6 +120,7 @@ spec:
           httpGet:
             path: /readyz
             port: {{ .Values.controllerManager.healthPort }}
+          timeoutSeconds: {{ .Values.controllerManager.readinessTimeout }}
         resources:
           {{- toYaml .Values.controllerManager.resources | nindent 10 }}
         securityContext:
@@ -145,6 +148,8 @@ spec:
       terminationGracePeriodSeconds: 60
       tolerations:
         {{- toYaml .Values.controllerManager.tolerations | nindent 8 }}
+      topologySpreadConstraints:
+        {{- toYaml .Values.controllerManager.topologySpreadConstraints | nindent 8 }}
       volumes:
       - name: cert
         secret:

charts/gatekeeper/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml

@@ -1,8 +1,6 @@
-{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }}
-apiVersion: policy/v1
-{{ else }}
-apiVersion: policy/v1beta1
-{{ end -}}
+{{- $v1 := .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}}
+{{- $v1beta1 := .Capabilities.APIVersions.Has "policy/v1beta1/PodDisruptionBudget" -}}
+apiVersion: policy/v1{{- if and (not $v1) $v1beta1 -}}beta1{{- end }}
 kind: PodDisruptionBudget
 metadata:
   labels:

charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml

@@ -99,6 +99,7 @@ rules:
   - patch
   - update
   - watch
+{{- if and .Values.psp.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
 - apiGroups:
   - policy
   resourceNames:
@@ -107,6 +108,7 @@ rules:
   - podsecuritypolicies
   verbs:
   - use
+{{- end }}
 - apiGroups:
   - status.gatekeeper.sh
   resources:

charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml

@@ -2,6 +2,7 @@
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
+  annotations: {{- toYaml .Values.mutatingWebhookAnnotations | trim | nindent 4 }}
   labels:
     app: '{{ template "gatekeeper.name" . }}'
     chart: '{{ template "gatekeeper.name" . }}'

charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml

@@ -2,6 +2,7 @@
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
+  annotations: {{- toYaml .Values.validatingWebhookAnnotations | trim | nindent 4 }}
   labels:
     app: '{{ template "gatekeeper.name" . }}'
     chart: '{{ template "gatekeeper.name" . }}'

charts/gatekeeper/templates/namespace-post-install.yaml

@@ -19,7 +19,11 @@ spec:
       annotations:
         {{- toYaml .Values.podAnnotations | trim | nindent 8 }}
       labels:
+        {{- include "gatekeeper.podLabels" . }}
         app: '{{ template "gatekeeper.name" . }}'
+        chart: '{{ template "gatekeeper.name" . }}'
+        gatekeeper.sh/system: "yes"
+        heritage: '{{ .Release.Service }}'
         release: '{{ .Release.Name }}'
     spec:
       restartPolicy: OnFailure
@@ -28,8 +32,6 @@ spec:
       {{- .Values.postInstall.labelNamespace.image.pullSecrets | toYaml | nindent 12 }}
       {{- end }}
       serviceAccount: gatekeeper-update-namespace-label
-      nodeSelector:
-        kubernetes.io/os: linux
       {{- if .Values.postInstall.probeWebhook.enabled }}
       volumes:
       {{- include "gatekeeper.postInstallWebhookProbeVolume" . | nindent 8 }}
@@ -48,9 +50,26 @@ spec:
             - {{ . }}
             {{- end }}
             - admission.gatekeeper.sh/ignore=no-self-managing
+            {{- range .Values.postInstall.labelNamespace.podSecurity }}
+            - {{ . }}
+            {{- end }}
             - --overwrite
+          resources:
+            {{- toYaml .Values.postInstall.resources | nindent 12 }}
           securityContext:
+            {{- if .Values.enableRuntimeDefaultSeccompProfile }}
+            seccompProfile:
+              type: RuntimeDefault
+            {{- end }}
             {{- toYaml .Values.postInstall.securityContext | nindent 12 }}
+      {{- with .Values.postInstall }}
+      nodeSelector:
+        {{- toYaml .nodeSelector | nindent 8 }}
+      affinity:
+        {{- toYaml .affinity | nindent 8 }}
+      tolerations:
+        {{- toYaml .tolerations | nindent 8 }}
+      {{- end }}
 ---
 apiVersion: v1
 kind: ServiceAccount

charts/gatekeeper/templates/namespace-post-upgrade.yaml

@@ -17,7 +17,11 @@ spec:
   template:
     metadata:
       labels:
+        {{- include "gatekeeper.podLabels" . }}
         app: '{{ template "gatekeeper.name" . }}'
+        chart: '{{ template "gatekeeper.name" . }}'
+        gatekeeper.sh/system: "yes"
+        heritage: '{{ .Release.Service }}'
         release: '{{ .Release.Name }}'
     spec:
       restartPolicy: OnFailure
@@ -26,8 +30,6 @@ spec:
       {{- .Values.postUpgrade.labelNamespace.image.pullSecrets | toYaml | nindent 12 }}
       {{- end }}
       serviceAccount: gatekeeper-update-namespace-label-post-upgrade
-      nodeSelector:
-        kubernetes.io/os: linux
       containers:
         - name: kubectl-label
           image: "{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}"
@@ -40,9 +42,22 @@ spec:
             - {{ . }}
             {{- end }}
             - admission.gatekeeper.sh/ignore=no-self-managing
+            {{- range .Values.postInstall.labelNamespace.podSecurity }}
+            - {{ . }}
+            {{- end }}
             - --overwrite
+          resources:
+            {{- toYaml .Values.postUpgrade.resources | nindent 12 }}
           securityContext:
             {{- toYaml .Values.postUpgrade.securityContext | nindent 12 }}
+      {{- with .Values.postUpgrade }}
+      affinity:
+        {{- toYaml .affinity | nindent 8 }}
+      tolerations:
+        {{- toYaml .tolerations | nindent 8 }}
+      nodeSelector:
+        {{- toYaml .nodeSelector | nindent 8 }}
+      {{- end }}
 ---
 apiVersion: v1
 kind: ServiceAccount

charts/gatekeeper/templates/probe-webhook-post-install.yaml

@@ -20,19 +20,29 @@ spec:
       annotations:
         {{- toYaml .Values.podAnnotations | trim | nindent 8 }}
       labels:
+        {{- include "gatekeeper.podLabels" . }}
         app: '{{ template "gatekeeper.name" . }}'
+        chart: '{{ template "gatekeeper.name" . }}'
+        gatekeeper.sh/system: "yes"
+        heritage: '{{ .Release.Service }}'
         release: '{{ .Release.Name }}'
     spec:
       restartPolicy: Never
       {{- if .Values.postInstall.probeWebhook.image.pullSecrets }}
       imagePullSecrets:
       {{- .Values.postInstall.probeWebhook.image.pullSecrets | toYaml | nindent 12 }}
       {{- end }}
-      nodeSelector:
-        kubernetes.io/os: linux
       volumes:
       {{- include "gatekeeper.postInstallWebhookProbeVolume" . | nindent 8 }}
       containers:
       {{- include "gatekeeper.postInstallWebhookProbeContainer" . | nindent 8 }}
+      {{- with .Values.postInstall }}
+      affinity:
+        {{- toYaml .affinity | nindent 8 }}
+      tolerations:
+        {{- toYaml .tolerations | nindent 8 }}
+      nodeSelector:
+        {{- toYaml .nodeSelector | nindent 8 }}
+      {{- end }}
 {{- end }}
 {{- end }}

charts/gatekeeper/templates/upgrade-crds-hook.yaml

@@ -77,6 +77,13 @@ spec:
       name: gatekeeper-update-crds-hook
       annotations:
         {{- toYaml .Values.podAnnotations | trim | nindent 8 }}
+      labels:
+        {{- include "gatekeeper.podLabels" . }}
+        app: '{{ template "gatekeeper.name" . }}'
+        chart: '{{ template "gatekeeper.name" . }}'
+        gatekeeper.sh/system: "yes"
+        heritage: '{{ .Release.Service }}'
+        release: '{{ .Release.Name }}'
     spec:
       serviceAccountName: gatekeeper-admin-upgrade-crds
       restartPolicy: Never
@@ -99,11 +106,17 @@ spec:
         resources:
           {{- toYaml .Values.crds.resources | nindent 10 }}
         securityContext:
+          {{- if .Values.enableRuntimeDefaultSeccompProfile }}
+          seccompProfile:
+            type: RuntimeDefault
+          {{- end }}
           {{- toYaml .Values.crds.securityContext | nindent 10 }}
+      {{- with .Values.crds }}
       affinity:
-        {{- toYaml .Values.upgradeCRDs.affinity | nindent 8 }}
-      nodeSelector:
-        kubernetes.io/os: linux
+        {{- toYaml .affinity | nindent 8 }}
       tolerations:
-        {{- toYaml .Values.upgradeCRDs.tolerations | nindent 8 }}
+        {{- toYaml .tolerations | nindent 8 }}
+      nodeSelector:
+        {{- toYaml .nodeSelector | nindent 8 }}
+      {{- end }}
 {{- end }}

charts/gatekeeper/templates/webhook-configs-pre-delete.yaml

@@ -19,7 +19,11 @@ spec:
       annotations:
         {{- toYaml .Values.podAnnotations | trim | nindent 8 }}
       labels:
+        {{- include "gatekeeper.podLabels" . }}
         app: '{{ template "gatekeeper.name" . }}'
+        chart: '{{ template "gatekeeper.name" . }}'
+        gatekeeper.sh/system: "yes"
+        heritage: '{{ .Release.Service }}'
         release: '{{ .Release.Name }}'
     spec:
       restartPolicy: OnFailure
@@ -28,8 +32,6 @@ spec:
       {{- .Values.preUninstall.deleteWebhookConfigurations.image.pullSecrets | toYaml | nindent 12 }}
       {{- end }}
       serviceAccount: gatekeeper-delete-webhook-configs
-      nodeSelector:
-        kubernetes.io/os: linux
       containers:
         - name: kubectl-delete
           image: "{{ .Values.preUninstall.deleteWebhookConfigurations.image.repository }}:{{ .Values.preUninstall.deleteWebhookConfigurations.image.tag }}"
@@ -42,8 +44,22 @@ spec:
             {{- if not .Values.disableMutation }}
             - mutatingwebhookconfiguration/gatekeeper-mutating-webhook-configuration
             {{- end }}
+          resources:
+            {{- toYaml .Values.preUninstall.resources | nindent 10 }}
           securityContext:
+            {{- if .Values.enableRuntimeDefaultSeccompProfile }}
+            seccompProfile:
+              type: RuntimeDefault
+            {{- end }}
             {{- toYaml .Values.preUninstall.securityContext | nindent 10 }}
+      {{- with .Values.preUninstall }}
+      nodeSelector:
+        {{- toYaml .nodeSelector | nindent 8 }}
+      affinity:
+        {{- toYaml .affinity | nindent 8 }}
+      tolerations:
+        {{- toYaml .tolerations | nindent 8 }}
+      {{- end }}
 ---
 apiVersion: v1
 kind: ServiceAccount