From 902ed27eb94f580229c3d1aa0591b6dfd5402dbc Mon Sep 17 00:00:00 2001
From: Josh Anderson
Date: Fri, 20 Sep 2024 13:27:00 +0100
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20Support=20helm=20lookup=20for=20inj?=
 =?UTF-8?q?ector=20namespaces?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 manifests/helm/templates/NOTES.txt | 3 ++-
 manifests/helm/templates/_helpers.tpl | 27 +++++++++++++++++++
 .../helm/templates/agent-injectors.yaml.tpl | 2 +-
 manifests/helm/values.yaml | 9 ++++++-
 4 files changed, 38 insertions(+), 3 deletions(-)
 create mode 100644 manifests/helm/templates/_helpers.tpl
diff --git a/manifests/helm/templates/NOTES.txt b/manifests/helm/templates/NOTES.txt
index 5d1b4fb0..c9af0219 100644
--- a/manifests/helm/templates/NOTES.txt
+++ b/manifests/helm/templates/NOTES.txt
@@ -1,7 +1,8 @@
 {{ .Chart.Name }} chart version {{ .Chart.Version }} deployed!
 {{- if .Values.agentInjectors.enabled }}
-✅ {{ len .Values.agentInjectors.injectors }} {{ len .Values.agentInjectors.injectors | plural "injector" "injectors" }} {{ len .Values.agentInjectors.injectors | plural "has" "have" }} been deployed to {{ len .Values.agentInjectors.namespaces | plural "namespace" "namespaces" }}: {{ join ", " .Values.agentInjectors.namespaces}}
+{{- $namespaces := include "contrast-agent-operator.filterInjectorNamespaces" . | fromJsonArray }}
+✅ {{ len .Values.agentInjectors.injectors }} {{ len .Values.agentInjectors.injectors | plural "injector" "injectors" }} {{ len .Values.agentInjectors.injectors | plural "has" "have" }} been deployed to {{ len $namespaces | plural "namespace" "namespaces" }}: {{ join ", " $namespaces}}
 To use with your workloads:
 {{- range $injector := $.Values.agentInjectors.injectors }}
diff --git a/manifests/helm/templates/_helpers.tpl b/manifests/helm/templates/_helpers.tpl
new file mode 100644
index 00000000..fb9d27a2
--- /dev/null
+++ b/manifests/helm/templates/_helpers.tpl
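Review bot: The added `$namespaces` line makes NOTES report whatever the helper returns, and under `helm template` or `--dry-run` (where `lookup` yields no items) the helper returns the single placeholder `dry-run-namespace-not-representative-of-reality`, so the notes claim injectors were deployed to one namespace of that name; the same placeholder feeds the `range` in the agent-injectors.yaml.tpl hunk, where it becomes a rendered AgentInjector manifest that a pipeline piping template output into `kubectl apply` would try to create. Consider having the helper `fail` with a clear message when `deployToAllAccessibleNamespaces` is set but no namespaces could be looked up, or at minimum guard this summary line with `{{- if not (has "dry-run-namespace-not-representative-of-reality" $namespaces) }}` so the notes do not present the placeholder as a deployment. The `if .Values.agentInjectors.enabled` block continues past the hunk.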
@@ -0,0 +1,27 @@
+{{/*
+Determine namespaces applicable for deploying the agent injectors
+*/}}
+{{- define "contrast-agent-operator.filterInjectorNamespaces" -}}
+{{- $namespaceNames := list }}
+{{- if .Values.agentInjectors.lookupNamespaces.deployToAllAccessibleNamespaces }}
+ {{- $namespaces := lookup "v1" "Namespace" "" "" }}
+ {{- if $namespaces.items }}
+ {{- range $ns := $namespaces.items}}
+ {{- $include := true }}
+ {{- range $index, $exclude := default (list "gatekeeper*" "kube*") $.Values.agentInjectors.lookupNamespaces.excludePatterns }}
+ {{- if regexMatch $exclude $ns.metadata.name }}
+ {{- $include = false}}
+ {{- end }}
+ {{- end }}
+ {{- if $include }}
+ {{- $namespaceNames = append $namespaceNames $ns.metadata.name }}
+ {{- end }}
+ {{- end }}
+ {{- else }}
+ {{- $namespaceNames = list "dry-run-namespace-not-representative-of-reality" }}
+ {{- end }}
+{{- else }}
+ {{- $namespaceNames = default (list .Release.Namespace) .Values.agentInjectors.namespaces -}}
+{{- end }}
+{{ toJson $namespaceNames }}
+{{- end }}
\ No newline at end of file
diff --git a/manifests/helm/templates/agent-injectors.yaml.tpl b/manifests/helm/templates/agent-injectors.yaml.tpl
index 6fe57a95..d72b1330 100644
--- a/manifests/helm/templates/agent-injectors.yaml.tpl
+++ b/manifests/helm/templates/agent-injectors.yaml.tpl
@@ -1,5 +1,5 @@
 {{ if .Values.agentInjectors.enabled }}
-{{- range $namespace := .Values.agentInjectors.namespaces }}
+{{- range $namespace := include "contrast-agent-operator.filterInjectorNamespaces" . | fromJsonArray }}
 {{- range $injector := $.Values.agentInjectors.injectors }}
 ---
 apiVersion: agents.contrastsecurity.com/v1beta1
diff --git a/manifests/helm/values.yaml b/manifests/helm/values.yaml
index 3285b647..e6abde0b 100644
--- a/manifests/helm/values.yaml
+++ b/manifests/helm/values.yaml
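Review bot: `regexMatch $exclude $ns.metadata.name` evaluates each exclusion as an unanchored RE2 regex, while the entries are written glob-style (`gatekeeper*`, `kube*`); as regexes those match any name containing `gatekeepe` or `kub`, and a glob such as `*-system` does not compile, which Sprig's `regexMatch` hides by returning false, so a malformed exclusion silently stops excluding and injectors are rendered into namespaces the operator meant to skip. Use the erroring variant so a bad pattern fails the render instead of failing open, `{{- if mustRegexMatch $exclude $ns.metadata.name }}`, and either anchor the defaults (e.g. `^gatekeeper-`, `^kube-`) or document that entries are regexes. The inline `default (list "gatekeeper*" "kube*")` also duplicates the defaults already declared in values.yaml, and because `default` treats an empty list as unset, `excludePatterns: []` cannot switch the exclusions off; ranging over `$.Values.agentInjectors.lookupNamespaces.excludePatterns` directly fixes both. The `else` branch that falls back to `.Release.Namespace` quietly widens the non-lookup path as well, which the values.yaml comment still describes as a required list.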
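Review bot: The list this `range` now iterates is a snapshot taken by `lookup` at render time, so with `deployToAllAccessibleNamespaces` enabled a namespace created after install gets no AgentInjector until the next `helm upgrade`, and one deleted later is only dropped from the release then; nothing in the chart records this. The loop also targets every namespace the Helm identity can list except the two default exclusions, including the release namespace itself and any third-party system namespaces, which is presumably a larger blast radius than operators expect from a mutating injector. A short comment above the line would make both visible, e.g. `{{/* Namespace set is resolved once per render (lookup); new namespaces need a helm upgrade. See lookupNamespaces in values.yaml. */}}`. Both `range` blocks and the enclosing `if` close outside the hunk.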
@@ -75,7 +75,14 @@ clusterDefaults:
 agentInjectors:
 enabled: true
- # Required. All injectors will be created in each specified namespace.
+ lookupNamespaces:
+ # If enabled, Helm will lookup namespaces and deploy AgentInjectors to any accessible namespaces.
+ deployToAllAccessibleNamespaces: false
+ # List of namespace patterns to exclude deploying AgentInjectors to only when looking up namespaces.
+ excludePatterns:
+ - gatekeeper*
+ - kube*
+ # Required if lookupNamespaces.deployToAllAccessibleNamespaces is not enabled. All injectors will be created in each specified namespace.
 namespaces:
 - default
 injectors:
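Review bot: The `excludePatterns` comment calls the entries "namespace patterns" and the defaults `gatekeeper*` / `kube*` read as globs, but the helper in _helpers.tpl evaluates them with `regexMatch`, so they are unanchored RE2 regular expressions; say so, e.g. `# RE2 regular expressions (unanchored). A namespace whose name matches any entry is skipped when looking up namespaces.`, and consider writing the defaults as `'^gatekeeper-'` and `'^kube-'` (quoted, since a pattern starting with `*` would otherwise be read as a YAML alias). The `deployToAllAccessibleNamespaces` comment should also state that the lookup runs with the credentials of whoever runs Helm and needs permission to list Namespaces, that the set is resolved once per render so namespaces created later are only picked up on upgrade, and that it yields nothing under `helm template`, `--dry-run` or GitOps tooling that renders without cluster access. The `# Required if ...` comment on `namespaces` no longer matches the helper, which falls back to the release namespace when the list is empty; either drop "Required" and document the fallback, or remove the fallback from the helper.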