update chart version to 0.1.2

kubesphere-extensions · Mar 31, 2024 · 258b15f · 258b15f
1 parent 4972407
commit 258b15f
Show file tree

Hide file tree

Showing 7 changed files with 153 additions and 72 deletions.
diff --git a/charts/gatekeeper/charts/agent/templates/_images.tpl b/charts/gatekeeper/charts/agent/templates/_images.tpl
@@ -0,0 +1,52 @@
+{{/*
+Return the proper image name
+*/}}
+
+{{- define "apiserver.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.apiserver.image "global" .Values.global) }}
+{{- end -}}
+
+{{- define "kubectl.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.kubectl.image "global" .Values.global) }}
+{{- end -}}
+
+{{- define "common.images.image" -}}
+{{- $registryName := .global.imageRegistry -}}
+{{- $repositoryName := .imageRoot.repository -}}
+{{- $separator := ":" -}}
+{{- $termination := .global.tag | toString -}}
+{{- if .imageRoot.registry }}
+    {{- $registryName = .imageRoot.registry -}}
+{{- end -}}
+{{- if .imageRoot.tag }}
+    {{- $termination = .imageRoot.tag | toString -}}
+{{- end -}}
+{{- if .imageRoot.digest }}
+    {{- $separator = "@" -}}
+    {{- $termination = .imageRoot.digest | toString -}}
+{{- end -}}
+{{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}}
+{{- end -}}
+
+{{- define "common.images.pullSecrets" -}}
+  {{- $pullSecrets := list }}
+
+  {{- if .global }}
+    {{- range .global.imagePullSecrets -}}
+      {{- $pullSecrets = append $pullSecrets . -}}
+    {{- end -}}
+  {{- end -}}
+
+  {{- range .images -}}
+    {{- range .pullSecrets -}}
+      {{- $pullSecrets = append $pullSecrets . -}}
+    {{- end -}}
+  {{- end -}}
+
+  {{- if (not (empty $pullSecrets)) }}
+imagePullSecrets:
+    {{- range $pullSecrets }}
+  - name: {{ . }}
+    {{- end }}
+  {{- end }}
+{{- end -}}
diff --git a/charts/gatekeeper/charts/agent/templates/deployment.yaml b/charts/gatekeeper/charts/agent/templates/deployment.yaml
@@ -26,7 +26,7 @@ spec:
         - name: {{ .Chart.Name }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          image: {{ template "apiserver.image" . }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}

diff --git a/charts/gatekeeper/charts/agent/templates/post-patch-crd.yaml b/charts/gatekeeper/charts/agent/templates/post-patch-crd.yaml
@@ -0,0 +1,22 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "{{ .Release.Name }}-post-patch-crd"
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+spec:
+  template:
+    spec:
+      restartPolicy: Never
+      serviceAccountName: helm-executor.gatekeeper
+      containers:
+        - name: post-patch-crds
+          image:  {{ template "kubectl.image" . }}
+          command:
+            - /bin/bash
+            - -c
+            - |
+              kubectl label crd constrainttemplates.templates.gatekeeper.sh kubesphere.io/resource-served=true --overwrite
+          resources: {{- toYaml .Values.resources | nindent 12 }}
diff --git a/charts/gatekeeper/charts/agent/templates/serviceaccount.yaml b/charts/gatekeeper/charts/agent/templates/serviceaccount.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: helm-executor.gatekeeper
diff --git a/charts/gatekeeper/charts/agent/values.yaml b/charts/gatekeeper/charts/agent/values.yaml
@@ -1,36 +1,47 @@
+global:
+  imageRegistry: docker.io
+  imagePullSecrets: []
+
 replicaCount: 1
 
-image:
-  repository:  docker.io/kubesphere/gatekeeper-extension-apiserver
-  tag: "v0.1.0"
-  pullPolicy: IfNotPresent
-  # Overrides the image tag whose default is the chart appVersion.
+apiserver:
+  image:
+    repository: kubesphere/gatekeeper-extension-apiserver
+    tag: "v0.1.0"
+    pullPolicy: IfNotPresent
+    # Overrides the image tag whose default is the chart appVersion.
+
+kubectl:
+  image:
+    repository: kubesphere/kubectl
+    tag: "v1.27.12"
+    pullPolicy: IfNotPresent
 
 imagePullSecrets: []
 podAnnotations: {}
 
 podSecurityContext: {}
-  # fsGroup: 2000
+# fsGroup: 2000
 
 securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
+# capabilities:
+#   drop:
+#   - ALL
+# readOnlyRootFilesystem: true
+# runAsNonRoot: true
+# runAsUser: 1000
 
 resources: {}
-  # We usually recommend not to specify default resources and to leave this as a conscious
-  # choice for the user. This also increases chances charts run on environments with little
-  # resources, such as Minikube. If you do want to specify resources, uncomment the following
-  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-  # limits:
-  #   cpu: 100m
-  #   memory: 128Mi
-  # requests:
-  #   cpu: 100m
-  #   memory: 128Mi
+# We usually recommend not to specify default resources and to leave this as a conscious
+# choice for the user. This also increases chances charts run on environments with little
+# resources, such as Minikube. If you do want to specify resources, uncomment the following
+# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+# limits:
+#   cpu: 100m
+#   memory: 128Mi
+# requests:
+#   cpu: 100m
+#   memory: 128Mi
 
 nodeSelector: {}
 

diff --git a/charts/gatekeeper/extension.yaml b/charts/gatekeeper/extension.yaml
@@ -1,6 +1,6 @@
 apiVersion: kubesphere.io/v1alpha1
 name: gatekeeper
-version: 0.1.1
+version: 0.1.2
 displayName:
   en: Gatekeeper
   zh: Gatekeeper
@@ -42,4 +42,7 @@ dependencies:
 # installationMode describes how to install subcharts, it can be HostOnly or Multicluster.
 # In Multicluster mode, the subchart with tag `extension` will only be deployed to the host cluster,
 # and the subchart with tag `agent` will be deployed to all selected clusters.
-installationMode: Multicluster
+installationMode: Multicluster
+images:
+- registry.cn-beijing.aliyuncs.com/kse/gatekeeper-extension-apiserver:v0.1.0"
+- registry.cn-beijing.aliyuncs.com/kubesphereio/kubectl:v1.27.12"
diff --git a/charts/gatekeeper/values.yaml b/charts/gatekeeper/values.yaml
@@ -62,26 +62,18 @@ gatekeeper:
         pullPolicy: IfNotPresent
         pullSecrets: []
       extraNamespaces: []
-      podSecurity:
-        [
-          "pod-security.kubernetes.io/audit=restricted",
-          "pod-security.kubernetes.io/audit-version=latest",
-          "pod-security.kubernetes.io/warn=restricted",
-          "pod-security.kubernetes.io/warn-version=latest",
-          "pod-security.kubernetes.io/enforce=privileged",
-          "pod-security.kubernetes.io/enforce-version=v1.24",
-        ]
+      podSecurity: ["pod-security.kubernetes.io/audit=restricted", "pod-security.kubernetes.io/audit-version=latest", "pod-security.kubernetes.io/warn=restricted", "pod-security.kubernetes.io/warn-version=latest", "pod-security.kubernetes.io/enforce=privileged", "pod-security.kubernetes.io/enforce-version=v1.24"]
       extraAnnotations: {}
       priorityClassName: ""
     affinity: {}
     tolerations: []
-    nodeSelector: { kubernetes.io/os: linux }
+    nodeSelector: {kubernetes.io/os: linux}
     resources: {}
     securityContext:
       allowPrivilegeEscalation: false
       capabilities:
         drop:
-          - ALL
+        - ALL
       readOnlyRootFilesystem: true
       runAsGroup: 999
       runAsNonRoot: true
@@ -96,15 +88,7 @@ gatekeeper:
         pullPolicy: IfNotPresent
         pullSecrets: []
       extraNamespaces: []
-      podSecurity:
-        [
-          "pod-security.kubernetes.io/audit=restricted",
-          "pod-security.kubernetes.io/audit-version=latest",
-          "pod-security.kubernetes.io/warn=restricted",
-          "pod-security.kubernetes.io/warn-version=latest",
-          "pod-security.kubernetes.io/enforce=privileged",
-          "pod-security.kubernetes.io/enforce-version=v1.24",
-        ]
+      podSecurity: ["pod-security.kubernetes.io/audit=restricted", "pod-security.kubernetes.io/audit-version=latest", "pod-security.kubernetes.io/warn=restricted", "pod-security.kubernetes.io/warn-version=latest", "pod-security.kubernetes.io/enforce=privileged", "pod-security.kubernetes.io/enforce-version=v1.24"]
       extraAnnotations: {}
       priorityClassName: ""
     probeWebhook:
@@ -120,12 +104,12 @@ gatekeeper:
       priorityClassName: ""
     affinity: {}
     tolerations: []
-    nodeSelector: { kubernetes.io/os: linux }
+    nodeSelector: {kubernetes.io/os: linux}
     securityContext:
       allowPrivilegeEscalation: false
       capabilities:
         drop:
-          - ALL
+        - ALL
       readOnlyRootFilesystem: true
       runAsGroup: 999
       runAsNonRoot: true
@@ -142,13 +126,13 @@ gatekeeper:
       priorityClassName: ""
     affinity: {}
     tolerations: []
-    nodeSelector: { kubernetes.io/os: linux }
+    nodeSelector: {kubernetes.io/os: linux}
     resources: {}
     securityContext:
       allowPrivilegeEscalation: false
       capabilities:
         drop:
-          - ALL
+        - ALL
       readOnlyRootFilesystem: true
       runAsGroup: 999
       runAsNonRoot: true
@@ -177,18 +161,18 @@ gatekeeper:
     affinity:
       podAntiAffinity:
         preferredDuringSchedulingIgnoredDuringExecution:
-          - podAffinityTerm:
-              labelSelector:
-                matchExpressions:
-                  - key: gatekeeper.sh/operation
-                    operator: In
-                    values:
-                      - webhook
-              topologyKey: kubernetes.io/hostname
-            weight: 100
+        - podAffinityTerm:
+            labelSelector:
+              matchExpressions:
+              - key: gatekeeper.sh/operation
+                operator: In
+                values:
+                - webhook
+            topologyKey: kubernetes.io/hostname
+          weight: 100
     topologySpreadConstraints: []
     tolerations: []
-    nodeSelector: { kubernetes.io/os: linux }
+    nodeSelector: {kubernetes.io/os: linux}
     resources:
       limits:
         memory: 512Mi
@@ -199,23 +183,22 @@ gatekeeper:
       allowPrivilegeEscalation: false
       capabilities:
         drop:
-          - ALL
+        - ALL
       readOnlyRootFilesystem: true
       runAsGroup: 999
       runAsNonRoot: true
       runAsUser: 1000
     podSecurityContext:
       fsGroup: 999
       supplementalGroups:
-        - 999
+      - 999
     extraRules: []
     networkPolicy:
       enabled: false
-      ingress:
-        {}
-        # - from:
-        #   - ipBlock:
-        #       cidr: 0.0.0.0/0
+      ingress: {}
+      # - from:
+      #   - ipBlock:
+      #       cidr: 0.0.0.0/0
   audit:
     enablePubsub: false
     hostNetwork: false
@@ -228,7 +211,7 @@ gatekeeper:
     disableCertRotation: false
     affinity: {}
     tolerations: []
-    nodeSelector: { kubernetes.io/os: linux }
+    nodeSelector: {kubernetes.io/os: linux}
     resources:
       limits:
         memory: 512Mi
@@ -239,27 +222,27 @@ gatekeeper:
       allowPrivilegeEscalation: false
       capabilities:
         drop:
-          - ALL
+        - ALL
       readOnlyRootFilesystem: true
       runAsGroup: 999
       runAsNonRoot: true
       runAsUser: 1000
     podSecurityContext:
       fsGroup: 999
       supplementalGroups:
-        - 999
+      - 999
     writeToRAMDisk: false
     extraRules: []
   crds:
     affinity: {}
     tolerations: []
-    nodeSelector: { kubernetes.io/os: linux }
+    nodeSelector: {kubernetes.io/os: linux}
     resources: {}
     securityContext:
       allowPrivilegeEscalation: false
       capabilities:
         drop:
-          - ALL
+        - ALL
       readOnlyRootFilesystem: true
       runAsGroup: 65532
       runAsNonRoot: true
@@ -284,6 +267,12 @@ gatekeeper:
 agent:
   replicaCount: 1
   image:
-    repository: docker.io/kubesphere/gatekeeper-extension-apiserver
+    repository: kubesphere/gatekeeper-extension-apiserver
     tag: "v0.1.0"
     pullPolicy: IfNotPresent
+  kubectl:
+    image:
+      repository: kubesphere/kubectl
+      tag: "v1.27.12"
+      pullPolicy: IfNotPresent
+