From 258b15f82b5310303fe3b2ee11cdb9648935f25e Mon Sep 17 00:00:00 2001
From: hongming
Date: Mon, 1 Apr 2024 00:04:17 +0800
Subject: [PATCH] update chart version to 0.1.2

---
 .../charts/agent/templates/_images.tpl | 52 ++++++++++++
 .../charts/agent/templates/deployment.yaml | 2 +-
 .../agent/templates/post-patch-crd.yaml | 22 +++++
 .../agent/templates/serviceaccount.yaml | 4 +
 charts/gatekeeper/charts/agent/values.yaml | 55 +++++++-----
 charts/gatekeeper/extension.yaml | 7 +-
 charts/gatekeeper/values.yaml | 83 ++++++++-----------
 7 files changed, 153 insertions(+), 72 deletions(-)
 create mode 100644 charts/gatekeeper/charts/agent/templates/_images.tpl
 create mode 100644 charts/gatekeeper/charts/agent/templates/post-patch-crd.yaml
 create mode 100644 charts/gatekeeper/charts/agent/templates/serviceaccount.yaml

diff --git a/charts/gatekeeper/charts/agent/templates/_images.tpl b/charts/gatekeeper/charts/agent/templates/_images.tpl
new file mode 100644
index 0000000..817f494
--- /dev/null
+++ b/charts/gatekeeper/charts/agent/templates/_images.tpl
@@ -0,0 +1,52 @@
+{{/*
+Return the proper image name
+*/}}
+
+{{- define "apiserver.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.apiserver.image "global" .Values.global) }}
+{{- end -}}
+
+{{- define "kubectl.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.kubectl.image "global" .Values.global) }}
+{{- end -}}
+
+{{- define "common.images.image" -}}
+{{- $registryName := .global.imageRegistry -}}
+{{- $repositoryName := .imageRoot.repository -}}
+{{- $separator := ":" -}}
+{{- $termination := .global.tag | toString -}}
+{{- if .imageRoot.registry }}
+ {{- $registryName = .imageRoot.registry -}}
+{{- end -}}
+{{- if .imageRoot.tag }}
+ {{- $termination = .imageRoot.tag | toString -}}
+{{- end -}}
+{{- if .imageRoot.digest }}
+ {{- $separator = "@" -}}
+ {{- $termination = .imageRoot.digest | toString -}}
+{{- end -}}
+{{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}}
+{{- end -}}
+
+{{- define "common.images.pullSecrets" -}}
+ {{- $pullSecrets := list }}
+
+ {{- if .global }}
+ {{- range .global.imagePullSecrets -}}
+ {{- $pullSecrets = append $pullSecrets . -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- range .images -}}
+ {{- range .pullSecrets -}}
+ {{- $pullSecrets = append $pullSecrets . -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if (not (empty $pullSecrets)) }}
+imagePullSecrets:
+ {{- range $pullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
diff --git a/charts/gatekeeper/charts/agent/templates/deployment.yaml b/charts/gatekeeper/charts/agent/templates/deployment.yaml
index 1dbda4c..d698f01 100644
--- a/charts/gatekeeper/charts/agent/templates/deployment.yaml
+++ b/charts/gatekeeper/charts/agent/templates/deployment.yaml
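Review bot: `common.images.image` seeds `$termination` from `.global.tag`, but the `global` block this patch adds to the agent values.yaml defines only `imageRegistry` and `imagePullSecrets`, so an image whose `tag` is left empty is rendered with a `<nil>` tag instead of falling back to `.Chart.AppVersion` the way the replaced deployment.yaml line did (and the values comment still promises). Passing the chart into the dict, `(dict "imageRoot" .Values.apiserver.image "global" .Values.global "chart" .Chart)`, and seeding with `{{- $termination := .imageRoot.tag | default .chart.AppVersion | toString -}}` restores that fallback; the `kubectl.image` wrapper needs the same extra key. The helper also dereferences `.global.imageRegistry` unguarded while `common.images.pullSecrets` checks `if .global` first, and with an empty registry the printf emits a reference that starts with `/`. `common.images.pullSecrets` is not referenced by the deployment.yaml hunk in this patch; if nothing else consumes it, `global.imagePullSecrets` is dead configuration and should either be wired into the pod spec or dropped.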
@@ -26,7 +26,7 @@ spec:
 - name: {{ .Chart.Name }}
 securityContext:
 {{- toYaml .Values.securityContext | nindent 12 }}
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ image: {{ template "apiserver.image" . }}
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
diff --git a/charts/gatekeeper/charts/agent/templates/post-patch-crd.yaml b/charts/gatekeeper/charts/agent/templates/post-patch-crd.yaml
new file mode 100644
index 0000000..bd5438d
--- /dev/null
+++ b/charts/gatekeeper/charts/agent/templates/post-patch-crd.yaml
@@ -0,0 +1,22 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: "{{ .Release.Name }}-post-patch-crd"
+ annotations:
+ "helm.sh/hook": post-install,post-upgrade
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+spec:
+ template:
+ spec:
+ restartPolicy: Never
+ serviceAccountName: helm-executor.gatekeeper
+ containers:
+ - name: post-patch-crds
+ image: {{ template "kubectl.image" . }}
+ command:
+ - /bin/bash
+ - -c
+ - |
+ kubectl label crd constrainttemplates.templates.gatekeeper.sh kubesphere.io/resource-served=true --overwrite
+ resources: {{- toYaml .Values.resources | nindent 12 }}
\ No newline at end of file
diff --git a/charts/gatekeeper/charts/agent/templates/serviceaccount.yaml b/charts/gatekeeper/charts/agent/templates/serviceaccount.yaml
new file mode 100644
index 0000000..e7a2acd
--- /dev/null
+++ b/charts/gatekeeper/charts/agent/templates/serviceaccount.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: helm-executor.gatekeeper
\ No newline at end of file
diff --git a/charts/gatekeeper/charts/agent/values.yaml b/charts/gatekeeper/charts/agent/values.yaml
index f60e47e..a357996 100644
--- a/charts/gatekeeper/charts/agent/values.yaml
+++ b/charts/gatekeeper/charts/agent/values.yaml
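Review bot: `imagePullPolicy: {{ .Values.image.pullPolicy }}` directly below the new `image:` line still reads the top-level `image` key that the agent values.yaml hunk in this patch removes, so a standalone install of the subchart renders an empty `imagePullPolicy` and the new `apiserver.image.pullPolicy` value is never consulted; change it to `imagePullPolicy: {{ .Values.apiserver.image.pullPolicy }}`. It only appears to keep working through the parent chart because charts/gatekeeper/values.yaml still carries `agent.image.pullPolicy`. The container spec continues outside the hunk.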
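Review bot: The hook Job runs `kubectl label crd … --overwrite` as `serviceAccountName: helm-executor.gatekeeper`, but the patch only creates that ServiceAccount (serviceaccount.yaml hunk) and adds no Role/ClusterRole or binding, and labelling a cluster-scoped CRD needs `get` and `patch` on `customresourcedefinitions.apiextensions.k8s.io`; unless a binding already exists outside this patch, the hook fails on every install and upgrade. If the binding is added here, scope it with `resourceNames: [constrainttemplates.templates.gatekeeper.sh]` rather than granting CRD patch cluster-wide. The `"helm.sh/hook-delete-policy"` value includes `hook-failed`, which deletes the failed Job together with its pod logs, so such an RBAC failure would leave nothing to diagnose; consider dropping `hook-failed` or at least setting `backoffLimit` and `activeDeadlineSeconds` on the Job so it does not retry indefinitely. The container also carries no `securityContext`, unlike the deployment which applies `.Values.securityContext`; adding `securityContext: {{- toYaml .Values.securityContext | nindent 12 }}` keeps the two pods consistent.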
@@ -1,36 +1,47 @@
+global:
+ imageRegistry: docker.io
+ imagePullSecrets: []
+
 replicaCount: 1
-image:
- repository: docker.io/kubesphere/gatekeeper-extension-apiserver
- tag: "v0.1.0"
- pullPolicy: IfNotPresent
- # Overrides the image tag whose default is the chart appVersion.
+apiserver:
+ image:
+ repository: kubesphere/gatekeeper-extension-apiserver
+ tag: "v0.1.0"
+ pullPolicy: IfNotPresent
+ # Overrides the image tag whose default is the chart appVersion.
+
+kubectl:
+ image:
+ repository: kubesphere/kubectl
+ tag: "v1.27.12"
+ pullPolicy: IfNotPresent
 imagePullSecrets: []
 podAnnotations: {}
 podSecurityContext: {}
- # fsGroup: 2000
+# fsGroup: 2000
 securityContext: {}
- # capabilities:
- # drop:
- # - ALL
- # readOnlyRootFilesystem: true
- # runAsNonRoot: true
- # runAsUser: 1000
+# capabilities:
+# drop:
+# - ALL
+# readOnlyRootFilesystem: true
+# runAsNonRoot: true
+# runAsUser: 1000
 resources: {}
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user. This also increases chances charts run on environments with little
- # resources, such as Minikube. If you do want to specify resources, uncomment the following
- # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- # limits:
- # cpu: 100m
- # memory: 128Mi
- # requests:
- # cpu: 100m
- # memory: 128Mi
+# We usually recommend not to specify default resources and to leave this as a conscious
+# choice for the user. This also increases chances charts run on environments with little
+# resources, such as Minikube. If you do want to specify resources, uncomment the following
+# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+# limits:
+# cpu: 100m
+# memory: 128Mi
+# requests:
+# cpu: 100m
+# memory: 128Mi
 nodeSelector: {}
diff --git a/charts/gatekeeper/extension.yaml b/charts/gatekeeper/extension.yaml
index 6642252..392e869 100644
--- a/charts/gatekeeper/extension.yaml
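Review bot: The commented-out examples under `podSecurityContext`, `securityContext` and `resources` are moved to column 0 on the new side, so following the retained instruction "uncomment the following lines … and remove the curly braces after 'resources:'" now produces top-level `limits:`/`requests:` (and `capabilities:`/`fsGroup:`) keys instead of children of those mappings; keep them indented under their key, e.g. `  # limits:` / `  #   cpu: 100m`. The comment `# Overrides the image tag whose default is the chart appVersion.` is also stale: after this patch the tag is produced by the `_images.tpl` helper, which no longer falls back to `.Chart.AppVersion`, and the comment now sits below `pullPolicy` rather than above `tag`. Finally, a top-level `imagePullSecrets: []` and the new `global.imagePullSecrets: []` now coexist; which of the two the deployment consumes is not visible in this patch, so the unused one should be documented as such or removed.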
+++ b/charts/gatekeeper/extension.yaml
@@ -1,6 +1,6 @@
 apiVersion: kubesphere.io/v1alpha1
 name: gatekeeper
-version: 0.1.1
+version: 0.1.2
 displayName:
 en: Gatekeeper
 zh: Gatekeeper
@@ -42,4 +42,7 @@ dependencies:
 # installationMode describes how to install subcharts, it can be HostOnly or Multicluster.
 # In Multicluster mode, the subchart with tag `extension` will only be deployed to the host cluster,
 # and the subchart with tag `agent` will be deployed to all selected clusters.
-installationMode: Multicluster
\ No newline at end of file
+installationMode: Multicluster
+images:
+- registry.cn-beijing.aliyuncs.com/kse/gatekeeper-extension-apiserver:v0.1.0"
+- registry.cn-beijing.aliyuncs.com/kubesphereio/kubectl:v1.27.12"
\ No newline at end of file
diff --git a/charts/gatekeeper/values.yaml b/charts/gatekeeper/values.yaml
index bbb2a0f..7511d2a 100644
--- a/charts/gatekeeper/values.yaml
+++ b/charts/gatekeeper/values.yaml
@@ -62,26 +62,18 @@ gatekeeper:
 pullPolicy: IfNotPresent
 pullSecrets: []
 extraNamespaces: []
- podSecurity:
- [
- "pod-security.kubernetes.io/audit=restricted",
- "pod-security.kubernetes.io/audit-version=latest",
- "pod-security.kubernetes.io/warn=restricted",
- "pod-security.kubernetes.io/warn-version=latest",
- "pod-security.kubernetes.io/enforce=privileged",
- "pod-security.kubernetes.io/enforce-version=v1.24",
- ]
+ podSecurity: ["pod-security.kubernetes.io/audit=restricted", "pod-security.kubernetes.io/audit-version=latest", "pod-security.kubernetes.io/warn=restricted", "pod-security.kubernetes.io/warn-version=latest", "pod-security.kubernetes.io/enforce=privileged", "pod-security.kubernetes.io/enforce-version=v1.24"]
 extraAnnotations: {}
 priorityClassName: ""
 affinity: {}
 tolerations: []
- nodeSelector: { kubernetes.io/os: linux }
+ nodeSelector: {kubernetes.io/os: linux}
 resources: {}
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
- - ALL
+ - ALL
 readOnlyRootFilesystem: true
 runAsGroup: 999
 runAsNonRoot: true
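Review bot: Both entries added under `images:` end with a stray `"`: `registry.cn-beijing.aliyuncs.com/kse/gatekeeper-extension-apiserver:v0.1.0"` is a plain scalar, so the quote becomes part of the string and the value is not a valid image reference. Drop the quotes, `- registry.cn-beijing.aliyuncs.com/kse/gatekeeper-extension-apiserver:v0.1.0` and `- registry.cn-beijing.aliyuncs.com/kubesphereio/kubectl:v1.27.12`, or quote the whole value. These references also disagree with what the chart renders by default from the agent values.yaml hunk (`docker.io/kubesphere/gatekeeper-extension-apiserver:v0.1.0` and `docker.io/kubesphere/kubectl:v1.27.12`, note `kubesphereio` vs `kubesphere`); if `images` is meant to enumerate the images the extension pulls, one side should be corrected. The file also still ends without a trailing newline.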
@@ -96,15 +88,7 @@ gatekeeper:
 pullPolicy: IfNotPresent
 pullSecrets: []
 extraNamespaces: []
- podSecurity:
- [
- "pod-security.kubernetes.io/audit=restricted",
- "pod-security.kubernetes.io/audit-version=latest",
- "pod-security.kubernetes.io/warn=restricted",
- "pod-security.kubernetes.io/warn-version=latest",
- "pod-security.kubernetes.io/enforce=privileged",
- "pod-security.kubernetes.io/enforce-version=v1.24",
- ]
+ podSecurity: ["pod-security.kubernetes.io/audit=restricted", "pod-security.kubernetes.io/audit-version=latest", "pod-security.kubernetes.io/warn=restricted", "pod-security.kubernetes.io/warn-version=latest", "pod-security.kubernetes.io/enforce=privileged", "pod-security.kubernetes.io/enforce-version=v1.24"]
 extraAnnotations: {}
 priorityClassName: ""
 probeWebhook:
@@ -120,12 +104,12 @@ gatekeeper:
 priorityClassName: ""
 affinity: {}
 tolerations: []
- nodeSelector: { kubernetes.io/os: linux }
+ nodeSelector: {kubernetes.io/os: linux}
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
- - ALL
+ - ALL
 readOnlyRootFilesystem: true
 runAsGroup: 999
 runAsNonRoot: true
@@ -142,13 +126,13 @@ gatekeeper:
 priorityClassName: ""
 affinity: {}
 tolerations: []
- nodeSelector: { kubernetes.io/os: linux }
+ nodeSelector: {kubernetes.io/os: linux}
 resources: {}
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
- - ALL
+ - ALL
 readOnlyRootFilesystem: true
 runAsGroup: 999
 runAsNonRoot: true
@@ -177,18 +161,18 @@ gatekeeper:
 affinity:
 podAntiAffinity:
 preferredDuringSchedulingIgnoredDuringExecution:
- - podAffinityTerm:
- labelSelector:
- matchExpressions:
- - key: gatekeeper.sh/operation
- operator: In
- values:
- - webhook
- topologyKey: kubernetes.io/hostname
- weight: 100
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: gatekeeper.sh/operation
+ operator: In
+ values:
+ - webhook
+ topologyKey: kubernetes.io/hostname
+ weight: 100
 topologySpreadConstraints: []
 tolerations: []
- nodeSelector: { kubernetes.io/os: linux }
+ nodeSelector: {kubernetes.io/os: linux}
 resources:
 limits:
 memory: 512Mi
@@ -199,7 +183,7 @@ gatekeeper:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
- - ALL
+ - ALL
 readOnlyRootFilesystem: true
 runAsGroup: 999
 runAsNonRoot: true
@@ -207,15 +191,14 @@ gatekeeper:
 podSecurityContext:
 fsGroup: 999
 supplementalGroups:
- - 999
+ - 999
 extraRules: []
 networkPolicy:
 enabled: false
- ingress:
- {}
- # - from:
- # - ipBlock:
- # cidr: 0.0.0.0/0
+ ingress: {}
+ # - from:
+ # - ipBlock:
+ # cidr: 0.0.0.0/0
 audit:
 enablePubsub: false
 hostNetwork: false
@@ -228,7 +211,7 @@ gatekeeper:
 disableCertRotation: false
 affinity: {}
 tolerations: []
- nodeSelector: { kubernetes.io/os: linux }
+ nodeSelector: {kubernetes.io/os: linux}
 resources:
 limits:
 memory: 512Mi
@@ -239,7 +222,7 @@ gatekeeper:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
- - ALL
+ - ALL
 readOnlyRootFilesystem: true
 runAsGroup: 999
 runAsNonRoot: true
@@ -247,19 +230,19 @@ gatekeeper:
 podSecurityContext:
 fsGroup: 999
 supplementalGroups:
- - 999
+ - 999
 writeToRAMDisk: false
 extraRules: []
 crds:
 affinity: {}
 tolerations: []
- nodeSelector: { kubernetes.io/os: linux }
+ nodeSelector: {kubernetes.io/os: linux}
 resources: {}
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
- - ALL
+ - ALL
 readOnlyRootFilesystem: true
 runAsGroup: 65532
 runAsNonRoot: true
@@ -284,6 +267,12 @@ gatekeeper:
 agent:
 replicaCount: 1
 image:
- repository: docker.io/kubesphere/gatekeeper-extension-apiserver
+ repository: kubesphere/gatekeeper-extension-apiserver
 tag: "v0.1.0"
 pullPolicy: IfNotPresent
+ kubectl:
+ image:
+ repository: kubesphere/kubectl
+ tag: "v1.27.12"
+ pullPolicy: IfNotPresent
+
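Review bot: The `agent.image.repository` and `agent.image.tag` values kept here no longer reach the rendered Deployment: the subchart's deployment.yaml now builds the image through the `apiserver.image` helper, which reads `.Values.apiserver.image`, so this parent-level override is silently ignored and the subchart default applies. Either rename the block to `apiserver:` / `  image:` so it mirrors the new `kubectl:` / `  image:` block, or reduce it to `image.pullPolicy`, the one key the template still reads via `imagePullPolicy: {{ .Values.image.pullPolicy }}`. The `docker.io/` prefix dropped from `repository` now has to come from `global.imageRegistry`; a comment next to this block saying that the registry is taken from `global.imageRegistry` would make the dependency visible to whoever edits the parent values.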