From c6d2c89e31ab63d2710a8270d147bdf15cdba350 Mon Sep 17 00:00:00 2001 From: Edvin Norling Date: Wed, 14 Jul 2021 11:54:53 +0200 Subject: [PATCH 01/10] Helm enable to config controller manager port The current port can be taken when running in hostNetwork mode Signed-off-by: Edvin Norling --- cmd/build/helmify/kustomization.yaml | 2 ++ cmd/build/helmify/kustomize-for-helm.yaml | 6 +++++- cmd/build/helmify/replacements.go | 2 ++ cmd/build/helmify/static/README.md | 1 + cmd/build/helmify/static/values.yaml | 1 + manifest_staging/charts/gatekeeper/README.md | 1 + .../templates/gatekeeper-controller-manager-deployment.yaml | 4 ++-- manifest_staging/charts/gatekeeper/values.yaml | 1 + 8 files changed, 15 insertions(+), 3 deletions(-) diff --git a/cmd/build/helmify/kustomization.yaml b/cmd/build/helmify/kustomization.yaml index b788e79a5f2..702a760a293 100644 --- a/cmd/build/helmify/kustomization.yaml +++ b/cmd/build/helmify/kustomization.yaml @@ -78,3 +78,5 @@ patchesJson6902: path: /spec/template/spec/nodeSelector/kubernetes.io~1os - op: remove path: /spec/template/spec/affinity/podAntiAffinity + - op: remove + path: /spec/template/spec/containers/0/ports/1 diff --git a/cmd/build/helmify/kustomize-for-helm.yaml b/cmd/build/helmify/kustomize-for-helm.yaml index 1cdee3409dc..f3b03d93452 100644 --- a/cmd/build/helmify/kustomize-for-helm.yaml +++ b/cmd/build/helmify/kustomize-for-helm.yaml @@ -63,7 +63,7 @@ spec: containers: - name: manager args: - - --port=8443 + - --port=HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PORT - --logtostderr - --log-denies={{ .Values.logDenies }} - --emit-admission-events={{ .Values.emitAdmissionEvents }} 
@@ -75,6 +75,10 @@ spec: - HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_EXEMPT_NAMESPACES imagePullPolicy: "{{ .Values.image.pullPolicy }}" image: "{{ .Values.image.repository }}:{{ .Values.image.release }}" + ports: + - containerPort: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PORT + name: webhook-server + protocol: TCP resources: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_CONTAINER_RESOURCES: "" nodeSelector: diff --git a/cmd/build/helmify/replacements.go b/cmd/build/helmify/replacements.go index b3a6e586f24..fbb028b3dec 100644 --- a/cmd/build/helmify/replacements.go +++ b/cmd/build/helmify/replacements.go @@ -7,6 +7,8 @@ var replacements = map[string]string{ "HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_HOST_NETWORK": `{{ .Values.controllerManager.hostNetwork }}`, + "HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PORT": `{{ .Values.controllerManager.port }}`, + "HELMSUBST_DEPLOYMENT_AUDIT_HOST_NETWORK": `{{ .Values.audit.hostNetwork }}`, `HELMSUBST_DEPLOYMENT_AUDIT_NODE_SELECTOR: ""`: `{{- toYaml .Values.audit.nodeSelector | nindent 8 }}`, diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md index fcaa3ee7536..b2eea613fb2 100644 --- a/cmd/build/helmify/static/README.md +++ b/cmd/build/helmify/static/README.md @@ -92,6 +92,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | | affinity | The node affinity to use for pod scheduling | `{}` | | tolerations | The tolerations to use for pod scheduling | `[]` | +| controllerManager.port | Webhook-server port for controller manager | `8443` | | controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` | | controllerManager.exemptNamespaces | The namespaces to exempt | `[]` | | controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` | 
diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml index 55183b42007..c9469eda8e3 100644 --- a/cmd/build/helmify/static/values.yaml +++ b/cmd/build/helmify/static/values.yaml @@ -36,6 +36,7 @@ secretAnnotations: {} controllerManager: exemptNamespaces: [] hostNetwork: false + port: 8443 priorityClassName: system-cluster-critical affinity: podAntiAffinity: diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md index fcaa3ee7536..b2eea613fb2 100644 --- a/manifest_staging/charts/gatekeeper/README.md +++ b/manifest_staging/charts/gatekeeper/README.md @@ -92,6 +92,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | | affinity | The node affinity to use for pod scheduling | `{}` | | tolerations | The tolerations to use for pod scheduling | `[]` | +| controllerManager.port | Webhook-server port for controller manager | `8443` | | controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` | | controllerManager.exemptNamespaces | The namespaces to exempt | `[]` | | controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` | diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml index 8aea76c6b20..513c29b5f71 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml 
@@ -41,7 +41,7 @@ spec: automountServiceAccountToken: true containers: - args: - - --port=8443 + - --port={{ .Values.controllerManager.port }} - --logtostderr - --log-denies={{ .Values.logDenies }} - --emit-admission-events={{ .Values.emitAdmissionEvents }} @@ -77,7 +77,7 @@ spec: port: 9090 name: manager ports: - - containerPort: 8443 + - containerPort: {{ .Values.controllerManager.port }} name: webhook-server protocol: TCP - containerPort: 8888 diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml index 55183b42007..c9469eda8e3 100644 --- a/manifest_staging/charts/gatekeeper/values.yaml +++ b/manifest_staging/charts/gatekeeper/values.yaml @@ -36,6 +36,7 @@ secretAnnotations: {} controllerManager: exemptNamespaces: [] hostNetwork: false + port: 8443 priorityClassName: system-cluster-critical affinity: podAntiAffinity: From 16593c74d3e4f2efed2180cc817669ce9cd6b823 Mon Sep 17 00:00:00 2001 From: Edvin Norling Date: Wed, 14 Jul 2021 14:06:37 +0200 Subject: [PATCH 02/10] Additional config of metrics & healthz port Signed-off-by: Edvin Norling --- cmd/build/helmify/kustomization.yaml | 6 +++++- cmd/build/helmify/kustomize-for-helm.yaml | 8 ++++++++ cmd/build/helmify/replacements.go | 4 ++++ cmd/build/helmify/static/README.md | 2 ++ cmd/build/helmify/static/values.yaml | 2 ++ manifest_staging/charts/gatekeeper/README.md | 2 ++ .../gatekeeper-controller-manager-deployment.yaml | 6 ++++-- manifest_staging/charts/gatekeeper/values.yaml | 2 ++ 8 files changed, 29 insertions(+), 3 deletions(-) diff --git a/cmd/build/helmify/kustomization.yaml b/cmd/build/helmify/kustomization.yaml index 702a760a293..d45b458f215 100644 --- a/cmd/build/helmify/kustomization.yaml +++ b/cmd/build/helmify/kustomization.yaml 
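Review bot: Making `controllerManager.port` tunable re-points only the container's `--port` argument and `containerPort` in this hunk; the webhook Service that fronts the pod is not in the diffstat, so if its `targetPort` is the literal `8443` rather than the named port `webhook-server`, any non-default value leaves the API server dialing a port nothing listens on. Because Gatekeeper's validating webhook is commonly run with `failurePolicy: Ignore`, that mismatch fails open — admission requests are silently admitted and no policy is enforced, which is the worst outcome for a port knob. I would either switch the Service to `targetPort: webhook-server` in the same change or annotate the value, e.g. `port: 8443  # must match the webhook Service targetPort unless it references the named port webhook-server`. The enclosing container spec continues outside the hunk.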
@@ -79,4 +79,8 @@ patchesJson6902: - op: remove path: /spec/template/spec/affinity/podAntiAffinity - op: remove - path: /spec/template/spec/containers/0/ports/1 + path: /spec/template/spec/containers/0/ports/3 + - op: remove + path: /spec/template/spec/containers/0/ports/3 + - op: remove + path: /spec/template/spec/containers/0/ports/3 diff --git a/cmd/build/helmify/kustomize-for-helm.yaml b/cmd/build/helmify/kustomize-for-helm.yaml index f3b03d93452..4435837e0e5 100644 --- a/cmd/build/helmify/kustomize-for-helm.yaml +++ b/cmd/build/helmify/kustomize-for-helm.yaml @@ -64,6 +64,8 @@ spec: - name: manager args: - --port=HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PORT + - --health-addr=HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_HEALTH_ADDR + - --prometheus-port=HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PROMETHEUS_PORT - --logtostderr - --log-denies={{ .Values.logDenies }} - --emit-admission-events={{ .Values.emitAdmissionEvents }} @@ -79,6 +81,12 @@ spec: - containerPort: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PORT name: webhook-server protocol: TCP + - containerPort: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PROMETHEUS_PORT + name: metrics + protocol: TCP + - containerPort: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_HEALTH_ADDR + name: healthz + protocol: TCP resources: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_CONTAINER_RESOURCES: "" nodeSelector: diff --git a/cmd/build/helmify/replacements.go b/cmd/build/helmify/replacements.go index fbb028b3dec..1a1e5ba0749 100644 --- a/cmd/build/helmify/replacements.go +++ b/cmd/build/helmify/replacements.go 
@@ -9,6 +9,10 @@ var replacements = map[string]string{ "HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PORT": `{{ .Values.controllerManager.port }}`, + "HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_HEALTH_ADDR": `{{ .Values.controllerManager.healthAddr }}`, + + "HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PROMETHEUS_PORT": `{{ .Values.controllerManager.prometheusPort }}`, + "HELMSUBST_DEPLOYMENT_AUDIT_HOST_NETWORK": `{{ .Values.audit.hostNetwork }}`, `HELMSUBST_DEPLOYMENT_AUDIT_NODE_SELECTOR: ""`: `{{- toYaml .Values.audit.nodeSelector | nindent 8 }}`, diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md index b2eea613fb2..b283b92d1e5 100644 --- a/cmd/build/helmify/static/README.md +++ b/cmd/build/helmify/static/README.md @@ -92,7 +92,9 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | | affinity | The node affinity to use for pod scheduling | `{}` | | tolerations | The tolerations to use for pod scheduling | `[]` | +| controllerManager.healthAddr | Health address for controller manager | `:9090` | | controllerManager.port | Webhook-server port for controller manager | `8443` | +| controllerManager.prometheusPort | Metrics port for controller manager | `8888` | | controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` | | controllerManager.exemptNamespaces | The namespaces to exempt | `[]` | | controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` | diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml index c9469eda8e3..4a415915ef4 100644 --- a/cmd/build/helmify/static/values.yaml +++ b/cmd/build/helmify/static/values.yaml 
@@ -37,6 +37,8 @@ controllerManager: exemptNamespaces: [] hostNetwork: false port: 8443 + prometheusPort: 8888 + healthAddr: ":9090" priorityClassName: system-cluster-critical affinity: podAntiAffinity: diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md index b2eea613fb2..b283b92d1e5 100644 --- a/manifest_staging/charts/gatekeeper/README.md +++ b/manifest_staging/charts/gatekeeper/README.md @@ -92,7 +92,9 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | | affinity | The node affinity to use for pod scheduling | `{}` | | tolerations | The tolerations to use for pod scheduling | `[]` | +| controllerManager.healthAddr | Health address for controller manager | `:9090` | | controllerManager.port | Webhook-server port for controller manager | `8443` | +| controllerManager.prometheusPort | Metrics port for controller manager | `8888` | | controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` | | controllerManager.exemptNamespaces | The namespaces to exempt | `[]` | | controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` | diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml index 513c29b5f71..8ff025fc3f3 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml 
@@ -42,6 +42,8 @@ spec: containers: - args: - --port={{ .Values.controllerManager.port }} + - --health-addr={{ .Values.controllerManager.healthAddr }} + - --prometheus-port={{ .Values.controllerManager.prometheusPort }} - --logtostderr - --log-denies={{ .Values.logDenies }} - --emit-admission-events={{ .Values.emitAdmissionEvents }} @@ -80,10 +82,10 @@ spec: - containerPort: {{ .Values.controllerManager.port }} name: webhook-server protocol: TCP - - containerPort: 8888 + - containerPort: {{ .Values.controllerManager.prometheusPort }} name: metrics protocol: TCP - - containerPort: 9090 + - containerPort: {{ .Values.controllerManager.healthAddr }} name: healthz protocol: TCP readinessProbe: diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml index c9469eda8e3..4a415915ef4 100644 --- a/manifest_staging/charts/gatekeeper/values.yaml +++ b/manifest_staging/charts/gatekeeper/values.yaml @@ -37,6 +37,8 @@ controllerManager: exemptNamespaces: [] hostNetwork: false port: 8443 + prometheusPort: 8888 + healthAddr: ":9090" priorityClassName: system-cluster-critical affinity: podAntiAffinity: From e3c1c7ffd099e0e08dbf8699436e74d83c756056 Mon Sep 17 00:00:00 2001 From: Edvin Norling Date: Wed, 14 Jul 2021 14:47:06 +0200 Subject: [PATCH 03/10] Remove health endpoint config Signed-off-by: Edvin Norling --- cmd/build/helmify/kustomization.yaml | 2 -- cmd/build/helmify/kustomize-for-helm.yaml | 4 ---- cmd/build/helmify/replacements.go | 2 -- cmd/build/helmify/static/README.md | 1 - manifest_staging/charts/gatekeeper/README.md | 1 - .../templates/gatekeeper-controller-manager-deployment.yaml | 5 ++--- 6 files changed, 2 insertions(+), 13 deletions(-) diff --git a/cmd/build/helmify/kustomization.yaml b/cmd/build/helmify/kustomization.yaml index d45b458f215..bbfbbf60234 100644 --- a/cmd/build/helmify/kustomization.yaml +++ b/cmd/build/helmify/kustomization.yaml 
@@ -82,5 +82,3 @@ patchesJson6902: path: /spec/template/spec/containers/0/ports/3 - op: remove path: /spec/template/spec/containers/0/ports/3 - - op: remove - path: /spec/template/spec/containers/0/ports/3 diff --git a/cmd/build/helmify/kustomize-for-helm.yaml b/cmd/build/helmify/kustomize-for-helm.yaml index 4435837e0e5..6e8846e4fba 100644 --- a/cmd/build/helmify/kustomize-for-helm.yaml +++ b/cmd/build/helmify/kustomize-for-helm.yaml @@ -64,7 +64,6 @@ spec: - name: manager args: - --port=HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PORT - - --health-addr=HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_HEALTH_ADDR - --prometheus-port=HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PROMETHEUS_PORT - --logtostderr - --log-denies={{ .Values.logDenies }} @@ -84,9 +83,6 @@ spec: - containerPort: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PROMETHEUS_PORT name: metrics protocol: TCP - - containerPort: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_HEALTH_ADDR - name: healthz - protocol: TCP resources: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_CONTAINER_RESOURCES: "" nodeSelector: diff --git a/cmd/build/helmify/replacements.go b/cmd/build/helmify/replacements.go index 1a1e5ba0749..9d140d70fbf 100644 --- a/cmd/build/helmify/replacements.go +++ b/cmd/build/helmify/replacements.go @@ -9,8 +9,6 @@ var replacements = map[string]string{ "HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PORT": `{{ .Values.controllerManager.port }}`, - "HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_HEALTH_ADDR": `{{ .Values.controllerManager.healthAddr }}`, - "HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PROMETHEUS_PORT": `{{ .Values.controllerManager.prometheusPort }}`, "HELMSUBST_DEPLOYMENT_AUDIT_HOST_NETWORK": `{{ .Values.audit.hostNetwork }}`, diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md index b283b92d1e5..f52995db2e5 100644 --- a/cmd/build/helmify/static/README.md +++ b/cmd/build/helmify/static/README.md 
@@ -92,7 +92,6 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | | affinity | The node affinity to use for pod scheduling | `{}` | | tolerations | The tolerations to use for pod scheduling | `[]` | -| controllerManager.healthAddr | Health address for controller manager | `:9090` | | controllerManager.port | Webhook-server port for controller manager | `8443` | | controllerManager.prometheusPort | Metrics port for controller manager | `8888` | | controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` | diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md index b283b92d1e5..f52995db2e5 100644 --- a/manifest_staging/charts/gatekeeper/README.md +++ b/manifest_staging/charts/gatekeeper/README.md @@ -92,7 +92,6 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | | affinity | The node affinity to use for pod scheduling | `{}` | | tolerations | The tolerations to use for pod scheduling | `[]` | -| controllerManager.healthAddr | Health address for controller manager | `:9090` | | controllerManager.port | Webhook-server port for controller manager | `8443` | | controllerManager.prometheusPort | Metrics port for controller manager | `8888` | | controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` | diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml index 8ff025fc3f3..27855250beb 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml 
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml @@ -42,7 +42,6 @@ spec: containers: - args: - --port={{ .Values.controllerManager.port }} - - --health-addr={{ .Values.controllerManager.healthAddr }} - --prometheus-port={{ .Values.controllerManager.prometheusPort }} - --logtostderr - --log-denies={{ .Values.logDenies }} @@ -85,8 +84,8 @@ spec: - containerPort: {{ .Values.controllerManager.prometheusPort }} name: metrics protocol: TCP - - containerPort: {{ .Values.controllerManager.healthAddr }} - name: healthz + - containerPort: 8443 + name: webhook-server protocol: TCP readinessProbe: httpGet: From a9375877a59cd2c240b322e4bfaf79da95619e63 Mon Sep 17 00:00:00 2001 From: Edvin Norling Date: Wed, 14 Jul 2021 14:55:41 +0200 Subject: [PATCH 04/10] Add healthPort instead of healthAddr This way we can still easily define the port but not the addr. I think it's a good enough middle way. Signed-off-by: Edvin Norling --- cmd/build/helmify/kustomization.yaml | 2 ++ cmd/build/helmify/kustomize-for-helm.yaml | 12 ++++++++++++ cmd/build/helmify/replacements.go | 2 ++ cmd/build/helmify/static/README.md | 1 + cmd/build/helmify/static/values.yaml | 2 +- manifest_staging/charts/gatekeeper/README.md | 1 + .../gatekeeper-controller-manager-deployment.yaml | 9 +++++---- manifest_staging/charts/gatekeeper/values.yaml | 2 +- 8 files changed, 25 insertions(+), 6 deletions(-) diff --git a/cmd/build/helmify/kustomization.yaml b/cmd/build/helmify/kustomization.yaml index bbfbbf60234..d45b458f215 100644 --- a/cmd/build/helmify/kustomization.yaml +++ b/cmd/build/helmify/kustomization.yaml @@ -82,3 +82,5 @@ patchesJson6902: path: /spec/template/spec/containers/0/ports/3 - op: remove path: /spec/template/spec/containers/0/ports/3 + - op: remove + path: /spec/template/spec/containers/0/ports/3 diff --git a/cmd/build/helmify/kustomize-for-helm.yaml b/cmd/build/helmify/kustomize-for-helm.yaml index 6e8846e4fba..885d63c04a5 100644 
--- a/cmd/build/helmify/kustomize-for-helm.yaml +++ b/cmd/build/helmify/kustomize-for-helm.yaml @@ -64,6 +64,7 @@ spec: - name: manager args: - --port=HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PORT + - --health-addr=":HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_HEALTH_PORT" - --prometheus-port=HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PROMETHEUS_PORT - --logtostderr - --log-denies={{ .Values.logDenies }} @@ -83,6 +84,17 @@ spec: - containerPort: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PROMETHEUS_PORT name: metrics protocol: TCP + - containerPort: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_HEALTH_PORT + name: healthz + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_HEALTH_PORT + livenessProbe: + httpGet: + path: /healthz + port: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_HEALTH_PORT resources: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_CONTAINER_RESOURCES: "" nodeSelector: diff --git a/cmd/build/helmify/replacements.go b/cmd/build/helmify/replacements.go index 9d140d70fbf..c3b5744fda6 100644 --- a/cmd/build/helmify/replacements.go +++ b/cmd/build/helmify/replacements.go @@ -9,6 +9,8 @@ var replacements = map[string]string{ "HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PORT": `{{ .Values.controllerManager.port }}`, + "HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_HEALTH_PORT": `{{ .Values.controllerManager.healthPort }}`, + "HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PROMETHEUS_PORT": `{{ .Values.controllerManager.prometheusPort }}`, "HELMSUBST_DEPLOYMENT_AUDIT_HOST_NETWORK": `{{ .Values.audit.hostNetwork }}`, diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md index f52995db2e5..29480efbffd 100644 --- a/cmd/build/helmify/static/README.md +++ b/cmd/build/helmify/static/README.md 
@@ -92,6 +92,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | | affinity | The node affinity to use for pod scheduling | `{}` | | tolerations | The tolerations to use for pod scheduling | `[]` | +| controllerManager.healthPort | Health port for controller manager | `9090` | | controllerManager.port | Webhook-server port for controller manager | `8443` | | controllerManager.prometheusPort | Metrics port for controller manager | `8888` | | controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` | diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml index 4a415915ef4..82a6f7ae648 100644 --- a/cmd/build/helmify/static/values.yaml +++ b/cmd/build/helmify/static/values.yaml @@ -38,7 +38,7 @@ controllerManager: hostNetwork: false port: 8443 prometheusPort: 8888 - healthAddr: ":9090" + healthPort: 9090 priorityClassName: system-cluster-critical affinity: podAntiAffinity: diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md index f52995db2e5..29480efbffd 100644 --- a/manifest_staging/charts/gatekeeper/README.md +++ b/manifest_staging/charts/gatekeeper/README.md 
@@ -92,6 +92,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | | affinity | The node affinity to use for pod scheduling | `{}` | | tolerations | The tolerations to use for pod scheduling | `[]` | +| controllerManager.healthPort | Health port for controller manager | `9090` | | controllerManager.port | Webhook-server port for controller manager | `8443` | | controllerManager.prometheusPort | Metrics port for controller manager | `8888` | | controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` | diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml index 27855250beb..bf9cbc97b6b 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml @@ -42,6 +42,7 @@ spec: containers: - args: - --port={{ .Values.controllerManager.port }} + - --health-addr=":{{ .Values.controllerManager.healthPort }}" - --prometheus-port={{ .Values.controllerManager.prometheusPort }} - --logtostderr - --log-denies={{ .Values.logDenies }} @@ -75,7 +76,7 @@ spec: livenessProbe: httpGet: path: /healthz - port: 9090 + port: {{ .Values.controllerManager.healthPort }} name: manager ports: - containerPort: {{ .Values.controllerManager.port }} 
@@ -84,13 +85,13 @@ spec: - containerPort: {{ .Values.controllerManager.prometheusPort }} name: metrics protocol: TCP - - containerPort: 8443 - name: webhook-server + - containerPort: {{ .Values.controllerManager.healthPort }} + name: healthz protocol: TCP readinessProbe: httpGet: path: /readyz - port: 9090 + port: {{ .Values.controllerManager.healthPort }} resources: {{- toYaml .Values.controllerManager.resources | nindent 10 }} securityContext: diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml index 4a415915ef4..82a6f7ae648 100644 --- a/manifest_staging/charts/gatekeeper/values.yaml +++ b/manifest_staging/charts/gatekeeper/values.yaml @@ -38,7 +38,7 @@ controllerManager: hostNetwork: false port: 8443 prometheusPort: 8888 - healthAddr: ":9090" + healthPort: 9090 priorityClassName: system-cluster-critical affinity: podAntiAffinity: From 077d4e65221e783dd28187cbdd0de06a1a155c87 Mon Sep 17 00:00:00 2001 From: Edvin Norling Date: Mon, 19 Jul 2021 12:50:13 +0200 Subject: [PATCH 05/10] Remove "" from HEALTH_PORT Signed-off-by: Edvin Norling --- cmd/build/helmify/kustomize-for-helm.yaml | 2 +- .../templates/gatekeeper-controller-manager-deployment.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cmd/build/helmify/kustomize-for-helm.yaml b/cmd/build/helmify/kustomize-for-helm.yaml index 885d63c04a5..12d2fe98e84 100644 --- a/cmd/build/helmify/kustomize-for-helm.yaml +++ b/cmd/build/helmify/kustomize-for-helm.yaml @@ -64,7 +64,7 @@ spec: - name: manager args: - --port=HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PORT - - --health-addr=":HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_HEALTH_PORT" + - --health-addr=:HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_HEALTH_PORT - --prometheus-port=HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PROMETHEUS_PORT - --logtostderr - --log-denies={{ .Values.logDenies }} 
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml index bf9cbc97b6b..f07a20c7450 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml @@ -42,7 +42,7 @@ spec: containers: - args: - --port={{ .Values.controllerManager.port }} - - --health-addr=":{{ .Values.controllerManager.healthPort }}" + - --health-addr=:{{ .Values.controllerManager.healthPort }} - --prometheus-port={{ .Values.controllerManager.prometheusPort }} - --logtostderr - --log-denies={{ .Values.logDenies }} From 02fdf0b08b0f7d976cf90d739c1f6622b97ee303 Mon Sep 17 00:00:00 2001 From: Edvin Norling Date: Wed, 4 Aug 2021 08:29:27 +0200 Subject: [PATCH 06/10] Delete port usng patchesStrategicMerge Signed-off-by: Edvin Norling --- cmd/build/helmify/delete-ports.yaml | 17 +++++++++++++++++ cmd/build/helmify/kustomization.yaml | 7 +------ 2 files changed, 18 insertions(+), 6 deletions(-) create mode 100644 cmd/build/helmify/delete-ports.yaml diff --git a/cmd/build/helmify/delete-ports.yaml b/cmd/build/helmify/delete-ports.yaml new file mode 100644 index 00000000000..485fdc94776 --- /dev/null +++ b/cmd/build/helmify/delete-ports.yaml @@ -0,0 +1,17 @@ +kind: Deployment +apiVersion: apps/v1 +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + ports: + - containerPort: 8888 + $patch: delete + - containerPort: 8443 + $patch: delete + - containerPort: 9090 + $patch: delete diff --git a/cmd/build/helmify/kustomization.yaml b/cmd/build/helmify/kustomization.yaml index d45b458f215..240db813af0 100644 --- a/cmd/build/helmify/kustomization.yaml +++ b/cmd/build/helmify/kustomization.yaml 
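Review bot: The strategic-merge deletions in the new `delete-ports.yaml` match on the literal `containerPort` values 8888, 8443 and 9090, so they only work while the base manifests under `config/` (not visible here) keep exactly those defaults; if one changes, `$patch: delete` silently matches nothing and the rendered chart carries both the templated port and the stale literal one — duplicate `ports` entries that fail to apply or, under hostNetwork, fight for the same node port. Because the `ports` list merges on `containerPort`, there is no way to key the deletion on the port name, so a header comment is the practical safeguard, e.g. `# Strips the hard-coded ports from the base Deployment so kustomize-for-helm.yaml can re-add them as Helm values; these numbers must track the defaults in config/.` The same caveat applies to the audit entries added to this file later in the series.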
@@ -8,6 +8,7 @@ bases: - "../../../config/overlays/mutation_webhook" # calls ../../default patchesStrategicMerge: - kustomize-for-helm.yaml + - delete-ports.yaml patchesJson6902: - target: group: apiextensions.k8s.io @@ -78,9 +79,3 @@ patchesJson6902: path: /spec/template/spec/nodeSelector/kubernetes.io~1os - op: remove path: /spec/template/spec/affinity/podAntiAffinity - - op: remove - path: /spec/template/spec/containers/0/ports/3 - - op: remove - path: /spec/template/spec/containers/0/ports/3 - - op: remove - path: /spec/template/spec/containers/0/ports/3 From e3d8559a8d93fd18134d5f69b935c2db419a6da5 Mon Sep 17 00:00:00 2001 From: Edvin Norling Date: Wed, 4 Aug 2021 09:51:01 +0200 Subject: [PATCH 07/10] Add port definition for audit-deployment Signed-off-by: Edvin Norling --- cmd/build/helmify/delete-ports.yaml | 20 +++++++++++++++++-- cmd/build/helmify/kustomize-for-helm.yaml | 17 ++++++++++++++++ cmd/build/helmify/replacements.go | 4 ++++ cmd/build/helmify/static/values.yaml | 2 ++ .../gatekeeper-audit-deployment.yaml | 10 ++++++---- .../charts/gatekeeper/values.yaml | 2 ++ 6 files changed, 49 insertions(+), 6 deletions(-) diff --git a/cmd/build/helmify/delete-ports.yaml b/cmd/build/helmify/delete-ports.yaml index 485fdc94776..15a402c9b6d 100644 --- a/cmd/build/helmify/delete-ports.yaml +++ b/cmd/build/helmify/delete-ports.yaml @@ -1,8 +1,8 @@ kind: Deployment apiVersion: apps/v1 metadata: - name: controller-manager - namespace: system + name: gatekeeper-controller-manager + namespace: gatekeeper-system spec: template: spec: @@ -15,3 +15,19 @@ spec: $patch: delete - containerPort: 9090 $patch: delete +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: gatekeeper-audit + namespace: gatekeeper-system +spec: + template: + spec: + containers: + - name: manager + ports: + - containerPort: 8888 + $patch: delete + - containerPort: 9090 + $patch: delete 
diff --git a/cmd/build/helmify/kustomize-for-helm.yaml b/cmd/build/helmify/kustomize-for-helm.yaml index 12d2fe98e84..747a2424bd9 100644 --- a/cmd/build/helmify/kustomize-for-helm.yaml +++ b/cmd/build/helmify/kustomize-for-helm.yaml @@ -131,8 +131,25 @@ spec: - --operation=audit - --operation=status - --logtostderr + - --health-addr=:HELMSUBST_DEPLOYMENT_AUDIT_HEALTH_PORT + - --prometheus-port=HELMSUBST_DEPLOYMENT_AUDIT_PROMETHEUS_PORT imagePullPolicy: "{{ .Values.image.pullPolicy }}" image: "{{ .Values.image.repository }}:{{ .Values.image.release }}" + ports: + - containerPort: HELMSUBST_DEPLOYMENT_AUDIT_PROMETHEUS_PORT + name: metrics + protocol: TCP + - containerPort: HELMSUBST_DEPLOYMENT_AUDIT_HEALTH_PORT + name: healthz + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: HELMSUBST_DEPLOYMENT_AUDIT_HEALTH_PORT + livenessProbe: + httpGet: + path: /healthz + port: HELMSUBST_DEPLOYMENT_AUDIT_HEALTH_PORT resources: HELMSUBST_DEPLOYMENT_AUDIT_CONTAINER_RESOURCES: "" nodeSelector: diff --git a/cmd/build/helmify/replacements.go b/cmd/build/helmify/replacements.go index c3b5744fda6..92b92852c80 100644 --- a/cmd/build/helmify/replacements.go +++ b/cmd/build/helmify/replacements.go @@ -15,6 +15,10 @@ var replacements = map[string]string{ "HELMSUBST_DEPLOYMENT_AUDIT_HOST_NETWORK": `{{ .Values.audit.hostNetwork }}`, + "HELMSUBST_DEPLOYMENT_AUDIT_HEALTH_PORT": `{{ .Values.audit.healthPort }}`, + + "HELMSUBST_DEPLOYMENT_AUDIT_PROMETHEUS_PORT": `{{ .Values.audit.prometheusPort }}`, + `HELMSUBST_DEPLOYMENT_AUDIT_NODE_SELECTOR: ""`: `{{- toYaml .Values.audit.nodeSelector | nindent 8 }}`, `HELMSUBST_DEPLOYMENT_AUDIT_AFFINITY: ""`: `{{- toYaml .Values.audit.affinity | nindent 8 }}`, diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml index 38cb16fd97b..4995d07c098 100644 --- a/cmd/build/helmify/static/values.yaml +++ b/cmd/build/helmify/static/values.yaml 
@@ -63,6 +63,8 @@ controllerManager: memory: 256Mi audit: hostNetwork: false + prometheusPort: 8888 + healthPort: 9090 priorityClassName: system-cluster-critical affinity: {} tolerations: [] diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml index 35dca9e96c8..32d75e216a9 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml @@ -51,6 +51,8 @@ spec: - --operation=audit - --operation=status - --logtostderr + - --health-addr=:{{ .Values.audit.healthPort }} + - --prometheus-port={{ .Values.audit.prometheusPort }} command: - /manager env: @@ -68,19 +70,19 @@ spec: livenessProbe: httpGet: path: /healthz - port: 9090 + port: {{ .Values.audit.healthPort }} name: manager ports: - - containerPort: 8888 + - containerPort: {{ .Values.audit.prometheusPort }} name: metrics protocol: TCP - - containerPort: 9090 + - containerPort: {{ .Values.audit.healthPort }} name: healthz protocol: TCP readinessProbe: httpGet: path: /readyz - port: 9090 + port: {{ .Values.audit.healthPort }} resources: {{- toYaml .Values.audit.resources | nindent 10 }} securityContext: diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml index 38cb16fd97b..4995d07c098 100644 --- a/manifest_staging/charts/gatekeeper/values.yaml +++ b/manifest_staging/charts/gatekeeper/values.yaml @@ -63,6 +63,8 @@ controllerManager: memory: 256Mi audit: hostNetwork: false + prometheusPort: 8888 + healthPort: 9090 priorityClassName: system-cluster-critical affinity: {} tolerations: [] From e94896b8106bff8757cb9f3a0edf2a11b66ffc6e Mon Sep 17 00:00:00 2001 From: Edvin Norling Date: Wed, 4 Aug 2021 10:13:11 +0200 Subject: [PATCH 08/10] Update docs to match with audit Also remove some withespace 
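Review bot: The new audit defaults `prometheusPort: 8888` and `healthPort: 9090` are the same numbers the controllerManager section uses for its metrics and health ports, so when both deployments run with `hostNetwork: true` and are scheduled onto the same node, one of them fails to bind — exactly the conflict this series sets out to make configurable. The chart defaults `affinity: {}` here, so nothing keeps the two pods apart. At minimum the values file should say so next to the new keys: `# when hostNetwork is true these must differ from controllerManager.* and from any other service bound on the node`; choosing distinct defaults would be cleaner but also changes the documented values in the README.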
Signed-off-by: Edvin Norling --- cmd/build/helmify/static/README.md | 20 +++++++++++--------- manifest_staging/charts/gatekeeper/README.md | 20 +++++++++++--------- 2 files changed, 22 insertions(+), 18 deletions(-) diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md index 0cb26ebb550..52aa703f1e1 100644 --- a/cmd/build/helmify/static/README.md +++ b/cmd/build/helmify/static/README.md @@ -29,8 +29,8 @@ _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documen **Upgrading from < v3.4.0** Chart 3.4.0 deprecates support for Helm 2 and also removes the creation of the `gatekeeper-system` Namespace from within the chart. This follows Helm 3 Best Practices. -Option 1: -A simple way to upgrade is to uninstall first and re-install with 3.4.0 or greater. +Option 1: +A simple way to upgrade is to uninstall first and re-install with 3.4.0 or greater. ```console $ helm uninstall gatekeeper @@ -38,7 +38,7 @@ $ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --creat ``` -Option 2: +Option 2: Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the original release, while keeping all of the resources. It then updates the annotations of the resources so that the new chart can import and manage them. ```console 
@@ -63,7 +63,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi ## Parameters | Parameter | Description | Default | -| :--------------------------------------------| :--------------------------------------------------------------------------------------| :-------------------------------------------------------------------------| +| :------------------------------------------- | :------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ | | postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` | | postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `line/kubectl-kustomize` | | postInstall.labelNamespace.image.tag | Image tag | `1.20.4-4.0.5` | 
@@ -73,11 +73,11 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` | | auditFromCache | Take the roster of resources to audit from the OPA cache | `false` | | auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `0` | -| auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. | `false` | +| auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. | `false` | | disableValidatingWebhook | Disable the validating webhook | `false` | | validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` | -| validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` | -| validatingWebhookCheckIgnoreFailurePolicy | The failurePolicy for the check-ignore-label validating webhook | `Fail` | +| validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` | +| validatingWebhookCheckIgnoreFailurePolicy | The failurePolicy for the check-ignore-label validating webhook | `Fail` | | enableDeleteOperations | Enable validating webhook for delete operations | `false` | | experimentalEnableMutation | Enable mutation (alpha feature) | `false` | | emitAdmissionEvents | Emit K8s events in gatekeeper namespace for admission violations (alpha feature) | `false` | 
@@ -86,7 +86,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | logLevel | Minimum log level | `INFO` | | image.pullPolicy | The image pull policy | `IfNotPresent` | | image.repository | Image repository | `openpolicyagent/gatekeeper` | -| image.release | The image release tag to use | Current release version: `v3.6.0-beta.3` | +| image.release | The image release tag to use | Current release version: `v3.6.0-beta.3` | | image.pullSecrets | Specify an array of imagePullSecrets | `[]` | | resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | @@ -96,10 +96,12 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | controllerManager.port | Webhook-server port for controller manager | `8443` | | controllerManager.prometheusPort | Metrics port for controller manager | `8888` | | controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` | -| controllerManager.exemptNamespaces | The namespaces to exempt | `[]` | +| controllerManager.exemptNamespaces | The namespaces to exempt | `[]` | | controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` | | audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` | | audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` | +| audit.healthPort | Health port for audit | `9090` | +| audit.prometheusPort | Metrics port for audit | `8888` | | replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` | | podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` | | podLabels | The labels to add to the Gatekeeper pods | `{}` | 
diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md index 0cb26ebb550..52aa703f1e1 100644 --- a/manifest_staging/charts/gatekeeper/README.md +++ b/manifest_staging/charts/gatekeeper/README.md @@ -29,8 +29,8 @@ _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documen **Upgrading from < v3.4.0** Chart 3.4.0 deprecates support for Helm 2 and also removes the creation of the `gatekeeper-system` Namespace from within the chart. This follows Helm 3 Best Practices. -Option 1: -A simple way to upgrade is to uninstall first and re-install with 3.4.0 or greater. +Option 1: +A simple way to upgrade is to uninstall first and re-install with 3.4.0 or greater. ```console $ helm uninstall gatekeeper @@ -38,7 +38,7 @@ $ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --creat ``` -Option 2: +Option 2: Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the original release, while keeping all of the resources. It then updates the annotations of the resources so that the new chart can import and manage them. ```console 
@@ -63,7 +63,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi ## Parameters | Parameter | Description | Default | -| :--------------------------------------------| :--------------------------------------------------------------------------------------| :-------------------------------------------------------------------------| +| :------------------------------------------- | :------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ | | postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` | | postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `line/kubectl-kustomize` | | postInstall.labelNamespace.image.tag | Image tag | `1.20.4-4.0.5` | 
@@ -73,11 +73,11 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` | | auditFromCache | Take the roster of resources to audit from the OPA cache | `false` | | auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `0` | -| auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. | `false` | +| auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. | `false` | | disableValidatingWebhook | Disable the validating webhook | `false` | | validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` | -| validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` | -| validatingWebhookCheckIgnoreFailurePolicy | The failurePolicy for the check-ignore-label validating webhook | `Fail` | +| validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` | +| validatingWebhookCheckIgnoreFailurePolicy | The failurePolicy for the check-ignore-label validating webhook | `Fail` | | enableDeleteOperations | Enable validating webhook for delete operations | `false` | | experimentalEnableMutation | Enable mutation (alpha feature) | `false` | | emitAdmissionEvents | Emit K8s events in gatekeeper namespace for admission violations (alpha feature) | `false` | 
@@ -86,7 +86,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | logLevel | Minimum log level | `INFO` | | image.pullPolicy | The image pull policy | `IfNotPresent` | | image.repository | Image repository | `openpolicyagent/gatekeeper` | -| image.release | The image release tag to use | Current release version: `v3.6.0-beta.3` | +| image.release | The image release tag to use | Current release version: `v3.6.0-beta.3` | | image.pullSecrets | Specify an array of imagePullSecrets | `[]` | | resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | @@ -96,10 +96,12 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | controllerManager.port | Webhook-server port for controller manager | `8443` | | controllerManager.prometheusPort | Metrics port for controller manager | `8888` | | controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` | -| controllerManager.exemptNamespaces | The namespaces to exempt | `[]` | +| controllerManager.exemptNamespaces | The namespaces to exempt | `[]` | | controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` | | audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` | | audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` | +| audit.healthPort | Health port for audit | `9090` | +| audit.prometheusPort | Metrics port for audit | `8888` | | replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` | | podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` | | podLabels | The labels to add to the Gatekeeper pods | `{}` | 
From 6a7433928cdfb1f0d521dab5e5f52475583e8de1 Mon Sep 17 00:00:00 2001 From: Edvin Norling Date: Wed, 4 Aug 2021 10:13:47 +0200 Subject: [PATCH 09/10] Change webhook svc from 8443 to webhook-server Update the GKE docs since we use the name webhook-server you don't have to update the svc targetPort. Signed-off-by: Edvin Norling --- config/webhook/service.yaml | 3 +-- .../templates/gatekeeper-webhook-service-service.yaml | 2 +- manifest_staging/deploy/gatekeeper.yaml | 2 +- website/docs/cloud-specific.md | 8 -------- 4 files changed, 3 insertions(+), 12 deletions(-) diff --git a/config/webhook/service.yaml b/config/webhook/service.yaml index 94edd71c147..cea700c6a41 100644 --- a/config/webhook/service.yaml +++ b/config/webhook/service.yaml @@ -1,4 +1,3 @@ - apiVersion: v1 kind: Service metadata: @@ -7,7 +6,7 @@ metadata: spec: ports: - port: 443 - targetPort: 8443 + targetPort: webhook-server selector: control-plane: controller-manager gatekeeper.sh/operation: webhook diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-webhook-service-service.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-webhook-service-service.yaml index de7300e92cb..c49790b20a9 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-webhook-service-service.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-webhook-service-service.yaml @@ -18,7 +18,7 @@ spec: {{- end }} ports: - port: 443 - targetPort: 8443 + targetPort: webhook-server selector: app: '{{ template "gatekeeper.name" . }}' chart: '{{ template "gatekeeper.name" . }}' diff --git a/manifest_staging/deploy/gatekeeper.yaml b/manifest_staging/deploy/gatekeeper.yaml index 1247fd4bf0a..efcda8dd39c 100644 --- a/manifest_staging/deploy/gatekeeper.yaml +++ b/manifest_staging/deploy/gatekeeper.yaml @@ -841,7 +841,7 @@ metadata: spec: ports: - port: 443 - targetPort: 8443 + targetPort: webhook-server selector: control-plane: controller-manager gatekeeper.sh/operation: webhook 
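Review bot: `targetPort: webhook-server` in config/webhook/service.yaml only resolves if the controller-manager pod declares a container port with exactly that name; a port name the pod does not declare is accepted at apply time but yields no usable endpoint, so the failure surfaces only as admission timeouts, unlike a wrong numeric port which at least fails on connect. The chart side gets the named port from kustomize-for-helm.yaml (earlier patch), but this file is the plain kustomize base, so it relies on the upstream manager deployment carrying `name: webhook-server` as well — I cannot see that manifest from here. A one-line comment would make the contract explicit: `# must match the container port name declared in the manager deployment`.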
diff --git a/website/docs/cloud-specific.md b/website/docs/cloud-specific.md index 3110b246e1d..b8c752dc2a7 100644 --- a/website/docs/cloud-specific.md +++ b/website/docs/cloud-specific.md @@ -25,14 +25,6 @@ Two ways of working around this: protocol: TCP ``` - - update Gatekeeper service manifest spec: - - update `targetPort` from `8443` to `443` - ```yaml - ports: - - port: 443 - targetPort: 443 - ``` - ## Running on OpenShift 4.x When running on OpenShift, the `nouid` scc must be used to keep a restricted profile but being able to set the UserID. From a79e1f07f8fee1e8f286179472fba917cf7994fe Mon Sep 17 00:00:00 2001 From: Edvin Norling Date: Fri, 6 Aug 2021 10:59:29 +0200 Subject: [PATCH 10/10] Change from prometheusPort to metricsPort Signed-off-by: Edvin Norling --- cmd/build/helmify/kustomize-for-helm.yaml | 8 ++++---- cmd/build/helmify/replacements.go | 4 ++-- cmd/build/helmify/static/README.md | 4 ++-- cmd/build/helmify/static/values.yaml | 4 ++-- manifest_staging/charts/gatekeeper/README.md | 4 ++-- .../gatekeeper/templates/gatekeeper-audit-deployment.yaml | 4 ++-- .../gatekeeper-controller-manager-deployment.yaml | 4 ++-- manifest_staging/charts/gatekeeper/values.yaml | 4 ++-- 8 files changed, 18 insertions(+), 18 deletions(-) diff --git a/cmd/build/helmify/kustomize-for-helm.yaml b/cmd/build/helmify/kustomize-for-helm.yaml index 747a2424bd9..dbec58c8f04 100644 --- a/cmd/build/helmify/kustomize-for-helm.yaml +++ b/cmd/build/helmify/kustomize-for-helm.yaml @@ -65,7 +65,7 @@ spec: args: - --port=HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PORT - --health-addr=:HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_HEALTH_PORT - - --prometheus-port=HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PROMETHEUS_PORT + - --prometheus-port=HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_METRICS_PORT - --logtostderr - --log-denies={{ .Values.logDenies }} - --emit-admission-events={{ .Values.emitAdmissionEvents }} 
@@ -81,7 +81,7 @@ spec: - containerPort: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PORT name: webhook-server protocol: TCP - - containerPort: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PROMETHEUS_PORT + - containerPort: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_METRICS_PORT name: metrics protocol: TCP - containerPort: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_HEALTH_PORT @@ -132,11 +132,11 @@ spec: - --operation=status - --logtostderr - --health-addr=:HELMSUBST_DEPLOYMENT_AUDIT_HEALTH_PORT - - --prometheus-port=HELMSUBST_DEPLOYMENT_AUDIT_PROMETHEUS_PORT + - --prometheus-port=HELMSUBST_DEPLOYMENT_AUDIT_METRICS_PORT imagePullPolicy: "{{ .Values.image.pullPolicy }}" image: "{{ .Values.image.repository }}:{{ .Values.image.release }}" ports: - - containerPort: HELMSUBST_DEPLOYMENT_AUDIT_PROMETHEUS_PORT + - containerPort: HELMSUBST_DEPLOYMENT_AUDIT_METRICS_PORT name: metrics protocol: TCP - containerPort: HELMSUBST_DEPLOYMENT_AUDIT_HEALTH_PORT diff --git a/cmd/build/helmify/replacements.go b/cmd/build/helmify/replacements.go index 92b92852c80..2635a76e507 100644 --- a/cmd/build/helmify/replacements.go +++ b/cmd/build/helmify/replacements.go @@ -11,13 +11,13 @@ var replacements = map[string]string{ "HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_HEALTH_PORT": `{{ .Values.controllerManager.healthPort }}`, - "HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PROMETHEUS_PORT": `{{ .Values.controllerManager.prometheusPort }}`, + "HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_METRICS_PORT": `{{ .Values.controllerManager.metricsPort }}`, "HELMSUBST_DEPLOYMENT_AUDIT_HOST_NETWORK": `{{ .Values.audit.hostNetwork }}`, "HELMSUBST_DEPLOYMENT_AUDIT_HEALTH_PORT": `{{ .Values.audit.healthPort }}`, - "HELMSUBST_DEPLOYMENT_AUDIT_PROMETHEUS_PORT": `{{ .Values.audit.prometheusPort }}`, + "HELMSUBST_DEPLOYMENT_AUDIT_METRICS_PORT": `{{ .Values.audit.metricsPort }}`, `HELMSUBST_DEPLOYMENT_AUDIT_NODE_SELECTOR: ""`: `{{- toYaml .Values.audit.nodeSelector | nindent 8 }}`, 
diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md index 52aa703f1e1..6dc295f499f 100644 --- a/cmd/build/helmify/static/README.md +++ b/cmd/build/helmify/static/README.md @@ -94,14 +94,14 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | tolerations | The tolerations to use for pod scheduling | `[]` | | controllerManager.healthPort | Health port for controller manager | `9090` | | controllerManager.port | Webhook-server port for controller manager | `8443` | -| controllerManager.prometheusPort | Metrics port for controller manager | `8888` | +| controllerManager.metricsPort | Metrics port for controller manager | `8888` | | controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` | | controllerManager.exemptNamespaces | The namespaces to exempt | `[]` | | controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` | | audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` | | audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` | | audit.healthPort | Health port for audit | `9090` | -| audit.prometheusPort | Metrics port for audit | `8888` | +| audit.metricsPort | Metrics port for audit | `8888` | | replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` | | podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` | | podLabels | The labels to add to the Gatekeeper pods | `{}` | diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml index 4995d07c098..342d1cb5fab 100644 --- a/cmd/build/helmify/static/values.yaml +++ b/cmd/build/helmify/static/values.yaml 
@@ -37,7 +37,7 @@ controllerManager: exemptNamespaces: [] hostNetwork: false port: 8443 - prometheusPort: 8888 + metricsPort: 8888 healthPort: 9090 priorityClassName: system-cluster-critical affinity: @@ -63,7 +63,7 @@ controllerManager: memory: 256Mi audit: hostNetwork: false - prometheusPort: 8888 + metricsPort: 8888 healthPort: 9090 priorityClassName: system-cluster-critical affinity: {} diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md index 52aa703f1e1..6dc295f499f 100644 --- a/manifest_staging/charts/gatekeeper/README.md +++ b/manifest_staging/charts/gatekeeper/README.md 
@@ -94,14 +94,14 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | tolerations | The tolerations to use for pod scheduling | `[]` | | controllerManager.healthPort | Health port for controller manager | `9090` | | controllerManager.port | Webhook-server port for controller manager | `8443` | -| controllerManager.prometheusPort | Metrics port for controller manager | `8888` | +| controllerManager.metricsPort | Metrics port for controller manager | `8888` | | controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` | | controllerManager.exemptNamespaces | The namespaces to exempt | `[]` | | controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` | | audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` | | audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` | | audit.healthPort | Health port for audit | `9090` | -| audit.prometheusPort | Metrics port for audit | `8888` | +| audit.metricsPort | Metrics port for audit | `8888` | | replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` | | podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` | | podLabels | The labels to add to the Gatekeeper pods | `{}` | diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml index 32d75e216a9..655c4a52f10 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml 
@@ -52,7 +52,7 @@ spec: - --operation=status - --logtostderr - --health-addr=:{{ .Values.audit.healthPort }} - - --prometheus-port={{ .Values.audit.prometheusPort }} + - --prometheus-port={{ .Values.audit.metricsPort }} command: - /manager env: @@ -73,7 +73,7 @@ spec: port: {{ .Values.audit.healthPort }} name: manager ports: - - containerPort: {{ .Values.audit.prometheusPort }} + - containerPort: {{ .Values.audit.metricsPort }} name: metrics protocol: TCP - containerPort: {{ .Values.audit.healthPort }} diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml index f07a20c7450..9c5565adad8 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml @@ -43,7 +43,7 @@ spec: - args: - --port={{ .Values.controllerManager.port }} - --health-addr=:{{ .Values.controllerManager.healthPort }} - - --prometheus-port={{ .Values.controllerManager.prometheusPort }} + - --prometheus-port={{ .Values.controllerManager.metricsPort }} - --logtostderr - --log-denies={{ .Values.logDenies }} - --emit-admission-events={{ .Values.emitAdmissionEvents }} @@ -82,7 +82,7 @@ spec: - containerPort: {{ .Values.controllerManager.port }} name: webhook-server protocol: TCP - - containerPort: {{ .Values.controllerManager.prometheusPort }} + - containerPort: {{ .Values.controllerManager.metricsPort }} name: metrics protocol: TCP - containerPort: {{ .Values.controllerManager.healthPort }} diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml index 4995d07c098..342d1cb5fab 100644 --- a/manifest_staging/charts/gatekeeper/values.yaml +++ b/manifest_staging/charts/gatekeeper/values.yaml 
@@ -37,7 +37,7 @@ controllerManager: exemptNamespaces: [] hostNetwork: false port: 8443 - prometheusPort: 8888 + metricsPort: 8888 healthPort: 9090 priorityClassName: system-cluster-critical affinity: @@ -63,7 +63,7 @@ controllerManager: memory: 256Mi audit: hostNetwork: false - prometheusPort: 8888 + metricsPort: 8888 healthPort: 9090 priorityClassName: system-cluster-critical affinity: {}