diff --git a/apis/config/groups.go b/apis/config/groups.go new file mode 100644 index 000000000..ed12c536e --- /dev/null +++ b/apis/config/groups.go @@ -0,0 +1,9 @@ +package config + +import ( + "fmt" + + "github.com/open-policy-agent/gatekeeper/v3/apis/disambiguator" +) + +var ConfigGroupName = fmt.Sprintf("config.%s%s", disambiguator.Disambiguator, disambiguator.GatekeeprApiSuffix) diff --git a/apis/config/v1alpha1/groupversion_info.go b/apis/config/v1alpha1/groupversion_info.go index 2e0dc7185..90eb12ed9 100644 --- a/apis/config/v1alpha1/groupversion_info.go +++ b/apis/config/v1alpha1/groupversion_info.go @@ -19,13 +19,14 @@ limitations under the License. package v1alpha1 import ( + "github.com/open-policy-agent/gatekeeper/v3/apis/config" "k8s.io/apimachinery/pkg/runtime/schema" "sigs.k8s.io/controller-runtime/pkg/scheme" ) var ( // GroupVersion is group version used to register these objects. - GroupVersion = schema.GroupVersion{Group: "config.gatekeeper.sh", Version: "v1alpha1"} + GroupVersion = schema.GroupVersion{Group: config.ConfigGroupName, Version: "v1alpha1"} // SchemeBuilder is used to add go types to the GroupVersionKind scheme. SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion} diff --git a/apis/disambiguator/disambiguator.go b/apis/disambiguator/disambiguator.go new file mode 100644 index 000000000..6c7dba7a5 --- /dev/null +++ b/apis/disambiguator/disambiguator.go @@ -0,0 +1,19 @@ +package disambiguator + +import ( + "fmt" + "os" +) + +const GatekeeprApiSuffix = "gatekeeper.sh" + +var Disambiguator string = readDisambiguatorFromEnvVars() + +func readDisambiguatorFromEnvVars() string { + value, exists := os.LookupEnv("GATEKEEPER_API_NAME_DISAMBIGUATOR") + if exists { + return fmt.Sprintf("%s-", value) + } + + return "" +} diff --git a/apis/expansion/groups.go b/apis/expansion/groups.go new file mode 100644 index 000000000..79f1f3195 --- /dev/null +++ b/apis/expansion/groups.go 
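Review bot: `readDisambiguatorFromEnvVars` turns an environment variable that is set but empty into the prefix `-`, because `os.LookupEnv` reports `exists` for `GATEKEEPER_API_NAME_DISAMBIGUATOR=""` and the function then returns `fmt.Sprintf("%s-", "")`; every group becomes `config.-gatekeeper.sh`, which is not a valid API group, while the chart's RBAC templates in this same commit treat an empty disambiguator as "no prefix". The value is also used unchecked as a segment of a DNS-style API group name, so any character outside the RFC 1123 label set (uppercase, `_`, `.`) silently yields groups the apiserver rejects at CRD registration; validating once at start-up and failing fast is cheaper than debugging a scheme/CRD mismatch later, and the rewrite below needs `regexp` added to the file's imports. While here, `GatekeeprApiSuffix` is misspelled and does not follow Go's initialism convention (`GatekeeperAPISuffix`), and neither exported name has a doc comment, e.g. `// Disambiguator is the optional prefix inserted before "gatekeeper.sh" in every Gatekeeper API group; read once from GATEKEEPER_API_NAME_DISAMBIGUATOR at package init.`
```go
// dnsLabel is the character set allowed in one segment of an API group (RFC 1123 label).
var dnsLabel = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$`)

// readDisambiguatorFromEnvVars returns "<value>-" when GATEKEEPER_API_NAME_DISAMBIGUATOR
// is set to a non-empty DNS label, "" when it is unset or empty, and panics at
// package init on an invalid value so a bad group name cannot reach scheme registration.
func readDisambiguatorFromEnvVars() string {
	value := os.Getenv("GATEKEEPER_API_NAME_DISAMBIGUATOR")
	if value == "" {
		return ""
	}
	if !dnsLabel.MatchString(value) {
		panic(fmt.Sprintf("GATEKEEPER_API_NAME_DISAMBIGUATOR %q is not a valid DNS label", value))
	}
	return value + "-"
}
```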
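Review bot: The exported names in the new group files stutter with their package (`config.ConfigGroupName` here, and on the following lines `expansion.ExpansionGroupName`, `mutations.MutationGroupName`, `status.StatusGroupName`, `syncset.SyncSetGroupNama`), and none of them carries a doc comment; `config.GroupName` with `// GroupName is the API group served by this package, including the optional disambiguator prefix.` reads better at every call site. The declarations are also inconsistent with each other: `mutations.MutationGroupName string =` and `status.StatusGroupName string =` spell out the type while the others rely on inference, the mutations file is named `group.go` where the others are `groups.go`, and `MutationGroupName` is singular against its package `mutations`. Picking one form for all five files now avoids the drift these parallel declarations invite.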
@@ -0,0 +1,9 @@ +package expansion + +import ( + "fmt" + + "github.com/open-policy-agent/gatekeeper/v3/apis/disambiguator" +) + +var ExpansionGroupName = fmt.Sprintf("expansion.%s%s", disambiguator.Disambiguator, disambiguator.GatekeeprApiSuffix) diff --git a/apis/expansion/v1beta1/groupversion_info.go b/apis/expansion/v1beta1/groupversion_info.go index 843f98e7e..6fa029b00 100644 --- a/apis/expansion/v1beta1/groupversion_info.go +++ b/apis/expansion/v1beta1/groupversion_info.go @@ -19,6 +19,7 @@ limitations under the License. package v1beta1 import ( + "github.com/open-policy-agent/gatekeeper/v3/apis/expansion" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" "sigs.k8s.io/controller-runtime/pkg/scheme" @@ -26,7 +27,7 @@ import ( var ( // GroupVersion is group version used to register these objects. - GroupVersion = schema.GroupVersion{Group: "expansion.gatekeeper.sh", Version: "v1beta1"} + GroupVersion = schema.GroupVersion{Group: expansion.ExpansionGroupName, Version: "v1beta1"} // SchemeBuilder is used to add go types to the GroupVersionKind scheme. SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion} diff --git a/apis/mutations/group.go b/apis/mutations/group.go new file mode 100644 index 000000000..b64d1e89b --- /dev/null +++ b/apis/mutations/group.go @@ -0,0 +1,9 @@ +package mutations + +import ( + "fmt" + + "github.com/open-policy-agent/gatekeeper/v3/apis/disambiguator" +) + +var MutationGroupName string = fmt.Sprintf("mutations.%s%s", disambiguator.Disambiguator, disambiguator.GatekeeprApiSuffix) diff --git a/apis/mutations/v1/groupversion_info.go b/apis/mutations/v1/groupversion_info.go index eb5847396..c845c416a 100644 --- a/apis/mutations/v1/groupversion_info.go +++ b/apis/mutations/v1/groupversion_info.go 
@@ -19,6 +19,7 @@ limitations under the License. package v1 import ( + "github.com/open-policy-agent/gatekeeper/v3/apis/mutations" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" "sigs.k8s.io/controller-runtime/pkg/scheme" @@ -26,7 +27,7 @@ import ( var ( // GroupVersion is group version used to register these objects. - GroupVersion = schema.GroupVersion{Group: "mutations.gatekeeper.sh", Version: "v1"} + GroupVersion = schema.GroupVersion{Group: mutations.MutationGroupName, Version: "v1"} // SchemeBuilder is used to add go types to the GroupVersionKind scheme. SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion} diff --git a/apis/mutations/v1alpha1/groupversion_info.go b/apis/mutations/v1alpha1/groupversion_info.go index ea6ba683f..bd83e2f38 100644 --- a/apis/mutations/v1alpha1/groupversion_info.go +++ b/apis/mutations/v1alpha1/groupversion_info.go @@ -19,6 +19,7 @@ limitations under the License. package v1alpha1 import ( + "github.com/open-policy-agent/gatekeeper/v3/apis/mutations" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" "sigs.k8s.io/controller-runtime/pkg/scheme" @@ -26,7 +27,7 @@ import ( var ( // GroupVersion is group version used to register these objects. - GroupVersion = schema.GroupVersion{Group: "mutations.gatekeeper.sh", Version: "v1alpha1"} + GroupVersion = schema.GroupVersion{Group: mutations.MutationGroupName, Version: "v1alpha1"} // SchemeBuilder is used to add go types to the GroupVersionKind scheme. SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion} diff --git a/apis/mutations/v1beta1/groupversion_info.go b/apis/mutations/v1beta1/groupversion_info.go index 7fc6eaa57..4f91bb37e 100644 --- a/apis/mutations/v1beta1/groupversion_info.go +++ b/apis/mutations/v1beta1/groupversion_info.go 
@@ -19,6 +19,7 @@ limitations under the License. package v1beta1 import ( + "github.com/open-policy-agent/gatekeeper/v3/apis/mutations" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" "sigs.k8s.io/controller-runtime/pkg/scheme" @@ -26,7 +27,7 @@ import ( var ( // GroupVersion is group version used to register these objects. - GroupVersion = schema.GroupVersion{Group: "mutations.gatekeeper.sh", Version: "v1beta1"} + GroupVersion = schema.GroupVersion{Group: mutations.MutationGroupName, Version: "v1beta1"} // SchemeBuilder is used to add go types to the GroupVersionKind scheme. SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion} diff --git a/apis/status/groups.go b/apis/status/groups.go new file mode 100644 index 000000000..9ca7e9b35 --- /dev/null +++ b/apis/status/groups.go @@ -0,0 +1,10 @@ +package status + +import ( + "fmt" + + "github.com/open-policy-agent/gatekeeper/v3/apis/disambiguator" +) + +var StatusGroupName string = fmt.Sprintf("status.%s%s", disambiguator.Disambiguator, disambiguator.GatekeeprApiSuffix) +var ConstraintsGroupName = fmt.Sprintf("constraints.%s%s", disambiguator.Disambiguator, disambiguator.GatekeeprApiSuffix) diff --git a/apis/status/v1beta1/constraintpodstatus_types.go b/apis/status/v1beta1/constraintpodstatus_types.go index 292a298d1..b04ac1f25 100644 --- a/apis/status/v1beta1/constraintpodstatus_types.go +++ b/apis/status/v1beta1/constraintpodstatus_types.go @@ -18,6 +18,7 @@ package v1beta1 import ( "strings" + "github.com/open-policy-agent/gatekeeper/v3/apis/status" "github.com/open-policy-agent/gatekeeper/v3/pkg/operations" "github.com/open-policy-agent/gatekeeper/v3/pkg/util" corev1 "k8s.io/api/core/v1" 
@@ -28,8 +29,8 @@ import ( "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" ) -// ConstraintsGroup is the API Group for Gatekeeper Constraints. -const ConstraintsGroup = "constraints.gatekeeper.sh" +// ConstraintsGroupName is the API Group for Gatekeeper Constraints. +var ConstraintsGroupName = status.ConstraintsGroupName // ConstraintPodStatusStatus defines the observed state of ConstraintPodStatus. type ConstraintPodStatusStatus struct { diff --git a/apis/status/v1beta1/constraintpodstatus_types_test.go b/apis/status/v1beta1/constraintpodstatus_types_test.go index db88a672f..5bd5240cf 100644 --- a/apis/status/v1beta1/constraintpodstatus_types_test.go +++ b/apis/status/v1beta1/constraintpodstatus_types_test.go @@ -39,7 +39,7 @@ func TestNewConstraintStatusForPod(t *testing.T) { ) cstr := &unstructured.Unstructured{} - cstr.SetGroupVersionKind(schema.GroupVersionKind{Group: v1beta1.ConstraintsGroup, Version: "v1beta1", Kind: cstrKind}) + cstr.SetGroupVersionKind(schema.GroupVersionKind{Group: v1beta1.ConstraintsGroupName, Version: "v1beta1", Kind: cstrKind}) cstr.SetName(cstrName) wantStatus := &v1beta1.ConstraintPodStatus{} diff --git a/apis/status/v1beta1/groupversion_info.go b/apis/status/v1beta1/groupversion_info.go index 75d7ba295..b4bdf2611 100644 --- a/apis/status/v1beta1/groupversion_info.go +++ b/apis/status/v1beta1/groupversion_info.go @@ -19,13 +19,14 @@ limitations under the License. package v1beta1 import ( + "github.com/open-policy-agent/gatekeeper/v3/apis/status" "k8s.io/apimachinery/pkg/runtime/schema" "sigs.k8s.io/controller-runtime/pkg/scheme" ) var ( // GroupVersion is group version used to register these objects. - GroupVersion = schema.GroupVersion{Group: "status.gatekeeper.sh", Version: "v1beta1"} + GroupVersion = schema.GroupVersion{Group: status.StatusGroupName, Version: "v1beta1"} // SchemeBuilder is used to add go types to the GroupVersionKind scheme. SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion} 
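Review bot: Renaming the exported `ConstraintsGroup` to `ConstraintsGroupName` in constraintpodstatus_types.go breaks every importer of `v1beta1.ConstraintsGroup`; the test in this diff was updated, but any other caller in the repository is not visible here. The sibling hunk for mutatorpodstatus_types.go on the next line keeps its old name (`var MutationsGroup = mutations.MutationGroupName`), so the two files now disagree on convention. Keeping the name, `var ConstraintsGroup = status.ConstraintsGroupName`, avoids the churn and keeps the existing comment `// ConstraintsGroup is the API Group for Gatekeeper Constraints.` true. Both hunks also turn a `const` into an exported package-level `var` that any importer can reassign at runtime; if callers should not be able to change the group, an accessor func over an unexported var would be safer, though that is a larger change.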
diff --git a/apis/status/v1beta1/mutatorpodstatus_types.go b/apis/status/v1beta1/mutatorpodstatus_types.go index fa13849ee..ca413c5bf 100644 --- a/apis/status/v1beta1/mutatorpodstatus_types.go +++ b/apis/status/v1beta1/mutatorpodstatus_types.go @@ -18,6 +18,7 @@ package v1beta1 import ( "strings" + "github.com/open-policy-agent/gatekeeper/v3/apis/mutations" mtypes "github.com/open-policy-agent/gatekeeper/v3/pkg/mutation/types" "github.com/open-policy-agent/gatekeeper/v3/pkg/operations" "github.com/open-policy-agent/gatekeeper/v3/pkg/util" @@ -29,7 +30,7 @@ import ( ) // MutationsGroup is the API Group for Gatekeeper Mutators. -const MutationsGroup = "mutations.gatekeeper.sh" +var MutationsGroup = mutations.MutationGroupName // MutatorPodStatusStatus defines the observed state of MutatorPodStatus. type MutatorPodStatusStatus struct { diff --git a/apis/syncset/groups.go b/apis/syncset/groups.go new file mode 100644 index 000000000..c5ef153c9 --- /dev/null +++ b/apis/syncset/groups.go @@ -0,0 +1,9 @@ +package syncset + +import ( + "fmt" + + "github.com/open-policy-agent/gatekeeper/v3/apis/disambiguator" +) + +var SyncSetGroupNama = fmt.Sprintf("syncset.%s%s", disambiguator.Disambiguator, disambiguator.GatekeeprApiSuffix) diff --git a/apis/syncset/v1alpha1/groupversion_info.go b/apis/syncset/v1alpha1/groupversion_info.go index 076385290..a3ed3572f 100644 --- a/apis/syncset/v1alpha1/groupversion_info.go +++ b/apis/syncset/v1alpha1/groupversion_info.go 
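Review bot: `SyncSetGroupNama` in the new apis/syncset/groups.go is a typo that is then carried into the consumer on the next line (`syncset.SyncSetGroupNama` in syncset/v1alpha1/groupversion_info.go); because the identifier is exported, fixing it later becomes an API change, so it should read `var SyncSetGroupName = fmt.Sprintf("syncset.%s%s", disambiguator.Disambiguator, disambiguator.GatekeeprApiSuffix)` before merge. Like the other group files it also lacks a doc comment; `// SyncSetGroupName is the API group for SyncSet resources, including the optional disambiguator prefix.` would do.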
@@ -4,13 +4,14 @@ package v1alpha1 import ( + "github.com/open-policy-agent/gatekeeper/v3/apis/syncset" "k8s.io/apimachinery/pkg/runtime/schema" "sigs.k8s.io/controller-runtime/pkg/scheme" ) var ( // GroupVersion is group version used to register these objects. - GroupVersion = schema.GroupVersion{Group: "syncset.gatekeeper.sh", Version: "v1alpha1"} + GroupVersion = schema.GroupVersion{Group: syncset.SyncSetGroupNama, Version: "v1alpha1"} // SchemeBuilder is used to add go types to the GroupVersionKind scheme. SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion} diff --git a/charts/gatekeeper/crds/assign-customresourcedefinition.yaml b/charts/gatekeeper/crds/assign-customresourcedefinition.yaml index 0221a1948..4eb2486f7 100644 --- a/charts/gatekeeper/crds/assign-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/assign-customresourcedefinition.yaml @@ -5,9 +5,9 @@ metadata: controller-gen.kubebuilder.io/version: v0.10.0 labels: gatekeeper.sh/system: "yes" - name: assign.mutations.gatekeeper.sh + name: assign.mutations.asafalg-gatekeeper.sh spec: - group: mutations.gatekeeper.sh + group: mutations.asafalg-gatekeeper.sh names: kind: Assign listKind: AssignList diff --git a/charts/gatekeeper/crds/assignimage-customresourcedefinition.yaml b/charts/gatekeeper/crds/assignimage-customresourcedefinition.yaml index 197f2f179..c53c8976a 100644 --- a/charts/gatekeeper/crds/assignimage-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/assignimage-customresourcedefinition.yaml @@ -5,9 +5,9 @@ metadata: controller-gen.kubebuilder.io/version: v0.10.0 labels: gatekeeper.sh/system: "yes" - name: assignimage.mutations.gatekeeper.sh + name: assignimage.mutations.asafalg-gatekeeper.sh spec: - group: mutations.gatekeeper.sh + group: mutations.asafalg-gatekeeper.sh names: kind: AssignImage listKind: AssignImageList 
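Review bot: The CRD manifests under charts/gatekeeper/crds/ hard-code the group `mutations.asafalg-gatekeeper.sh` (and `name: assign.mutations.asafalg-gatekeeper.sh`), whereas the RBAC templates in this same commit compute the group from `.Values.disambiguator` and the Go side reads it from an environment variable; any value other than `asafalg`, including the empty one the RBAC template explicitly supports, leaves the controller with RBAC for one group and CRDs for another. The same applies to every CRD hunk on the following lines through the syncset CRD. Helm does not render files in `crds/`, so the prefix cannot simply be templated there; either the CRDs move to `templates/` using the same ternary, or `asafalg` has to be documented as a fixed value and the `.Values.disambiguator` knob dropped. Changing a CRD's group is also, from the apiserver's point of view, a new API: objects stored under `mutations.gatekeeper.sh` are neither served nor migrated by this change (inferred from the manifests; no upgrade or migration step is visible in the diff).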
diff --git a/charts/gatekeeper/crds/assignmetadata-customresourcedefinition.yaml b/charts/gatekeeper/crds/assignmetadata-customresourcedefinition.yaml index 65c17ed3a..ba4c6e786 100644 --- a/charts/gatekeeper/crds/assignmetadata-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/assignmetadata-customresourcedefinition.yaml @@ -5,9 +5,9 @@ metadata: controller-gen.kubebuilder.io/version: v0.10.0 labels: gatekeeper.sh/system: "yes" - name: assignmetadata.mutations.gatekeeper.sh + name: assignmetadata.mutations.asafalg-gatekeeper.sh spec: - group: mutations.gatekeeper.sh + group: mutations.asafalg-gatekeeper.sh names: kind: AssignMetadata listKind: AssignMetadataList diff --git a/charts/gatekeeper/crds/config-customresourcedefinition.yaml b/charts/gatekeeper/crds/config-customresourcedefinition.yaml index 269ca95f9..11f3ea837 100644 --- a/charts/gatekeeper/crds/config-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/config-customresourcedefinition.yaml @@ -5,9 +5,9 @@ metadata: controller-gen.kubebuilder.io/version: v0.10.0 labels: gatekeeper.sh/system: "yes" - name: configs.config.gatekeeper.sh + name: configs.config.asafalg-gatekeeper.sh spec: - group: config.gatekeeper.sh + group: config.asafalg-gatekeeper.sh names: kind: Config listKind: ConfigList diff --git a/charts/gatekeeper/crds/constraintpodstatus-customresourcedefinition.yaml b/charts/gatekeeper/crds/constraintpodstatus-customresourcedefinition.yaml index 230a541bb..08b821fe7 100644 --- a/charts/gatekeeper/crds/constraintpodstatus-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/constraintpodstatus-customresourcedefinition.yaml 
@@ -5,9 +5,9 @@ metadata: controller-gen.kubebuilder.io/version: v0.10.0 labels: gatekeeper.sh/system: "yes" - name: constraintpodstatuses.status.gatekeeper.sh + name: constraintpodstatuses.status.asafalg-gatekeeper.sh spec: - group: status.gatekeeper.sh + group: status.asafalg-gatekeeper.sh names: kind: ConstraintPodStatus listKind: ConstraintPodStatusList diff --git a/charts/gatekeeper/crds/constrainttemplate-customresourcedefinition.yaml b/charts/gatekeeper/crds/constrainttemplate-customresourcedefinition.yaml index afc89d03b..18bc49bb9 100644 --- a/charts/gatekeeper/crds/constrainttemplate-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/constrainttemplate-customresourcedefinition.yaml @@ -5,9 +5,9 @@ metadata: controller-gen.kubebuilder.io/version: v0.10.0 labels: gatekeeper.sh/system: "yes" - name: constrainttemplates.templates.gatekeeper.sh + name: constrainttemplates.templates.asafalg-gatekeeper.sh spec: - group: templates.gatekeeper.sh + group: templates.asafalg-gatekeeper.sh names: kind: ConstraintTemplate listKind: ConstraintTemplateList diff --git a/charts/gatekeeper/crds/constrainttemplatepodstatus-customresourcedefinition.yaml b/charts/gatekeeper/crds/constrainttemplatepodstatus-customresourcedefinition.yaml index 271572bd7..3603674f6 100644 --- a/charts/gatekeeper/crds/constrainttemplatepodstatus-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/constrainttemplatepodstatus-customresourcedefinition.yaml @@ -5,9 +5,9 @@ metadata: controller-gen.kubebuilder.io/version: v0.10.0 labels: gatekeeper.sh/system: "yes" - name: constrainttemplatepodstatuses.status.gatekeeper.sh + name: constrainttemplatepodstatuses.status.asafalg-gatekeeper.sh spec: - group: status.gatekeeper.sh + group: status.asafalg-gatekeeper.sh names: kind: ConstraintTemplatePodStatus listKind: ConstraintTemplatePodStatusList 
diff --git a/charts/gatekeeper/crds/expansiontemplate-customresourcedefinition.yaml b/charts/gatekeeper/crds/expansiontemplate-customresourcedefinition.yaml index 0452edb77..3806ecbd9 100644 --- a/charts/gatekeeper/crds/expansiontemplate-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/expansiontemplate-customresourcedefinition.yaml @@ -5,9 +5,9 @@ metadata: controller-gen.kubebuilder.io/version: v0.10.0 labels: gatekeeper.sh/system: "yes" - name: expansiontemplate.expansion.gatekeeper.sh + name: expansiontemplate.expansion.asafalg-gatekeeper.sh spec: - group: expansion.gatekeeper.sh + group: expansion.asafalg-gatekeeper.sh names: kind: ExpansionTemplate listKind: ExpansionTemplateList diff --git a/charts/gatekeeper/crds/expansiontemplatepodstatus-customresourcedefinition.yaml b/charts/gatekeeper/crds/expansiontemplatepodstatus-customresourcedefinition.yaml index 8f49b4c5f..0fe762aef 100644 --- a/charts/gatekeeper/crds/expansiontemplatepodstatus-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/expansiontemplatepodstatus-customresourcedefinition.yaml @@ -5,9 +5,9 @@ metadata: controller-gen.kubebuilder.io/version: v0.10.0 labels: gatekeeper.sh/system: "yes" - name: expansiontemplatepodstatuses.status.gatekeeper.sh + name: expansiontemplatepodstatuses.status.asafalg-gatekeeper.sh spec: - group: status.gatekeeper.sh + group: status.asafalg-gatekeeper.sh names: kind: ExpansionTemplatePodStatus listKind: ExpansionTemplatePodStatusList diff --git a/charts/gatekeeper/crds/modifyset-customresourcedefinition.yaml b/charts/gatekeeper/crds/modifyset-customresourcedefinition.yaml index 46574fd36..34bd2e585 100644 --- a/charts/gatekeeper/crds/modifyset-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/modifyset-customresourcedefinition.yaml 
@@ -5,9 +5,9 @@ metadata: controller-gen.kubebuilder.io/version: v0.10.0 labels: gatekeeper.sh/system: "yes" - name: modifyset.mutations.gatekeeper.sh + name: modifyset.mutations.asafalg-gatekeeper.sh spec: - group: mutations.gatekeeper.sh + group: mutations.asafalg-gatekeeper.sh names: kind: ModifySet listKind: ModifySetList diff --git a/charts/gatekeeper/crds/mutatorpodstatus-customresourcedefinition.yaml b/charts/gatekeeper/crds/mutatorpodstatus-customresourcedefinition.yaml index fd6a0f6de..bc4f5d6b9 100644 --- a/charts/gatekeeper/crds/mutatorpodstatus-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/mutatorpodstatus-customresourcedefinition.yaml @@ -5,9 +5,9 @@ metadata: controller-gen.kubebuilder.io/version: v0.10.0 labels: gatekeeper.sh/system: "yes" - name: mutatorpodstatuses.status.gatekeeper.sh + name: mutatorpodstatuses.status.asafalg-gatekeeper.sh spec: - group: status.gatekeeper.sh + group: status.asafalg-gatekeeper.sh names: kind: MutatorPodStatus listKind: MutatorPodStatusList diff --git a/charts/gatekeeper/crds/provider-customresourcedefinition.yaml b/charts/gatekeeper/crds/provider-customresourcedefinition.yaml index 177afbb67..f216c656f 100644 --- a/charts/gatekeeper/crds/provider-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/provider-customresourcedefinition.yaml @@ -5,9 +5,9 @@ metadata: controller-gen.kubebuilder.io/version: v0.10.0 labels: gatekeeper.sh/system: "yes" - name: providers.externaldata.gatekeeper.sh + name: providers.externaldata.asafalg-gatekeeper.sh spec: - group: externaldata.gatekeeper.sh + group: externaldata.asafalg-gatekeeper.sh names: kind: Provider listKind: ProviderList diff --git a/charts/gatekeeper/crds/syncset-customresourcedefinition.yaml b/charts/gatekeeper/crds/syncset-customresourcedefinition.yaml index c5c51f9da..259eb133b 100644 --- a/charts/gatekeeper/crds/syncset-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/syncset-customresourcedefinition.yaml 
@@ -5,9 +5,9 @@ metadata: controller-gen.kubebuilder.io/version: v0.10.0 labels: gatekeeper.sh/system: "yes" - name: syncsets.syncset.gatekeeper.sh + name: syncsets.syncset.asafalg-gatekeeper.sh spec: - group: syncset.gatekeeper.sh + group: syncset.asafalg-gatekeeper.sh names: kind: SyncSet listKind: SyncSetList diff --git a/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml b/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml index 33c1cbecc..dc7a62bf8 100644 --- a/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml +++ b/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml @@ -106,6 +106,8 @@ spec: value: manager - name: OTEL_RESOURCE_ATTRIBUTES value: k8s.pod.name=$(POD_NAME),k8s.namespace.name=$(NAMESPACE),k8s.container.name=$(CONTAINER_NAME) + - name: GATEKEEPER_API_NAME_DISAMBIGUATOR + value: asafalg imagePullPolicy: '{{ .Values.image.pullPolicy }}' livenessProbe: httpGet: diff --git a/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml b/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml index 9edd16218..86d4c6e6e 100644 --- a/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml +++ b/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml @@ -119,6 +119,8 @@ spec: value: manager - name: OTEL_RESOURCE_ATTRIBUTES value: k8s.pod.name=$(POD_NAME),k8s.namespace.name=$(NAMESPACE),k8s.container.name=$(CONTAINER_NAME) + - name: GATEKEEPER_API_NAME_DISAMBIGUATOR + value: asafalg imagePullPolicy: '{{ .Values.image.pullPolicy }}' livenessProbe: httpGet: diff --git a/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml b/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml index 3e5592336..348fff806 100644 --- a/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml +++ b/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml 
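Review bot: Both deployment templates hard-code `value: asafalg` for `GATEKEEPER_API_NAME_DISAMBIGUATOR` instead of reading the chart value the RBAC templates already use, so setting `disambiguator` to anything else silently leaves the binary registering the `asafalg-` groups. Use `value: '{{ .Values.disambiguator }}'` in both gatekeeper-audit-deployment.yaml and gatekeeper-controller-manager-deployment.yaml, and wrap the two env lines in `{{- if .Values.disambiguator }}` … `{{- end }}` so an empty value omits the variable entirely; with the Go code in this commit a set-but-empty variable produces a leading `-` in every group name. The new env entry has no matching documentation in values.yaml; a comment there stating that the value must match the groups baked into the CRDs would save the next operator a broken install.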
@@ -9,7 +9,7 @@ metadata: gatekeeper.sh/system: "yes" heritage: '{{ .Release.Service }}' release: '{{ .Release.Name }}' - name: gatekeeper-manager-role + name: {{ .Values.managerRoleName }} rules: - apiGroups: - "" @@ -71,7 +71,7 @@ rules: - patch - update - apiGroups: - - constraints.gatekeeper.sh + - {{ empty .Values.disambiguator | ternary "constraints.gatekeeper.sh" (printf "constraints.%s-gatekeeper.sh" .Values.disambiguator) }} resources: - '*' verbs: @@ -83,7 +83,7 @@ rules: - update - watch - apiGroups: - - expansion.gatekeeper.sh + - {{ empty .Values.disambiguator | ternary "expansion.gatekeeper.sh" (printf "expansion.%s-gatekeeper.sh" .Values.disambiguator) }} resources: - '*' verbs: @@ -95,7 +95,7 @@ rules: - update - watch - apiGroups: - - externaldata.gatekeeper.sh + - {{ empty .Values.disambiguator | ternary "externaldata.gatekeeper.sh" (printf "externaldata.%s-gatekeeper.sh" .Values.disambiguator) }} resources: - providers verbs: @@ -107,7 +107,7 @@ rules: - update - watch - apiGroups: - - mutations.gatekeeper.sh + - {{ empty .Values.disambiguator | ternary "mutations.gatekeeper.sh" (printf "mutations.%s-gatekeeper.sh" .Values.disambiguator) }} resources: - '*' verbs: @@ -129,7 +129,7 @@ rules: - use {{- end }} - apiGroups: - - status.gatekeeper.sh + - {{ empty .Values.disambiguator | ternary "status.gatekeeper.sh" (printf "status.%s-gatekeeper.sh" .Values.disambiguator) }} resources: - '*' verbs: @@ -141,7 +141,7 @@ rules: - update - watch - apiGroups: - - templates.gatekeeper.sh + - {{ empty .Values.disambiguator | ternary "templates.gatekeeper.sh" (printf "templates.%s-gatekeeper.sh" .Values.disambiguator) }} resources: - constrainttemplates verbs: @@ -153,7 +153,7 @@ rules: - update - watch - apiGroups: - - templates.gatekeeper.sh + - {{ empty .Values.disambiguator | ternary "templates.gatekeeper.sh" (printf "templates.%s-gatekeeper.sh" .Values.disambiguator) }} resources: - constrainttemplates/finalizers verbs: 
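Review bot: The same ternary (`empty .Values.disambiguator | ternary "X.gatekeeper.sh" (printf "X.%s-gatekeeper.sh" .Values.disambiguator)`) is repeated for every apiGroup in gatekeeper-manager-role-clusterrole.yaml, including the three `templates.gatekeeper.sh` rules and the one that continues on the next line; a named template taking the group stem, e.g. `{{ include "gatekeeper.apiGroup" (list . "templates") }}` defined once in the chart's helpers file, keeps the nine copies from drifting. `name: {{ .Values.managerRoleName }}` (also in the Role and the two bindings on the next line) renders an empty `name:` when the value is unset, which fails only at apply time; `{{ required "managerRoleName must be set" .Values.managerRoleName }}` fails at render time with a clear message. The chart does not constrain `.Values.disambiguator` to DNS-label characters either, so a value with uppercase or `_` passes Helm and is rejected by the apiserver; a `fail` guard inside that helper is the natural place for the check.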
@@ -162,7 +162,7 @@ rules: - patch - update - apiGroups: - - templates.gatekeeper.sh + - {{ empty .Values.disambiguator | ternary "templates.gatekeeper.sh" (printf "templates.%s-gatekeeper.sh" .Values.disambiguator) }} resources: - constrainttemplates/status verbs: diff --git a/charts/gatekeeper/templates/gatekeeper-manager-role-role.yaml b/charts/gatekeeper/templates/gatekeeper-manager-role-role.yaml index 1018dcdb6..2fa573daf 100644 --- a/charts/gatekeeper/templates/gatekeeper-manager-role-role.yaml +++ b/charts/gatekeeper/templates/gatekeeper-manager-role-role.yaml @@ -9,7 +9,7 @@ metadata: gatekeeper.sh/system: "yes" heritage: '{{ .Release.Service }}' release: '{{ .Release.Name }}' - name: gatekeeper-manager-role + name: {{ .Values.managerRoleName }} namespace: '{{ .Release.Namespace }}' rules: - apiGroups: diff --git a/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml b/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml index 1fb9f6c87..b8bc72f30 100644 --- a/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml +++ b/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml @@ -8,11 +8,11 @@ metadata: gatekeeper.sh/system: "yes" heritage: '{{ .Release.Service }}' release: '{{ .Release.Name }}' - name: gatekeeper-manager-rolebinding + name: {{ .Values.roleBindingName }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: gatekeeper-manager-role + name: {{ .Values.managerRoleName }} subjects: - kind: ServiceAccount name: gatekeeper-admin diff --git a/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-rolebinding.yaml b/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-rolebinding.yaml index fbe9580d5..36505e4a2 100644 --- a/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-rolebinding.yaml +++ b/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-rolebinding.yaml 
@@ -8,12 +8,12 @@ metadata: gatekeeper.sh/system: "yes" heritage: '{{ .Release.Service }}' release: '{{ .Release.Name }}' - name: gatekeeper-manager-rolebinding + name: {{ .Values.roleBindingName }} namespace: '{{ .Release.Namespace }}' roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: gatekeeper-manager-role + name: {{ .Values.managerRoleName }} subjects: - kind: ServiceAccount name: gatekeeper-admin diff --git a/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml b/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml index 5705f5679..01ea49c59 100644 --- a/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml +++ b/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml @@ -33,8 +33,7 @@ webhooks: - key: kubernetes.io/metadata.name operator: NotIn values: - - {{ .Release.Namespace }} - + - {{ .Release.Namespace }} {{- range $key, $value := .Values.mutatingWebhookExemptNamespacesLabels}} - key: {{ $key }} operator: NotIn diff --git a/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml b/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml index 9b65cebd2..a3177be2f 100644 --- a/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml +++ b/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml @@ -34,7 +34,6 @@ webhooks: operator: NotIn values: - {{ .Release.Namespace }} - {{- range $key, $value := .Values.validatingWebhookExemptNamespacesLabels}} - key: {{ $key }} operator: NotIn diff --git a/charts/gatekeeper/values.yaml b/charts/gatekeeper/values.yaml index eaf5a7396..26ec751c3 100644 --- a/charts/gatekeeper/values.yaml 
+++ b/charts/gatekeeper/values.yaml @@ -7,7 +7,7 @@ constraintViolationsLimit: 20 auditFromCache: false disableMutation: false disableValidatingWebhook: false -validatingWebhookName: gatekeeper-validating-webhook-configuration +validatingWebhookName: mdc-gatekeeper-validating-webhook-configuration validatingWebhookTimeoutSeconds: 3 validatingWebhookFailurePolicy: Ignore validatingWebhookAnnotations: {} @@ -17,11 +17,11 @@ validatingWebhookCheckIgnoreFailurePolicy: Fail validatingWebhookCustomRules: {} validatingWebhookURL: null enableDeleteOperations: false -enableExternalData: true +enableExternalData: false enableGeneratorResourceExpansion: true enableTLSHealthcheck: false maxServingThreads: -1 -mutatingWebhookName: gatekeeper-mutating-webhook-configuration +mutatingWebhookName: mdc-gatekeeper-mutating-webhook-configuration mutatingWebhookFailurePolicy: Ignore mutatingWebhookReinvocationPolicy: Never mutatingWebhookAnnotations: {} 
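Review bot: Flipping `enableExternalData` from `true` to `false` and renaming both webhook configurations to `mdc-gatekeeper-*` change behaviour for every user of the chart, yet nothing in the diff explains either; external-data providers stop being honoured on upgrade, and the renamed webhook configurations presumably leave the old `gatekeeper-validating-webhook-configuration` objects in place on existing clusters (inferred from the names alone; no cleanup step is visible). If these are environment-specific settings they belong in an override values file rather than the chart defaults; if they are intended defaults, the commit message and chart README should say so, with a `# NOTE:` comment next to each key in values.yaml.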
@@ -41,43 +41,48 @@ admissionEventsInvolvedNamespace: false auditEventsInvolvedNamespace: false resourceQuota: true externaldataProviderResponseCacheTTL: 3m +managerRoleName: mdc-gatekeeper-manager-role +roleBindingName: mdc-gatekeeper-manager-rolebinding image: - repository: openpolicyagent/gatekeeper - crdRepository: openpolicyagent/gatekeeper-crds - release: v3.16.0-beta.0 - pullPolicy: IfNotPresent + repository: testacrasafalg.azurecr.io/gatekeeper-disc + crdRepository: testacrasafalg.azurecr.io/gatekeeper-crds-mdc + release: latest + pullPolicy: Always pullSecrets: [] preInstall: crdRepository: image: repository: null - tag: v3.16.0-beta.0 + tag: latest postUpgrade: labelNamespace: enabled: false image: - repository: openpolicyagent/gatekeeper-crds - tag: v3.16.0-beta.0 - pullPolicy: IfNotPresent + repository: testacrasafalg.azurecr.io/gatekeeper-crds-mdc + tag: latest + pullPolicy: Always pullSecrets: [] extraNamespaces: [] - podSecurity: ["pod-security.kubernetes.io/audit=restricted", - "pod-security.kubernetes.io/audit-version=latest", - "pod-security.kubernetes.io/warn=restricted", - "pod-security.kubernetes.io/warn-version=latest", - "pod-security.kubernetes.io/enforce=restricted", - "pod-security.kubernetes.io/enforce-version=v1.24"] + podSecurity: + [ + "pod-security.kubernetes.io/audit=restricted", + "pod-security.kubernetes.io/audit-version=latest", + "pod-security.kubernetes.io/warn=restricted", + "pod-security.kubernetes.io/warn-version=latest", + "pod-security.kubernetes.io/enforce=restricted", + "pod-security.kubernetes.io/enforce-version=v1.24", + ] extraAnnotations: {} priorityClassName: "" affinity: {} tolerations: [] - nodeSelector: {kubernetes.io/os: linux} + nodeSelector: { kubernetes.io/os: linux } resources: {} securityContext: allowPrivilegeEscalation: false capabilities: drop: - - ALL + - ALL readOnlyRootFilesystem: true runAsGroup: 999 runAsNonRoot: true 
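Review bot: The chart's default images now point at a personal test registry with a mutable `latest` tag and `pullPolicy: Always` (`repository: testacrasafalg.azurecr.io/gatekeeper-disc`, `release: latest`), and the same substitution is repeated for `preInstall`, `postUpgrade` and, on the following lines, `postInstall` and `preUninstall`; a mutable tag means two installs of the same chart version can run different code, and a re-pushed or compromised tag reaches every cluster on the next pod restart. Defaults should keep the pinned upstream tag (`v3.16.0-beta.0` before this change) or a digest with `IfNotPresent`, and the test registry should live in a values override outside the chart. The list and map re-layout in these hunks is harmless, but the closing hunk of this file adds `disambiguator: 'asafalg'` quoted unlike every other string in the file and without a trailing newline; `disambiguator: ""` as the default, with the operator's value supplied at install time, would match the `empty` check the RBAC templates perform.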
@@ -87,17 +92,20 @@ postInstall: enabled: true extraRules: [] image: - repository: openpolicyagent/gatekeeper-crds - tag: v3.16.0-beta.0 - pullPolicy: IfNotPresent + repository: testacrasafalg.azurecr.io/gatekeeper-crds-mdc + tag: latest + pullPolicy: Always pullSecrets: [] extraNamespaces: [] - podSecurity: ["pod-security.kubernetes.io/audit=restricted", - "pod-security.kubernetes.io/audit-version=latest", - "pod-security.kubernetes.io/warn=restricted", - "pod-security.kubernetes.io/warn-version=latest", - "pod-security.kubernetes.io/enforce=restricted", - "pod-security.kubernetes.io/enforce-version=v1.24"] + podSecurity: + [ + "pod-security.kubernetes.io/audit=restricted", + "pod-security.kubernetes.io/audit-version=latest", + "pod-security.kubernetes.io/warn=restricted", + "pod-security.kubernetes.io/warn-version=latest", + "pod-security.kubernetes.io/enforce=restricted", + "pod-security.kubernetes.io/enforce-version=v1.24", + ] extraAnnotations: {} priorityClassName: "" probeWebhook: @@ -105,7 +113,7 @@ postInstall: image: repository: curlimages/curl tag: 7.83.1 - pullPolicy: IfNotPresent + pullPolicy: Always pullSecrets: [] waitTimeout: 60 httpTimeout: 2 @@ -113,12 +121,12 @@ postInstall: priorityClassName: "" affinity: {} tolerations: [] - nodeSelector: {kubernetes.io/os: linux} + nodeSelector: { kubernetes.io/os: linux } securityContext: allowPrivilegeEscalation: false capabilities: drop: - - ALL + - ALL readOnlyRootFilesystem: true runAsGroup: 999 runAsNonRoot: true 
@@ -128,20 +136,20 @@ preUninstall:
 extraRules: []
 enabled: false
 image:
- repository: openpolicyagent/gatekeeper-crds
- tag: v3.16.0-beta.0
- pullPolicy: IfNotPresent
+ repository: testacrasafalg.azurecr.io/gatekeeper-crds-mdc
+ tag: latest
+ pullPolicy: Always
 pullSecrets: []
 priorityClassName: ""
 affinity: {}
 tolerations: []
- nodeSelector: {kubernetes.io/os: linux}
+ nodeSelector: { kubernetes.io/os: linux }
 resources: {}
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
- - ALL
+ - ALL
 readOnlyRootFilesystem: true
 runAsGroup: 999
 runAsNonRoot: true
@@ -181,7 +189,7 @@ controllerManager:
 weight: 100
 topologySpreadConstraints: []
 tolerations: []
- nodeSelector: {kubernetes.io/os: linux}
+ nodeSelector: { kubernetes.io/os: linux }
 resources:
 limits:
 memory: 512Mi
@@ -192,7 +200,7 @@ controllerManager:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
- - ALL
+ - ALL
 readOnlyRootFilesystem: true
 runAsGroup: 999
 runAsNonRoot: true
@@ -204,7 +212,8 @@ controllerManager:
 extraRules: []
 networkPolicy:
 enabled: false
- ingress: { }
+ ingress:
+ {}
 # - from:
 # - ipBlock:
 # cidr: 0.0.0.0/0
@@ -222,7 +231,7 @@ audit:
 disableCertRotation: false
 affinity: {}
 tolerations: []
- nodeSelector: {kubernetes.io/os: linux}
+ nodeSelector: { kubernetes.io/os: linux }
 resources:
 limits:
 memory: 512Mi
@@ -233,7 +242,7 @@ audit:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
- - ALL
+ - ALL
 readOnlyRootFilesystem: true
 runAsGroup: 999
 runAsNonRoot: true
@@ -247,13 +256,13 @@ audit:
 crds:
 affinity: {}
 tolerations: []
- nodeSelector: {kubernetes.io/os: linux}
+ nodeSelector: { kubernetes.io/os: linux }
 resources: {}
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
- - ALL
+ - ALL
 readOnlyRootFilesystem: true
 runAsGroup: 65532
 runAsNonRoot: true
@@ -266,7 +275,7 @@ disabledBuiltins: ["{http.send}"]
 psp:
 enabled: false
 upgradeCRDs:
- enabled: true
+ enabled: false
 extraRules: []
 priorityClassName: ""
 rbac:
@@ -274,3 +283,4 @@ rbac:
 externalCertInjection:
 enabled: false
 secretName: gatekeeper-webhook-server-cert
+disambiguator: 'asafalg'
\ No newline at end of file
diff --git a/main.go b/main.go
index e609948ba..73c65d325 100644
--- a/main.go
+++ b/main.go
@@ -31,10 +31,12 @@ import (
 "github.com/go-logr/zapr"
 "github.com/open-policy-agent/cert-controller/pkg/rotator"
+ externaldataapi "github.com/open-policy-agent/frameworks/constraint/pkg/apis/externaldata"
 constraintclient "github.com/open-policy-agent/frameworks/constraint/pkg/client"
 "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/k8scel"
 "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego"
 frameworksexternaldata "github.com/open-policy-agent/frameworks/constraint/pkg/externaldata"
+ api "github.com/open-policy-agent/gatekeeper/v3/apis"
 configv1alpha1 "github.com/open-policy-agent/gatekeeper/v3/apis/config/v1alpha1"
 expansionv1alpha1 "github.com/open-policy-agent/gatekeeper/v3/apis/expansion/v1alpha1"
@@ -47,6 +49,7 @@ import (
 "github.com/open-policy-agent/gatekeeper/v3/pkg/controller"
 "github.com/open-policy-agent/gatekeeper/v3/pkg/controller/config/process"
 "github.com/open-policy-agent/gatekeeper/v3/pkg/controller/constraint"
+ "github.com/open-policy-agent/gatekeeper/v3/pkg/controller/constrainttemplate"
 "github.com/open-policy-agent/gatekeeper/v3/pkg/expansion"
 "github.com/open-policy-agent/gatekeeper/v3/pkg/externaldata"
 "github.com/open-policy-agent/gatekeeper/v3/pkg/metrics"
@@ -213,6 +216,8 @@ func innerMain() int {
 config := ctrl.GetConfigOrDie()
 config.UserAgent = version.GetUserAgent("gatekeeper")
 setupLog.Info("setting up manager", "user agent", config.UserAgent)
+ setupLog.Info("Constraint template name", "crd-name", constrainttemplate.ConstraintTemplateCrdName)
+ setupLog.Info("externaldata group name", "group", externaldataapi.ExternalDataGroupName)
 var webhooks []rotator.WebhookInfo
 webhooks = webhook.AppendValidationWebhookIfEnabled(webhooks)
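Review bot: `disambiguator: 'asafalg'` ships a personal identifier as the chart default, and the file now ends without a trailing newline. Presumably this key is what the templates feed into `GATEKEEPER_API_NAME_DISAMBIGUATOR`; if so the default should be the empty string, `disambiguator: ""`, so an unmodified install keeps the stock `*.gatekeeper.sh` groups, with a comment such as `# optional prefix inserted into every gatekeeper API group; leave empty for the default groups` explaining what a non-empty value changes.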
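Review bot: The `api "github.com/open-policy-agent/gatekeeper/v3/apis"` alias added to main.go's import block is not referenced by any visible main.go hunk; if nothing else in the file uses it the package will not compile, so either drop it or show the use. The two new `setupLog.Info` calls print values that are read from the environment at package init, which is useful for diagnosing a mis-set disambiguator, but they read like debugging output (`"Constraint template name"` is the only capitalised message in the block) and `constrainttemplate` is now imported into main solely for one of them; consider `setupLog.V(1).Info("api names", "constraint-template-crd", constrainttemplate.ConstraintTemplateCrdName, "externaldata-group", externaldataapi.ExternalDataGroupName)` as a single debug line. `innerMain` continues past the hunk.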
diff --git a/pkg/audit/manager.go b/pkg/audit/manager.go
index 16bb6a3f4..c1c4bc83f 100644
--- a/pkg/audit/manager.go
+++ b/pkg/audit/manager.go
@@ -17,7 +17,9 @@ import (
 "github.com/go-logr/logr"
 constraintclient "github.com/open-policy-agent/frameworks/constraint/pkg/client"
 "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers"
+ "github.com/open-policy-agent/gatekeeper/v3/apis/status/v1beta1"
 "github.com/open-policy-agent/gatekeeper/v3/pkg/controller/config/process"
+ "github.com/open-policy-agent/gatekeeper/v3/pkg/controller/constrainttemplate"
 pubsubController "github.com/open-policy-agent/gatekeeper/v3/pkg/controller/pubsub"
 "github.com/open-policy-agent/gatekeeper/v3/pkg/expansion"
 "github.com/open-policy-agent/gatekeeper/v3/pkg/logging"
@@ -47,8 +49,6 @@ import (
 var log = logf.Log.WithName("controller").WithValues(logging.Process, "audit")
 const (
- crdName = "constrainttemplates.templates.gatekeeper.sh"
- constraintsGV = "constraints.gatekeeper.sh/v1beta1"
 msgSize = 256
 defaultAuditInterval = 60
 defaultConstraintViolationsLimit = 20
@@ -58,6 +58,10 @@ const (
 defaultChannel = "audit-channel"
 )
+var (
+ constraintsGV = v1beta1.ConstraintsGroupName + "/v1beta1"
+)
+
 var (
 auditInterval = flag.Uint("audit-interval", defaultAuditInterval, "interval to run audit in seconds. defaulted to 60 secs if unspecified, 0 to disable")
 constraintViolationsLimit = flag.Uint("constraint-violations-limit", defaultConstraintViolationsLimit, "limit of number of violations per constraint. defaulted to 20 violations if unspecified")
@@ -252,7 +256,7 @@ func (am *Manager) audit(ctx context.Context) error {
 am.client = c
 // don't audit anything until the constraintTemplate crd is in the cluster
 if err := am.ensureCRDExists(ctx); err != nil {
- am.log.Info("Audit exits, required crd has not been deployed ", "CRD", crdName)
+ am.log.Info("Audit exits, required crd has not been deployed ", "CRD", constrainttemplate.ConstraintTemplateCrdName)
 return nil
 }
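Review bot: `constraintsGV` is now derived from `v1beta1.ConstraintsGroupName`, which follows `GATEKEEPER_API_NAME_DISAMBIGUATOR`, while the CRD name the `@@ -252` hunk waits for comes from `constrainttemplate.ConstraintTemplateCrdName`, which follows the separate `CONSTRAINT_TEMPLATE_GROUP_NAME` variable; when only the disambiguator is set, `ensureCRDExists` looks for a CRD under the undisambiguated group, "required crd has not been deployed" is logged on every cycle and audit never runs. The CRD name should be derived from the same source as the group (see the constrainttemplate controller hunk) rather than from a second environment variable. Stylistically, the single-entry `var ( constraintsGV = ... )` block should be merged into the `var (` block directly below it, and the `msgSize`/`default*` constants will need re-alignment by gofmt after the two deletions.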
@@ -776,7 +780,8 @@ func (am *Manager) Start(ctx context.Context) error {
 func (am *Manager) ensureCRDExists(ctx context.Context) error {
 crd := &apiextensionsv1.CustomResourceDefinition{}
- return am.client.Get(ctx, types.NamespacedName{Name: crdName}, crd)
+ log.Info("Ensuring CRD exists", "crd", constrainttemplate.ConstraintTemplateCrdName)
+ return am.client.Get(ctx, types.NamespacedName{Name: constrainttemplate.ConstraintTemplateCrdName}, crd)
 }
 func (am *Manager) getAllConstraintKinds() ([]schema.GroupVersionKind, error) {
@@ -785,6 +790,7 @@ func (am *Manager) getAllConstraintKinds() ([]schema.GroupVersionKind, error) {
 return nil, err
 }
 l, err := discoveryClient.ServerResourcesForGroupVersion(constraintsGV)
+ log.Info("Getting all constraints", "gv", constraintsGV)
 if err != nil {
 return nil, err
 }
diff --git a/pkg/controller/constraint/constraint_controller.go b/pkg/controller/constraint/constraint_controller.go
index c0cefcab8..76a116448 100644
--- a/pkg/controller/constraint/constraint_controller.go
+++ b/pkg/controller/constraint/constraint_controller.go
@@ -270,7 +270,7 @@ func (r *ReconcileConstraint) Reconcile(ctx context.Context, request reconcile.R
 }
 // Sanity - make sure it is a constraint resource.
- if gvk.Group != constraintstatusv1beta1.ConstraintsGroup {
+ if gvk.Group != constraintstatusv1beta1.ConstraintsGroupName {
 // Unrecoverable, do not retry.
 log.Error(err, "invalid constraint GroupVersion", "gvk", gvk)
 return reconcile.Result{}, nil
diff --git a/pkg/controller/constraintstatus/constraintstatus_controller.go b/pkg/controller/constraintstatus/constraintstatus_controller.go
index 3095cccb9..3e495dc03 100644
--- a/pkg/controller/constraintstatus/constraintstatus_controller.go
+++ b/pkg/controller/constraintstatus/constraintstatus_controller.go
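Review bot: In `getAllConstraintKinds` the new `log.Info("Getting all constraints", "gv", constraintsGV)` sits between `ServerResourcesForGroupVersion` and its error check, and both it and the `log.Info("Ensuring CRD exists", ...)` added to `ensureCRDExists` use the package-level `log` instead of the `am.log` the surrounding manager code uses; both also fire on every audit cycle at the default level. Move the discovery log above the call and demote both, e.g. `am.log.V(1).Info("Getting all constraints", "gv", constraintsGV)`, or drop them now that main.go logs the same values once at startup. `getAllConstraintKinds` continues past the end of the hunk.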
@@ -107,7 +107,7 @@ func PodStatusToConstraintMapper(selfOnly bool, packerMap handler.MapFunc) handl
 }
 }
 u := &unstructured.Unstructured{}
- u.SetGroupVersionKind(schema.GroupVersionKind{Group: v1beta1.ConstraintsGroup, Version: "v1beta1", Kind: kind})
+ u.SetGroupVersionKind(schema.GroupVersionKind{Group: v1beta1.ConstraintsGroupName, Version: "v1beta1", Kind: kind})
 u.SetName(name)
 return packerMap(ctx, u)
 }
@@ -177,7 +177,7 @@ func (r *ReconcileConstraintStatus) Reconcile(ctx context.Context, request recon
 }
 // Sanity - make sure it is a constraint resource.
- if gvk.Group != v1beta1.ConstraintsGroup {
+ if gvk.Group != v1beta1.ConstraintsGroupName {
 // Unrecoverable, do not retry.
 log.Error(err, "invalid constraint GroupVersion", "gvk", gvk)
 return reconcile.Result{}, nil
diff --git a/pkg/controller/constrainttemplate/constrainttemplate_controller.go b/pkg/controller/constrainttemplate/constrainttemplate_controller.go
index e6ef7571f..747cf5731 100644
--- a/pkg/controller/constrainttemplate/constrainttemplate_controller.go
+++ b/pkg/controller/constrainttemplate/constrainttemplate_controller.go
@@ -19,6 +19,7 @@ import (
 "context"
 "errors"
 "fmt"
+ "os"
 "reflect"
 "time"
@@ -81,9 +82,21 @@ type Adder struct {
 GetPod func(context.Context) (*corev1.Pod, error)
 }
+var ConstraintTemplateCrdName string = getGroupFromEnvVars()
+
+func getGroupFromEnvVars() string {
+ value, exists := os.LookupEnv("CONSTRAINT_TEMPLATE_GROUP_NAME")
+ if exists {
+ return value
+ }
+
+ return "constrainttemplates.templates.gatekeeper.sh"
+}
+
 // Add creates a new ConstraintTemplate Controller and adds it to the Manager with default RBAC. The Manager will set fields on the Controller
 // and Start it when the Manager is Started.
 func (a *Adder) Add(mgr manager.Manager) error {
+ logger.Info("Adding manager for constraint template.", ConstraintTemplateCrdName)
 if !operations.HasValidationOperations() {
 return nil
 }
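Review bot: `logger.Info("Adding manager for constraint template.", ConstraintTemplateCrdName)` passes a single trailing value where logr expects key/value pairs, so depending on the sink the CRD name is either dropped or reported as a malformed argument list; use `logger.Info("Adding manager for constraint template.", "crd-name", ConstraintTemplateCrdName)`. `getGroupFromEnvVars` returns a CRD resource name rather than a group, and reads `CONSTRAINT_TEMPLATE_GROUP_NAME` as a second, independent configuration source beside the disambiguator that every other group name on this page is built from, so the two can silently disagree and the value is used unvalidated as a cluster object name by the audit and upgrade managers. Deriving it from the group the CRD actually belongs to removes both problems: `var ConstraintTemplateCrdName = "constrainttemplates." + templates.TemplateGroupName` with `templates` imported from `github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates`, after which the `os` import and the helper can go. `Add` continues past the hunk.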
@@ -746,8 +759,9 @@ func logError(name string) {
 }
 func makeGvk(kind string) schema.GroupVersionKind {
+ logger.Info("Making GVK for constraint group", "constraint-gropup", statusv1beta1.ConstraintsGroupName)
 return schema.GroupVersionKind{
-	Group: "constraints.gatekeeper.sh",
+ Group: statusv1beta1.ConstraintsGroupName,
 Version: "v1beta1",
 Kind: kind,
 }
diff --git a/pkg/controller/constrainttemplate/constrainttemplate_controller_test.go b/pkg/controller/constrainttemplate/constrainttemplate_controller_test.go
index 4c196ba59..56344fe64 100644
--- a/pkg/controller/constrainttemplate/constrainttemplate_controller_test.go
+++ b/pkg/controller/constrainttemplate/constrainttemplate_controller_test.go
@@ -741,7 +741,7 @@ violation[{"msg": "denied!"}] {
 t.Cleanup(testutils.DeleteObject(t, c, instance))
 gvk := schema.GroupVersionKind{
- Group: "constraints.gatekeeper.sh",
+ Group: statusv1beta1.ConstraintsGroupName,
 Version: "v1beta1",
 Kind: DenyAll,
 }
diff --git a/pkg/controller/constrainttemplatestatus/constrainttemplatestatus_controller.go b/pkg/controller/constrainttemplatestatus/constrainttemplatestatus_controller.go
index c1d44bf19..b6d066d9f 100644
--- a/pkg/controller/constrainttemplatestatus/constrainttemplatestatus_controller.go
+++ b/pkg/controller/constrainttemplatestatus/constrainttemplatestatus_controller.go
@@ -152,6 +152,7 @@ func (r *ReconcileConstraintStatus) Reconcile(ctx context.Context, request recon
 }
 template := &unstructured.Unstructured{}
 gv := constrainttemplatev1beta1.SchemeGroupVersion
+ r.log.Info("reconcile gv", "gv", gv.Group)
 template.SetGroupVersionKind(gv.WithKind("ConstraintTemplate"))
 if err := r.reader.Get(ctx, request.NamespacedName, template); err != nil {
 // If the template does not exist, we are done
diff --git a/pkg/controller/externaldata/externaldata_controller.go b/pkg/controller/externaldata/externaldata_controller.go
index efe59ec39..bdefe4c4e 100644
--- a/pkg/controller/externaldata/externaldata_controller.go
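Review bot: `makeGvk` now logs `"Making GVK for constraint group"` on every call, with the key misspelled as `constraint-gropup`, and `statusv1beta1.ConstraintsGroupName` is a package-level value that cannot change between calls, so the line is noise at the default level; the `r.log.Info("reconcile gv", "gv", gv.Group)` added to `Reconcile` in the constrainttemplatestatus hunk below has the same shape, running once per reconcile. Either remove both or demote them, e.g. `logger.V(1).Info("Making GVK for constraint group", "constraint-group", statusv1beta1.ConstraintsGroupName)`. Both enclosing functions extend past their hunks.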
+++ b/pkg/controller/externaldata/externaldata_controller.go
@@ -26,9 +26,9 @@ import (
 )
 var (
- log = logf.Log.WithName("controller").WithValues(logging.Process, "externaldata_controller")
-
- gvkExternalData = schema.GroupVersionKind{
+ log = logf.Log.WithName("controller").WithValues(logging.Process, "externaldata_controller")
+ ExternalDataGroupName = "externaldata.gatekeeper.sh"
+ gvkExternalData = schema.GroupVersionKind{
 Group: "externaldata.gatekeeper.sh",
 Version: "v1beta1",
 Kind: "Provider",
diff --git a/pkg/gator/reader/read_constraints.go b/pkg/gator/reader/read_constraints.go
index 09623dbc6..cfc313f44 100644
--- a/pkg/gator/reader/read_constraints.go
+++ b/pkg/gator/reader/read_constraints.go
@@ -10,6 +10,7 @@ import (
 templatesv1 "github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1"
 "github.com/open-policy-agent/frameworks/constraint/pkg/core/templates"
+ "github.com/open-policy-agent/gatekeeper/v3/apis/status/v1beta1"
 "github.com/open-policy-agent/gatekeeper/v3/pkg/gator"
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 "k8s.io/apimachinery/pkg/runtime"
@@ -170,7 +171,7 @@ func ReadConstraint(f fs.FS, path string) (*unstructured.Unstructured, error) {
 }
 gvk := u.GroupVersionKind()
- if gvk.Group != "constraints.gatekeeper.sh" {
+ if gvk.Group != v1beta1.ConstraintsGroupName {
 return nil, gator.ErrNotAConstraint
 }
diff --git a/pkg/gator/test/test.go b/pkg/gator/test/test.go
index d09aafcb6..920abf092 100644
--- a/pkg/gator/test/test.go
+++ b/pkg/gator/test/test.go
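Review bot: `ExternalDataGroupName` is introduced here as the literal `"externaldata.gatekeeper.sh"` and `gvkExternalData.Group` keeps the same literal, while the frameworks `externaldata.ExternalDataGroupName` used by the rego builtin, `NewProviderRequest` and the scheme registrations is built from `GATEKEEPER_API_NAME_DISAMBIGUATOR`; with a disambiguator set this controller watches a group that no longer exists, and `pkg/upgrade` and `pkg/webhook/common.go` import this stale value. The vendored cert-controller additionally reads its own `EXTERNALDATA_GROUP_NAME` variable, which makes a third source of truth for one name. Alias the frameworks package (as main.go does with `externaldataapi`) and write `ExternalDataGroupName = externaldataapi.ExternalDataGroupName` together with `Group: ExternalDataGroupName,` in the GVK. Note also that the frameworks and cert-controller changes on this page live under `vendor/`, so `go mod vendor` will discard them until they land upstream. The `var (` block continues past the hunk.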
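Review bot: `ReadConstraint` now imports `apis/status/v1beta1` solely to read `ConstraintsGroupName`, which puts the constraints API group in the status API package; the same dependency is added to `pkg/gator/test`, `pkg/readiness` and the webhook for the same single name. Given that this commit already adds `apis/config`, `apis/expansion` and `apis/mutations` packages that own their group names, a sibling `apis/constraints` package (or the frameworks `constraints.Group`, which this page rewires to the same value) would be the consistent home, and the import in each of these hunks would become that package instead.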
@@ -9,6 +9,7 @@ import (
 constraintclient "github.com/open-policy-agent/frameworks/constraint/pkg/client"
 "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/k8scel"
 "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego"
+ statusv1beta1 "github.com/open-policy-agent/gatekeeper/v3/apis/status/v1beta1"
 "github.com/open-policy-agent/gatekeeper/v3/pkg/expansion"
 "github.com/open-policy-agent/gatekeeper/v3/pkg/gator/expand"
 "github.com/open-policy-agent/gatekeeper/v3/pkg/gator/reader"
@@ -180,7 +181,7 @@ func isTemplate(u *unstructured.Unstructured) bool {
 func isConstraint(u *unstructured.Unstructured) bool {
 gvk := u.GroupVersionKind()
- return gvk.Group == "constraints.gatekeeper.sh"
+ return gvk.Group == statusv1beta1.ConstraintsGroupName
 }
 func makeRegoDriver(tOpts Opts) (*rego.Driver, error) {
diff --git a/pkg/readiness/ready_tracker.go b/pkg/readiness/ready_tracker.go
index 94c86cade..5b36011d4 100644
--- a/pkg/readiness/ready_tracker.go
+++ b/pkg/readiness/ready_tracker.go
@@ -29,6 +29,7 @@ import (
 expansionv1alpha1 "github.com/open-policy-agent/gatekeeper/v3/apis/expansion/v1alpha1"
 mutationv1 "github.com/open-policy-agent/gatekeeper/v3/apis/mutations/v1"
 mutationsv1alpha1 "github.com/open-policy-agent/gatekeeper/v3/apis/mutations/v1alpha1"
+ statusv1beta1 "github.com/open-policy-agent/gatekeeper/v3/apis/status/v1beta1"
 syncsetv1alpha1 "github.com/open-policy-agent/gatekeeper/v3/apis/syncset/v1alpha1"
 "github.com/open-policy-agent/gatekeeper/v3/pkg/keys"
 "github.com/open-policy-agent/gatekeeper/v3/pkg/logging"
@@ -45,10 +46,10 @@ import (
 )
 var log = logf.Log.WithName("readiness-tracker")
+var constraintGroup = statusv1beta1.ConstraintsGroupName
 const (
- constraintGroup = "constraints.gatekeeper.sh"
- statsPeriod = 1 * time.Second
+ statsPeriod = 1 * time.Second
 )
 // Lister lists resources from a cache.
diff --git a/pkg/upgrade/manager.go b/pkg/upgrade/manager.go
index 6b4f1eccf..0feb61fc8 100644
--- a/pkg/upgrade/manager.go
+++ b/pkg/upgrade/manager.go
@@ -8,6 +8,11 @@ import (
 "strings"
 "time"
+ "github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates"
+ "github.com/open-policy-agent/gatekeeper/v3/apis/mutations"
+ "github.com/open-policy-agent/gatekeeper/v3/apis/status"
+ "github.com/open-policy-agent/gatekeeper/v3/pkg/controller/constrainttemplate"
+ "github.com/open-policy-agent/gatekeeper/v3/pkg/controller/externaldata"
 "github.com/open-policy-agent/gatekeeper/v3/pkg/util"
 apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 "k8s.io/apimachinery/pkg/api/errors"
@@ -24,8 +29,12 @@ import (
 var log = logf.Log.WithName("controller").WithValues("metaKind", "upgrade")
-const (
- crdName = "constrainttemplates.templates.gatekeeper.sh"
+var (
+ crdName = &constrainttemplate.ConstraintTemplateCrdName
+ constraintGvV1Alpha = status.ConstraintsGroupName + "/v1alpha"
+ templateGvV1Alpha = templates.TemplateGroupName + "/v1alpha"
+ mutationsGvV1Alpha = mutations.MutationGroupName + "/v1alpha"
+ externaldataGvV1Alpha = externaldata.ExternalDataGroupName + "v1alpha"
 )
 // Manager allows us to upgrade resources on startup.
@@ -63,7 +72,7 @@ func (um *Manager) Start(ctx context.Context) error {
 func (um *Manager) ensureCRDExists(ctx context.Context) error {
 crd := &apiextensionsv1.CustomResourceDefinition{}
- return um.client.Get(ctx, types.NamespacedName{Name: crdName}, crd)
+ return um.client.Get(ctx, types.NamespacedName{Name: *crdName}, crd)
 }
 func (um *Manager) getAllKinds(groupVersion string) (*metav1.APIResourceList, error) {
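Review bot: The new group-version strings in the `@@ -24,8 +29,12 @@` hunk drop the version suffix that the literals they replace carry: `constraintGvV1Alpha`, `templateGvV1Alpha` and `mutationsGvV1Alpha` end in `"/v1alpha"` where the `upgrade` hunk that follows removes `.../v1alpha1`, and `externaldataGvV1Alpha` lacks the `/` entirely, so the startup upgrade will query group versions that do not exist and the migration of v1alpha1 resources silently stops doing anything. `crdName` also becomes a pointer to the `constrainttemplate` string for no visible reason, forcing `*crdName` in `ensureCRDExists` and in the `upgradeGroupVersion` log line; a plain string assignment leaves both use sites as they were. `status.ConstraintsGroupName` is taken from `apis/status` here while every other file on this page uses `apis/status/v1beta1.ConstraintsGroupName`; if those are two separate definitions they must be kept identical, and one should go.
```go
var (
	crdName               = constrainttemplate.ConstraintTemplateCrdName
	constraintGvV1Alpha   = status.ConstraintsGroupName + "/v1alpha1"
	templateGvV1Alpha     = templates.TemplateGroupName + "/v1alpha1"
	mutationsGvV1Alpha    = mutations.MutationGroupName + "/v1alpha1"
	externaldataGvV1Alpha = externaldata.ExternalDataGroupName + "/v1alpha1"
)
// … unchanged: Manager type and Start …
```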
@@ -76,10 +85,10 @@ func (um *Manager) getAllKinds(groupVersion string) (*metav1.APIResourceList, er
 func (um *Manager) upgrade(ctx context.Context) error {
 gvs := []string{
- "constraints.gatekeeper.sh/v1alpha1",
- "templates.gatekeeper.sh/v1alpha1",
- "mutations.gatekeeper.sh/v1alpha1",
- "externaldata.gatekeeper.sh/v1alpha1",
+ constraintGvV1Alpha,
+ templateGvV1Alpha,
+ mutationsGvV1Alpha,
+ externaldataGvV1Alpha,
 }
 for _, gv := range gvs {
 if err := um.upgradeGroupVersion(ctx, gv); err != nil {
@@ -98,7 +107,7 @@ func (um *Manager) upgradeGroupVersion(ctx context.Context, groupVersion string)
 }
 um.client = c
 if err := um.ensureCRDExists(ctx); err != nil {
- log.Info("required crd has not been deployed ", "CRD", crdName)
+ log.Info("required crd has not been deployed ", "CRD", *crdName)
 return err
 }
 // get all resource kinds
diff --git a/pkg/webhook/common.go b/pkg/webhook/common.go
index 193c5ccc1..2f8f291e6 100644
--- a/pkg/webhook/common.go
+++ b/pkg/webhook/common.go
@@ -8,9 +8,13 @@ import (
 "fmt"
 "strings"
+ templates "github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates"
 "github.com/open-policy-agent/gatekeeper/v3/apis"
 "github.com/open-policy-agent/gatekeeper/v3/apis/config/v1alpha1"
+ "github.com/open-policy-agent/gatekeeper/v3/apis/mutations"
+ "github.com/open-policy-agent/gatekeeper/v3/apis/status/v1beta1"
 "github.com/open-policy-agent/gatekeeper/v3/pkg/controller/config/process"
+ externalData "github.com/open-policy-agent/gatekeeper/v3/pkg/controller/externaldata"
 "github.com/open-policy-agent/gatekeeper/v3/pkg/keys"
 "github.com/open-policy-agent/gatekeeper/v3/pkg/util"
 admissionv1 "k8s.io/api/admission/v1"
@@ -39,11 +43,14 @@ var log = logf.Log.WithName("webhook")
 const (
 serviceAccountName = "gatekeeper-admin"
- mutationsGroup = "mutations.gatekeeper.sh"
- externalDataGroup = "externaldata.gatekeeper.sh"
 namespaceKind = "Namespace"
 )
+var (
+ mutationsGroup = mutations.MutationGroupName
+ externalDataGroup = externalData.ExternalDataGroupName
+)
+
 var (
 runtimeScheme = k8sruntime.NewScheme()
 codecs = serializer.NewCodecFactory(runtimeScheme)
@@ -112,8 +119,8 @@ func (h *webhookHandler) getConfig(ctx context.Context) (*v1alpha1.Config, error
 // isGatekeeperResource returns true if the request relates to a gatekeeper resource.
 func (h *webhookHandler) isGatekeeperResource(req *admission.Request) bool {
- if req.AdmissionRequest.Kind.Group == "templates.gatekeeper.sh" ||
- req.AdmissionRequest.Kind.Group == "constraints.gatekeeper.sh" ||
+ if req.AdmissionRequest.Kind.Group == templates.TemplateGroupName ||
+ req.AdmissionRequest.Kind.Group == v1beta1.ConstraintsGroupName ||
 req.AdmissionRequest.Kind.Group == mutationsGroup ||
 req.AdmissionRequest.Kind.Group == "config.gatekeeper.sh" ||
 req.AdmissionRequest.Kind.Group == externalDataGroup ||
diff --git a/pkg/webhook/policy.go b/pkg/webhook/policy.go
index e6c36d46a..eee39a2fb 100644
--- a/pkg/webhook/policy.go
+++ b/pkg/webhook/policy.go
@@ -28,6 +28,7 @@ import (
 "github.com/go-logr/logr"
 "github.com/open-policy-agent/cert-controller/pkg/rotator"
 externaldataUnversioned "github.com/open-policy-agent/frameworks/constraint/pkg/apis/externaldata/unversioned"
+ templatesapi "github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates"
 constraintclient "github.com/open-policy-agent/frameworks/constraint/pkg/client"
 "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers"
 "github.com/open-policy-agent/frameworks/constraint/pkg/core/templates"
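Review bot: `isGatekeeperResource` still compares against the literal `"config.gatekeeper.sh"` while the config API group is now `config.ConfigGroupName` from `apis/config`, so once a disambiguator is set, Config objects stop being recognised as gatekeeper resources and fall out of whatever handling this check gates; `validateGatekeeperResources` in the policy.go hunk that follows keeps the same literal for config and `"expansion.gatekeeper.sh"` for expansion templates even though `expansion.ExpansionGroupName` exists. Replace them with the package values, e.g. `req.AdmissionRequest.Kind.Group == config.ConfigGroupName ||` here and, in policy.go, `case gvk.Group == expansionapi.ExpansionGroupName && gvk.Kind == "ExpansionTemplate":` with `expansionapi` as an alias for `apis/expansion`, since `pkg/expansion` is already imported there as `expansion`. `externalDataGroup` is also taken from the controller package's hard-coded `ExternalDataGroupName` rather than the disambiguated frameworks value, so it drifts in the same way. `isGatekeeperResource` continues past the hunk.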
@@ -36,6 +37,7 @@ import (
 "github.com/open-policy-agent/gatekeeper/v3/apis"
 expansionunversioned "github.com/open-policy-agent/gatekeeper/v3/apis/expansion/unversioned"
 mutationsunversioned "github.com/open-policy-agent/gatekeeper/v3/apis/mutations/unversioned"
+ statusv1beta1 "github.com/open-policy-agent/gatekeeper/v3/apis/status/v1beta1"
 "github.com/open-policy-agent/gatekeeper/v3/pkg/controller/config/process"
 "github.com/open-policy-agent/gatekeeper/v3/pkg/expansion"
 "github.com/open-policy-agent/gatekeeper/v3/pkg/keys"
@@ -347,11 +349,11 @@ func (h *validationHandler) validateGatekeeperResources(ctx context.Context, req
 gvk := req.AdmissionRequest.Kind
 switch {
- case gvk.Group == "templates.gatekeeper.sh" && gvk.Kind == "ConstraintTemplate":
+ case gvk.Group == templatesapi.TemplateGroupName && gvk.Kind == "ConstraintTemplate":
 return h.validateTemplate(ctx, req)
 case gvk.Group == "expansion.gatekeeper.sh" && gvk.Kind == "ExpansionTemplate":
 return h.validateExpansionTemplate(req)
- case gvk.Group == "constraints.gatekeeper.sh":
+ case gvk.Group == statusv1beta1.ConstraintsGroupName:
 return h.validateConstraint(req)
 case gvk.Group == "config.gatekeeper.sh" && gvk.Kind == "Config":
 if err := h.validateConfigResource(req); err != nil {
diff --git a/vendor/github.com/open-policy-agent/cert-controller/pkg/rotator/rotator.go b/vendor/github.com/open-policy-agent/cert-controller/pkg/rotator/rotator.go
index dc00c8563..c5d783d2f 100644
--- a/vendor/github.com/open-policy-agent/cert-controller/pkg/rotator/rotator.go
+++ b/vendor/github.com/open-policy-agent/cert-controller/pkg/rotator/rotator.go
@@ -103,11 +103,23 @@ func (w WebhookInfo) gvk() schema.GroupVersionKind {
 Mutating: {Group: "admissionregistration.k8s.io", Version: "v1", Kind: "MutatingWebhookConfiguration"},
 CRDConversion: {Group: "apiextensions.k8s.io", Version: "v1", Kind: "CustomResourceDefinition"},
 APIService: {Group: "apiregistration.k8s.io", Version: "v1", Kind: "APIService"},
- ExternalDataProvider: {Group: "externaldata.gatekeeper.sh", Version: "v1beta1", Kind: "Provider"},
+ ExternalDataProvider: {Group: getExternalDataGroupFromEnvVars(), Version: "v1beta1", Kind: "Provider"},
 }
 return t2g[w.Type]
 }
+func getExternalDataGroupFromEnvVars() string {
+ value, exists := os.LookupEnv("EXTERNALDATA_GROUP_NAME")
+ if exists {
+ crLog.Info("external group name", "group", value)
+
+ return value
+ }
+ crLog.Info("external group name", "group", "externaldata.gatekeeper.sh")
+
+ return "externaldata.gatekeeper.sh"
+}
+
 // AddRotator adds the CertRotator and ReconcileWH to the manager.
 func AddRotator(mgr manager.Manager, cr *CertRotator) error {
 if mgr == nil || cr == nil {
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/constraints/apis.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/constraints/apis.go
index 4dbb15318..db32e40f9 100644
--- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/constraints/apis.go
+++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/constraints/apis.go
@@ -4,13 +4,11 @@ import (
 "errors"
 "fmt"
+ "github.com/open-policy-agent/gatekeeper/v3/apis/status/v1beta1"
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 const (
- // Group is the API Group of Constraints.
- Group = "constraints.gatekeeper.sh"
-
 // EnforcementActionDeny indicates that if a review fails validation for a
 // Constraint, that it should be rejected. Errors encountered running
 // validation are treated as failing validation.
@@ -20,6 +18,9 @@ const (
 )
 var (
+ // Group is the API Group of Constraints.
+ Group = v1beta1.ConstraintsGroupName
+
 // ErrInvalidConstraint is a generic error that a Constraint is invalid for
 // some reason.
 ErrInvalidConstraint = errors.New("invalid Constraint")
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/disambiguator/disambiguator.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/disambiguator/disambiguator.go
new file mode 100644
index 000000000..6c7dba7a5
--- /dev/null
+++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/disambiguator/disambiguator.go
@@ -0,0 +1,19 @@
+package disambiguator
+
+import (
+ "fmt"
+ "os"
+)
+
+const GatekeeprApiSuffix = "gatekeeper.sh"
+
+var Disambiguator string = readDisambiguatorFromEnvVars()
+
+func readDisambiguatorFromEnvVars() string {
+ value, exists := os.LookupEnv("GATEKEEPER_API_NAME_DISAMBIGUATOR")
+ if exists {
+ return fmt.Sprintf("%s-", value)
+ }
+
+ return ""
+}
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/externaldata/groups.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/externaldata/groups.go
new file mode 100644
index 000000000..f155553d4
--- /dev/null
+++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/externaldata/groups.go
@@ -0,0 +1,9 @@
+package externaldata
+
+import (
+ "fmt"
+
+ "github.com/open-policy-agent/frameworks/constraint/pkg/apis/disambiguator"
+)
+
+var ExternalDataGroupName = fmt.Sprintf("externaldata.%s%s", disambiguator.Disambiguator, disambiguator.GatekeeprApiSuffix)
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/externaldata/v1alpha1/register.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/externaldata/v1alpha1/register.go
index 793ba1cf4..bf8dc8e14 100644
--- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/externaldata/v1alpha1/register.go
+++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/externaldata/v1alpha1/register.go
@@ -24,6 +24,7 @@ limitations under the License.
 package v1alpha1
 import (
+ "github.com/open-policy-agent/frameworks/constraint/pkg/apis/externaldata"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/runtime/schema"
 "sigs.k8s.io/controller-runtime/pkg/scheme"
@@ -31,7 +32,7 @@ import (
 var (
 // SchemeGroupVersion is group version used to register these objects.
- SchemeGroupVersion = schema.GroupVersion{Group: "externaldata.gatekeeper.sh", Version: "v1alpha1"}
+ SchemeGroupVersion = schema.GroupVersion{Group: externaldata.ExternalDataGroupName, Version: "v1alpha1"}
 // SchemeBuilder is used to add go types to the GroupVersionKind scheme.
 SchemeBuilder = &scheme.Builder{GroupVersion: SchemeGroupVersion}
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/externaldata/v1beta1/register.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/externaldata/v1beta1/register.go
index 1378f2305..5dd388de0 100644
--- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/externaldata/v1beta1/register.go
+++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/externaldata/v1beta1/register.go
@@ -24,6 +24,7 @@ limitations under the License.
 package v1beta1
 import (
+ "github.com/open-policy-agent/frameworks/constraint/pkg/apis/externaldata"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/runtime/schema"
 "sigs.k8s.io/controller-runtime/pkg/scheme"
@@ -31,7 +32,7 @@ import (
 var (
 // SchemeGroupVersion is group version used to register these objects.
- SchemeGroupVersion = schema.GroupVersion{Group: "externaldata.gatekeeper.sh", Version: "v1beta1"}
+ SchemeGroupVersion = schema.GroupVersion{Group: externaldata.ExternalDataGroupName, Version: "v1beta1"}
 // SchemeBuilder is used to add go types to the GroupVersionKind scheme.
 SchemeBuilder = &scheme.Builder{GroupVersion: SchemeGroupVersion}
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/groups.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/groups.go
new file mode 100644
index 000000000..1aa5ba4e5
--- /dev/null
+++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/groups.go
@@ -0,0 +1,9 @@
+package templates
+
+import (
+ "fmt"
+
+ "github.com/open-policy-agent/frameworks/constraint/pkg/apis/disambiguator"
+)
+
+var TemplateGroupName string = fmt.Sprintf("templates.%s%s", disambiguator.Disambiguator, disambiguator.GatekeeprApiSuffix)
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1/register.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1/register.go
index 57172fd2a..29be2ad5f 100644
--- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1/register.go
+++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1/register.go
@@ -24,6 +24,7 @@ limitations under the License.
 package v1
 import (
+ templates "github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/runtime/schema"
 "sigs.k8s.io/controller-runtime/pkg/scheme"
@@ -31,7 +32,7 @@ import (
 var (
 // SchemeGroupVersion is group version used to register these objects.
- SchemeGroupVersion = schema.GroupVersion{Group: "templates.gatekeeper.sh", Version: "v1"}
+ SchemeGroupVersion = schema.GroupVersion{Group: templates.TemplateGroupName, Version: "v1"}
 // SchemeBuilder is used to add go types to the GroupVersionKind scheme.
 SchemeBuilder = &scheme.Builder{GroupVersion: SchemeGroupVersion}
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/register.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/register.go
index 1656526c1..12eab92e3 100644
--- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/register.go
+++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/register.go
@@ -24,6 +24,7 @@ limitations under the License.
 package v1alpha1
 import (
+ templates "github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/runtime/schema"
 "sigs.k8s.io/controller-runtime/pkg/scheme"
@@ -31,7 +32,7 @@ import (
 var (
 // SchemeGroupVersion is group version used to register these objects.
- SchemeGroupVersion = schema.GroupVersion{Group: "templates.gatekeeper.sh", Version: "v1alpha1"}
+ SchemeGroupVersion = schema.GroupVersion{Group: templates.TemplateGroupName, Version: "v1alpha1"}
 // SchemeBuilder is used to add go types to the GroupVersionKind scheme.
 SchemeBuilder = &scheme.Builder{GroupVersion: SchemeGroupVersion}
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/register.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/register.go
index ad1c27cc9..4df997943 100644
--- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/register.go
+++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/register.go
@@ -24,6 +24,7 @@ limitations under the License.
 package v1beta1
 import (
+ templates "github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/runtime/schema"
 "sigs.k8s.io/controller-runtime/pkg/scheme"
@@ -31,7 +32,7 @@ import (
 var (
 // SchemeGroupVersion is group version used to register these objects.
- SchemeGroupVersion = schema.GroupVersion{Group: "templates.gatekeeper.sh", Version: "v1beta1"}
+ SchemeGroupVersion = schema.GroupVersion{Group: templates.TemplateGroupName, Version: "v1beta1"}
 // SchemeBuilder is used to add go types to the GroupVersionKind scheme.
 SchemeBuilder = &scheme.Builder{GroupVersion: SchemeGroupVersion}
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/builtin.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/builtin.go
index 7ea46eb6f..ecc7ecd4b 100644
--- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/builtin.go
+++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/builtin.go
@@ -4,16 +4,18 @@ import (
 "net/http"
 "time"
 
+ externaldataapis "github.com/open-policy-agent/frameworks/constraint/pkg/apis/externaldata"
 "github.com/open-policy-agent/frameworks/constraint/pkg/externaldata"
 "github.com/open-policy-agent/opa/ast"
 "github.com/open-policy-agent/opa/rego"
 )
 
 const (
- providerResponseAPIVersion = "externaldata.gatekeeper.sh/v1beta1"
- providerResponseKind = "ProviderResponse"
+ providerResponseKind = "ProviderResponse"
 )
 
+var providerResponseAPIVersion = externaldataapis.ExternalDataGroupName + "/v1beta1"
+
 func externalDataBuiltin(d *Driver) func(bctx rego.BuiltinContext, regorequest *ast.Term) (*ast.Term, error) {
 return func(bctx rego.BuiltinContext, regorequest *ast.Term) (*ast.Term, error) {
 var regoReq externaldata.RegoRequest
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/externaldata/request.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/externaldata/request.go
index f30f9967b..bb3185ee9 100644
--- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/externaldata/request.go
+++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/externaldata/request.go
@@ -13,6 +13,7 @@ import (
 "net/url"
 "time"
 
+ "github.com/open-policy-agent/frameworks/constraint/pkg/apis/externaldata"
 "github.com/open-policy-agent/frameworks/constraint/pkg/apis/externaldata/unversioned"
 )
 
@@ -48,7 +49,7 @@ type Request struct {
 // NewProviderRequest creates a new request for the external data provider.
 func NewProviderRequest(keys []string) *ProviderRequest {
 return &ProviderRequest{
- APIVersion: "externaldata.gatekeeper.sh/v1beta1",
+ APIVersion: externaldata.ExternalDataGroupName + "/v1beta1",
 Kind: "ProviderRequest",
 Request: Request{
 Keys: keys,
diff --git a/vendor/k8s.io/apimachinery/pkg/api/meta/errors.go b/vendor/k8s.io/apimachinery/pkg/api/meta/errors.go
index f36aa4ec2..449f6c7e8 100644
--- a/vendor/k8s.io/apimachinery/pkg/api/meta/errors.go
+++ b/vendor/k8s.io/apimachinery/pkg/api/meta/errors.go
@@ -113,9 +113,9 @@ func (e *NoKindMatchError) Error() string {
 case 0:
 return fmt.Sprintf("no matches for kind %q in group %q", e.GroupKind.Kind, e.GroupKind.Group)
 case 1:
- return fmt.Sprintf("no matches for kind %q in version %q", e.GroupKind.Kind, searchedVersions.List()[0])
+ return fmt.Sprintf("no matches for kind %q in version %q and group %q", e.GroupKind.Kind, searchedVersions.List()[0], e.GroupKind.Group)
 default:
- return fmt.Sprintf("no matches for kind %q in versions %q", e.GroupKind.Kind, searchedVersions.List())
+ return fmt.Sprintf("no matches for kind %q in versions %q and group %q", e.GroupKind.Kind, searchedVersions.List(), e.GroupKind.Group)
 }
 }
