diff --git a/apis/config/groups.go b/apis/config/groups.go
new file mode 100644
index 000000000..b8b179b04
--- /dev/null
+++ b/apis/config/groups.go
@@ -0,0 +1,21 @@
+package config
+
+import (
+ "flag"
+ "os"
+)
+
+var ConfigGroupName = getGroupFromEnvVars()
+
+func init() {
+ flag.String("config-group-name", "config.gatekeeper.sh", "config group name")
+}
+
+func getGroupFromEnvVars() string {
+ value, exists := os.LookupEnv("CONFIG_GROUP_NAME")
+ if exists {
+ return value
+ }
+
+ return "config.gatekeeper.sh"
+}
diff --git a/apis/config/v1alpha1/groupversion_info.go b/apis/config/v1alpha1/groupversion_info.go
index 2e0dc7185..90eb12ed9 100644
--- a/apis/config/v1alpha1/groupversion_info.go
+++ b/apis/config/v1alpha1/groupversion_info.go
@@ -19,13 +19,14 @@ limitations under the License.
 package v1alpha1
 
 import (
+ "github.com/open-policy-agent/gatekeeper/v3/apis/config"
 "k8s.io/apimachinery/pkg/runtime/schema"
 "sigs.k8s.io/controller-runtime/pkg/scheme"
 )
 
 var (
 // GroupVersion is group version used to register these objects.
- GroupVersion = schema.GroupVersion{Group: "config.gatekeeper.sh", Version: "v1alpha1"}
+ GroupVersion = schema.GroupVersion{Group: config.ConfigGroupName, Version: "v1alpha1"}
 
 // SchemeBuilder is used to add go types to the GroupVersionKind scheme.
 SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
diff --git a/apis/expansion/groups.go b/apis/expansion/groups.go
new file mode 100644
index 000000000..cc9124990
--- /dev/null
+++ b/apis/expansion/groups.go
@@ -0,0 +1,21 @@
+package expansion
+
+import (
+ "flag"
+ "os"
+)
+
+var ExpansionGroupName = getGroupNameFromEnvVars()
+
+func init() {
+ flag.String("expansion-group-name", "expansion.gatekeeper.sh", "expansion group name")
+}
+
+func getGroupNameFromEnvVars() string {
+ value, exists := os.LookupEnv("EXPANSION_GROUP_NAME")
+ if exists {
+ return value
+ }
+
+ return "expansion.gatekeeper.sh"
+}
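Review bot: The `--config-group-name` flag registered in `init()` is dead code: the pointer `flag.String` returns is discarded, and `ConfigGroupName` is fixed from `CONFIG_GROUP_NAME` while the package initializes, before any `flag.Parse` can run, so an operator who passes the flag silently keeps whatever the env var (or the default) says. The env value is also used verbatim: a variable that is set but empty yields an empty API group, and a value that is not a DNS-1123 subdomain only surfaces later as the API server rejecting every list/watch the controller issues. I would drop the flag (or have `main` copy it into the variable after parsing) and validate the override in the helper, failing fast since a wrong group means the controller silently watches nothing; `IsDNS1123Subdomain` lives in `k8s.io/apimachinery/pkg/util/validation`, the same module as the `schema` package this change already imports, and the rewrite below additionally needs `fmt`. The same helper is copy-pasted into `apis/expansion/groups.go`, `apis/mutations/group.go` and `apis/status/groups.go` in this commit, so one shared `groupName(envKey, fallback string) string` would let all of them pick up the validation.
```go
func getGroupFromEnvVars() string {
	value, exists := os.LookupEnv("CONFIG_GROUP_NAME")
	if !exists || value == "" {
		return "config.gatekeeper.sh"
	}
	// Fail fast: a malformed group would otherwise only show up as API-server rejections at run time.
	if errs := validation.IsDNS1123Subdomain(value); len(errs) > 0 {
		panic(fmt.Sprintf("CONFIG_GROUP_NAME %q is not a valid API group: %v", value, errs))
	}
	return value
}
```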
diff --git a/apis/expansion/v1beta1/groupversion_info.go b/apis/expansion/v1beta1/groupversion_info.go
index 843f98e7e..6fa029b00 100644
--- a/apis/expansion/v1beta1/groupversion_info.go
+++ b/apis/expansion/v1beta1/groupversion_info.go
@@ -19,6 +19,7 @@ limitations under the License.
 package v1beta1
 
 import (
+ "github.com/open-policy-agent/gatekeeper/v3/apis/expansion"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/runtime/schema"
 "sigs.k8s.io/controller-runtime/pkg/scheme"
@@ -26,7 +27,7 @@ import (
 
 var (
 // GroupVersion is group version used to register these objects.
- GroupVersion = schema.GroupVersion{Group: "expansion.gatekeeper.sh", Version: "v1beta1"}
+ GroupVersion = schema.GroupVersion{Group: expansion.ExpansionGroupName, Version: "v1beta1"}
 
 // SchemeBuilder is used to add go types to the GroupVersionKind scheme.
 SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
diff --git a/apis/mutations/group.go b/apis/mutations/group.go
new file mode 100644
index 000000000..7d52934de
--- /dev/null
+++ b/apis/mutations/group.go
@@ -0,0 +1,21 @@
+package mutations
+
+import (
+ "flag"
+ "os"
+)
+
+var MutationGroupName string = getGroupFromEnvVars()
+
+func init() {
+ flag.String("mutation-group-name", "mutations.gatekeeper.sh", "mutations group name")
+}
+
+func getGroupFromEnvVars() string {
+ value, exists := os.LookupEnv("MUTATIONS_GROUP_NAME")
+ if exists {
+ return value
+ }
+
+ return "mutations.gatekeeper.sh"
+}
diff --git a/apis/mutations/v1/groupversion_info.go b/apis/mutations/v1/groupversion_info.go
index eb5847396..c845c416a 100644
--- a/apis/mutations/v1/groupversion_info.go
+++ b/apis/mutations/v1/groupversion_info.go
@@ -19,6 +19,7 @@ limitations under the License.
 package v1
 
 import (
+ "github.com/open-policy-agent/gatekeeper/v3/apis/mutations"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/runtime/schema"
 "sigs.k8s.io/controller-runtime/pkg/scheme"
@@ -26,7 +27,7 @@ import (
 
 var (
 // GroupVersion is group version used to register these objects.
- GroupVersion = schema.GroupVersion{Group: "mutations.gatekeeper.sh", Version: "v1"}
+ GroupVersion = schema.GroupVersion{Group: mutations.MutationGroupName, Version: "v1"}
 
 // SchemeBuilder is used to add go types to the GroupVersionKind scheme.
 SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
diff --git a/apis/mutations/v1alpha1/groupversion_info.go b/apis/mutations/v1alpha1/groupversion_info.go
index ea6ba683f..bd83e2f38 100644
--- a/apis/mutations/v1alpha1/groupversion_info.go
+++ b/apis/mutations/v1alpha1/groupversion_info.go
@@ -19,6 +19,7 @@ limitations under the License.
 package v1alpha1
 
 import (
+ "github.com/open-policy-agent/gatekeeper/v3/apis/mutations"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/runtime/schema"
 "sigs.k8s.io/controller-runtime/pkg/scheme"
@@ -26,7 +27,7 @@ import (
 
 var (
 // GroupVersion is group version used to register these objects.
- GroupVersion = schema.GroupVersion{Group: "mutations.gatekeeper.sh", Version: "v1alpha1"}
+ GroupVersion = schema.GroupVersion{Group: mutations.MutationGroupName, Version: "v1alpha1"}
 
 // SchemeBuilder is used to add go types to the GroupVersionKind scheme.
 SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
diff --git a/apis/mutations/v1beta1/groupversion_info.go b/apis/mutations/v1beta1/groupversion_info.go
index 7fc6eaa57..4f91bb37e 100644
--- a/apis/mutations/v1beta1/groupversion_info.go
+++ b/apis/mutations/v1beta1/groupversion_info.go
@@ -19,6 +19,7 @@ limitations under the License.
 package v1beta1
 
 import (
+ "github.com/open-policy-agent/gatekeeper/v3/apis/mutations"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/runtime/schema"
 "sigs.k8s.io/controller-runtime/pkg/scheme"
@@ -26,7 +27,7 @@ import (
 
 var (
 // GroupVersion is group version used to register these objects.
- GroupVersion = schema.GroupVersion{Group: "mutations.gatekeeper.sh", Version: "v1beta1"}
+ GroupVersion = schema.GroupVersion{Group: mutations.MutationGroupName, Version: "v1beta1"}
 
 // SchemeBuilder is used to add go types to the GroupVersionKind scheme.
 SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
diff --git a/apis/status/groups.go b/apis/status/groups.go
new file mode 100644
index 000000000..4b631274a
--- /dev/null
+++ b/apis/status/groups.go
@@ -0,0 +1,31 @@
+package status
+
+import (
+ "flag"
+ "os"
+)
+
+var StatusGroupName string = getStatusGroupNameFromEnvVars()
+var ConstraintGroupName string = getConstraintGroupNameFromEnvVars()
+
+func getStatusGroupNameFromEnvVars() string {
+ value, exists := os.LookupEnv("STATUS_GROUP_NAME")
+ if exists {
+ return value
+ }
+
+ return "status.gatekeeper.sh"
+}
+
+func getConstraintGroupNameFromEnvVars() string {
+ value, exists := os.LookupEnv("CONSTRAINTS_GROUP_NAME")
+ if exists {
+ return value
+ }
+
+ return "constraints.gatekeeper.sh"
+}
+
+func init() {
+ flag.String("status-group-name", "status.gatekeeper.sh", "Status group name")
+}
diff --git a/apis/status/v1beta1/constraintpodstatus_types.go b/apis/status/v1beta1/constraintpodstatus_types.go
index 292a298d1..1c277fbfc 100644
--- a/apis/status/v1beta1/constraintpodstatus_types.go
+++ b/apis/status/v1beta1/constraintpodstatus_types.go
@@ -16,8 +16,10 @@ limitations under the License.
 package v1beta1
 
 import (
+ "flag"
 "strings"
 
+ "github.com/open-policy-agent/gatekeeper/v3/apis/status"
 "github.com/open-policy-agent/gatekeeper/v3/pkg/operations"
 "github.com/open-policy-agent/gatekeeper/v3/pkg/util"
 corev1 "k8s.io/api/core/v1"
@@ -29,7 +31,7 @@ import (
 )
 
 // ConstraintsGroup is the API Group for Gatekeeper Constraints.
-const ConstraintsGroup = "constraints.gatekeeper.sh"
+var ConstraintsGroup = status.ConstraintGroupName
 
 // ConstraintPodStatusStatus defines the observed state of ConstraintPodStatus.
 type ConstraintPodStatusStatus struct {
@@ -75,6 +77,7 @@ type ConstraintPodStatusList struct {
 
 func init() {
 SchemeBuilder.Register(&ConstraintPodStatus{}, &ConstraintPodStatusList{})
+ flag.String("constarints-group-name", "constraints.gatekeeper.sh", "Constraints group name")
 }
 
 // NewConstraintStatusForPod returns a constraint status object
diff --git a/apis/status/v1beta1/groupversion_info.go b/apis/status/v1beta1/groupversion_info.go
index 75d7ba295..b4bdf2611 100644
--- a/apis/status/v1beta1/groupversion_info.go
+++ b/apis/status/v1beta1/groupversion_info.go
@@ -19,13 +19,14 @@ limitations under the License.
 package v1beta1
 
 import (
+ "github.com/open-policy-agent/gatekeeper/v3/apis/status"
 "k8s.io/apimachinery/pkg/runtime/schema"
 "sigs.k8s.io/controller-runtime/pkg/scheme"
 )
 
 var (
 // GroupVersion is group version used to register these objects.
- GroupVersion = schema.GroupVersion{Group: "status.gatekeeper.sh", Version: "v1beta1"}
+ GroupVersion = schema.GroupVersion{Group: status.StatusGroupName, Version: "v1beta1"}
 
 // SchemeBuilder is used to add go types to the GroupVersionKind scheme.
 SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
diff --git a/apis/status/v1beta1/mutatorpodstatus_types.go b/apis/status/v1beta1/mutatorpodstatus_types.go
index fa13849ee..ca413c5bf 100644
--- a/apis/status/v1beta1/mutatorpodstatus_types.go
+++ b/apis/status/v1beta1/mutatorpodstatus_types.go
@@ -18,6 +18,7 @@ package v1beta1
 import (
 "strings"
 
+ "github.com/open-policy-agent/gatekeeper/v3/apis/mutations"
 mtypes "github.com/open-policy-agent/gatekeeper/v3/pkg/mutation/types"
 "github.com/open-policy-agent/gatekeeper/v3/pkg/operations"
 "github.com/open-policy-agent/gatekeeper/v3/pkg/util"
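Review bot: `ConstraintsGroup` changes from a `const` to an exported package-level `var`, so any importer can reassign the constraints API group at run time and every later status lookup in this package would follow it without a trace. If it has to be configurable, keep it read-only from outside, e.g. `func ConstraintsGroup() string { return status.ConstraintGroupName }` with callers updated, or at least document on the declaration that it is resolved once from `CONSTRAINTS_GROUP_NAME` at startup and must not be written. The naming also drifts within this commit: this package says `ConstraintsGroup`, the new `apis/status` package says `ConstraintGroupName`.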
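Review bot: The `--constarints-group-name` flag is registered inside the `init()` that registers scheme types, and its return value is thrown away, so it never influences `ConstraintsGroup`, which is already fixed from the env var by the time flags are parsed; an API types package should not own process flags at all. The name is also misspelled, and the chart templates in this same change repeat the misspelling in the container args, so fix both sides together (`--constraints-group-name`) or drop the flag here and keep the env-only configuration, which is what actually works. `NewConstraintStatusForPod` and the rest of the file continue outside this hunk.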
@@ -29,7 +30,7 @@ import (
 )
 
 // MutationsGroup is the API Group for Gatekeeper Mutators.
-const MutationsGroup = "mutations.gatekeeper.sh"
+var MutationsGroup = mutations.MutationGroupName
 
 // MutatorPodStatusStatus defines the observed state of MutatorPodStatus.
 type MutatorPodStatusStatus struct {
diff --git a/charts/gatekeeper/crds/assign-customresourcedefinition.yaml b/charts/gatekeeper/crds/assign-customresourcedefinition.yaml
index 0221a1948..86623a3a3 100644
--- a/charts/gatekeeper/crds/assign-customresourcedefinition.yaml
+++ b/charts/gatekeeper/crds/assign-customresourcedefinition.yaml
@@ -5,9 +5,9 @@ metadata:
 controller-gen.kubebuilder.io/version: v0.10.0
 labels:
 gatekeeper.sh/system: "yes"
- name: assign.mutations.gatekeeper.sh
+ name: assign.mutations.asafalg.sh
 spec:
- group: mutations.gatekeeper.sh
+ group: mutations.asafalg.sh
 names:
 kind: Assign
 listKind: AssignList
diff --git a/charts/gatekeeper/crds/assignimage-customresourcedefinition.yaml b/charts/gatekeeper/crds/assignimage-customresourcedefinition.yaml
index 197f2f179..a7c369aaf 100644
--- a/charts/gatekeeper/crds/assignimage-customresourcedefinition.yaml
+++ b/charts/gatekeeper/crds/assignimage-customresourcedefinition.yaml
@@ -5,9 +5,9 @@ metadata:
 controller-gen.kubebuilder.io/version: v0.10.0
 labels:
 gatekeeper.sh/system: "yes"
- name: assignimage.mutations.gatekeeper.sh
+ name: assignimage.mutations.asafalg.sh
 spec:
- group: mutations.gatekeeper.sh
+ group: mutations.asafalg.sh
 names:
 kind: AssignImage
 listKind: AssignImageList
diff --git a/charts/gatekeeper/crds/assignmetadata-customresourcedefinition.yaml b/charts/gatekeeper/crds/assignmetadata-customresourcedefinition.yaml
index 65c17ed3a..f043087c1 100644
--- a/charts/gatekeeper/crds/assignmetadata-customresourcedefinition.yaml
+++ b/charts/gatekeeper/crds/assignmetadata-customresourcedefinition.yaml
@@ -5,9 +5,9 @@ metadata:
 controller-gen.kubebuilder.io/version: v0.10.0
 labels:
 gatekeeper.sh/system: "yes"
- name: assignmetadata.mutations.gatekeeper.sh
+ name: assignmetadata.mutations.asafalg.sh
 spec:
- group: mutations.gatekeeper.sh
+ group: mutations.asafalg.sh
 names:
 kind: AssignMetadata
 listKind: AssignMetadataList
diff --git a/charts/gatekeeper/crds/config-customresourcedefinition.yaml b/charts/gatekeeper/crds/config-customresourcedefinition.yaml
index 269ca95f9..a700b0246 100644
--- a/charts/gatekeeper/crds/config-customresourcedefinition.yaml
+++ b/charts/gatekeeper/crds/config-customresourcedefinition.yaml
@@ -5,9 +5,9 @@ metadata:
 controller-gen.kubebuilder.io/version: v0.10.0
 labels:
 gatekeeper.sh/system: "yes"
- name: configs.config.gatekeeper.sh
+ name: configs.config.asafalg.sh
 spec:
- group: config.gatekeeper.sh
+ group: config.asafalg.sh
 names:
 kind: Config
 listKind: ConfigList
diff --git a/charts/gatekeeper/crds/constraintpodstatus-customresourcedefinition.yaml b/charts/gatekeeper/crds/constraintpodstatus-customresourcedefinition.yaml
index 230a541bb..f97df619d 100644
--- a/charts/gatekeeper/crds/constraintpodstatus-customresourcedefinition.yaml
+++ b/charts/gatekeeper/crds/constraintpodstatus-customresourcedefinition.yaml
@@ -5,9 +5,9 @@ metadata:
 controller-gen.kubebuilder.io/version: v0.10.0
 labels:
 gatekeeper.sh/system: "yes"
- name: constraintpodstatuses.status.gatekeeper.sh
+ name: constraintpodstatuses.status.asafalg.sh
 spec:
- group: status.gatekeeper.sh
+ group: status.asafalg.sh
 names:
 kind: ConstraintPodStatus
 listKind: ConstraintPodStatusList
diff --git a/charts/gatekeeper/crds/constrainttemplate-customresourcedefinition.yaml b/charts/gatekeeper/crds/constrainttemplate-customresourcedefinition.yaml
index afc89d03b..aa8595004 100644
--- a/charts/gatekeeper/crds/constrainttemplate-customresourcedefinition.yaml
+++ b/charts/gatekeeper/crds/constrainttemplate-customresourcedefinition.yaml
@@ -5,9 +5,9 @@ metadata:
 controller-gen.kubebuilder.io/version: v0.10.0
 labels:
 gatekeeper.sh/system: "yes"
- name: constrainttemplates.templates.gatekeeper.sh
+ name: constrainttemplates.templates.asafalg.sh
 spec:
- group: templates.gatekeeper.sh
+ group: templates.asafalg.sh
 names:
 kind: ConstraintTemplate
 listKind: ConstraintTemplateList
diff --git a/charts/gatekeeper/crds/constrainttemplatepodstatus-customresourcedefinition.yaml b/charts/gatekeeper/crds/constrainttemplatepodstatus-customresourcedefinition.yaml
index 271572bd7..adc733253 100644
--- a/charts/gatekeeper/crds/constrainttemplatepodstatus-customresourcedefinition.yaml
+++ b/charts/gatekeeper/crds/constrainttemplatepodstatus-customresourcedefinition.yaml
@@ -5,9 +5,9 @@ metadata:
 controller-gen.kubebuilder.io/version: v0.10.0
 labels:
 gatekeeper.sh/system: "yes"
- name: constrainttemplatepodstatuses.status.gatekeeper.sh
+ name: constrainttemplatepodstatuses.status.asafalg.sh
 spec:
- group: status.gatekeeper.sh
+ group: status.asafalg.sh
 names:
 kind: ConstraintTemplatePodStatus
 listKind: ConstraintTemplatePodStatusList
diff --git a/charts/gatekeeper/crds/expansiontemplate-customresourcedefinition.yaml b/charts/gatekeeper/crds/expansiontemplate-customresourcedefinition.yaml
index 0452edb77..cf7372be3 100644
--- a/charts/gatekeeper/crds/expansiontemplate-customresourcedefinition.yaml
+++ b/charts/gatekeeper/crds/expansiontemplate-customresourcedefinition.yaml
@@ -5,9 +5,9 @@ metadata:
 controller-gen.kubebuilder.io/version: v0.10.0
 labels:
 gatekeeper.sh/system: "yes"
- name: expansiontemplate.expansion.gatekeeper.sh
+ name: expansiontemplate.expansion.asafalg.sh
 spec:
- group: expansion.gatekeeper.sh
+ group: expansion.asafalg.sh
 names:
 kind: ExpansionTemplate
 listKind: ExpansionTemplateList
diff --git a/charts/gatekeeper/crds/expansiontemplatepodstatus-customresourcedefinition.yaml b/charts/gatekeeper/crds/expansiontemplatepodstatus-customresourcedefinition.yaml
index 8f49b4c5f..51930619b 100644
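Review bot: The ConstraintTemplate CRD moves to `templates.asafalg.sh`, but unlike `config`, `expansion`, `mutations` and `status`, this change adds no Go-side group variable for `templates`, while the chart templates pass `--template-group-name` and `TEMPLATE_GROUP_NAME` to the binaries. If the ConstraintTemplate types and their watcher still register under `templates.gatekeeper.sh` (that code is not in this diff, so I cannot confirm), the controllers will watch a group that has no CRD installed and every ConstraintTemplate will be silently ignored, which in turn means no constraints and no enforcement at all. Please point to where `TEMPLATE_GROUP_NAME` is consumed, or add the same env-driven override for `templates` before this is merged.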
--- a/charts/gatekeeper/crds/expansiontemplatepodstatus-customresourcedefinition.yaml
+++ b/charts/gatekeeper/crds/expansiontemplatepodstatus-customresourcedefinition.yaml
@@ -5,9 +5,9 @@ metadata:
 controller-gen.kubebuilder.io/version: v0.10.0
 labels:
 gatekeeper.sh/system: "yes"
- name: expansiontemplatepodstatuses.status.gatekeeper.sh
+ name: expansiontemplatepodstatuses.status.asafalg.sh
 spec:
- group: status.gatekeeper.sh
+ group: status.asafalg.sh
 names:
 kind: ExpansionTemplatePodStatus
 listKind: ExpansionTemplatePodStatusList
diff --git a/charts/gatekeeper/crds/modifyset-customresourcedefinition.yaml b/charts/gatekeeper/crds/modifyset-customresourcedefinition.yaml
index 46574fd36..0bdf5074f 100644
--- a/charts/gatekeeper/crds/modifyset-customresourcedefinition.yaml
+++ b/charts/gatekeeper/crds/modifyset-customresourcedefinition.yaml
@@ -5,9 +5,9 @@ metadata:
 controller-gen.kubebuilder.io/version: v0.10.0
 labels:
 gatekeeper.sh/system: "yes"
- name: modifyset.mutations.gatekeeper.sh
+ name: modifyset.mutations.asafalg.sh
 spec:
- group: mutations.gatekeeper.sh
+ group: mutations.asafalg.sh
 names:
 kind: ModifySet
 listKind: ModifySetList
diff --git a/charts/gatekeeper/crds/mutatorpodstatus-customresourcedefinition.yaml b/charts/gatekeeper/crds/mutatorpodstatus-customresourcedefinition.yaml
index fd6a0f6de..0851df674 100644
--- a/charts/gatekeeper/crds/mutatorpodstatus-customresourcedefinition.yaml
+++ b/charts/gatekeeper/crds/mutatorpodstatus-customresourcedefinition.yaml
@@ -5,9 +5,9 @@ metadata:
 controller-gen.kubebuilder.io/version: v0.10.0
 labels:
 gatekeeper.sh/system: "yes"
- name: mutatorpodstatuses.status.gatekeeper.sh
+ name: mutatorpodstatuses.status.asafalg.sh
 spec:
- group: status.gatekeeper.sh
+ group: status.asafalg.sh
 names:
 kind: MutatorPodStatus
 listKind: MutatorPodStatusList
diff --git a/charts/gatekeeper/crds/provider-customresourcedefinition.yaml b/charts/gatekeeper/crds/provider-customresourcedefinition.yaml
index 177afbb67..6881063c6 100644
--- a/charts/gatekeeper/crds/provider-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/provider-customresourcedefinition.yaml @@ -5,9 +5,9 @@ metadata: controller-gen.kubebuilder.io/version: v0.10.0 labels: gatekeeper.sh/system: "yes" - name: providers.externaldata.gatekeeper.sh + name: providers.externaldata.asafalg.sh spec: - group: externaldata.gatekeeper.sh + group: externaldata.asafalg.sh names: kind: Provider listKind: ProviderList diff --git a/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml b/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml index 33c1cbecc..002811e1f 100644 --- a/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml +++ b/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml @@ -85,6 +85,10 @@ spec: {{- end }} - --disable-cert-rotation={{ or .Values.audit.disableCertRotation .Values.externalCertInjection.enabled }} - --external-data-provider-response-cache-ttl={{ .Values.externaldataProviderResponseCacheTTL }} + - --constraint-template-crd-name={{ .Values.crdNames.constraintTemplateCrdName }} + - --template-group-name={{ .Values.crdNames.templatesGroupName }} + - --constarints-group-name={{ .Values.crdNames.constarintsGroupName }} + - --status-group-name={{ .Values.crdNames.statusGroupName }} command: - /manager env: 
@@ -106,6 +110,20 @@ spec: value: manager - name: OTEL_RESOURCE_ATTRIBUTES value: k8s.pod.name=$(POD_NAME),k8s.namespace.name=$(NAMESPACE),k8s.container.name=$(CONTAINER_NAME) + - name: TEMPLATE_GROUP_NAME + value: {{ .Values.crdNames.templatesGroupName }} + - name: CONSTRAINTS_GROUP_NAME + value: {{ .Values.crdNames.constarintsGroupName }} + - name: CONSTRAINT_TEMPLATE_GROUP_NAME + value: {{ .Values.crdNames.constraintTemplateCrdName }} + - name: STATUS_GROUP_NAME + value: {{ .Values.crdNames.statusGroupName }} + - name: MUTATIONS_GROUP_NAME + value: {{ .Values.crdNames.mutationsGroupName }} + - name: EXPANSION_GROUP_NAME + value: {{ .Values.crdNames.expansionGroupName }} + - name: EXTERNALDATA_GROUP_NAME + value: {{ .Values.crdNames.externalDataGroupName }} imagePullPolicy: '{{ .Values.image.pullPolicy }}' livenessProbe: httpGet: diff --git a/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml b/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml index 9edd16218..4af726c56 100644 --- a/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml +++ b/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml @@ -71,6 +71,10 @@ spec: - --validating-webhook-configuration-name={{ .Values.validatingWebhookName }} - --mutating-webhook-configuration-name={{ .Values.mutatingWebhookName }} - --external-data-provider-response-cache-ttl={{ .Values.externaldataProviderResponseCacheTTL }} + - --constraint-template-crd-name={{ .Values.crdNames.constraintTemplateCrdName }} + - --template-group-name={{ .Values.crdNames.templatesGroupName }} + - --constarints-group-name={{ .Values.crdNames.constarintsGroupName }} + - --status-group-name={{ .Values.crdNames.statusGroupName }} {{ if ne .Values.controllerManager.clientCertName "" }}- --client-cert-name={{ .Values.controllerManager.clientCertName }}{{- end }} {{- range .Values.metricsBackends}} 
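Review bot: `CONFIG_GROUP_NAME` is never exported to the audit container although `apis/config/groups.go` in this change reads exactly that variable, and the chart's `values.yaml` and the Config CRD in this change move the group to `config.asafalg.sh`; the binary will therefore default to `config.gatekeeper.sh` and never see the Config object that is actually installed. As far as I recall upstream Gatekeeper, that object carries the data-sync and namespace-exclusion settings, so the failure is silent: no error, just settings that are not applied. Add `- name: CONFIG_GROUP_NAME` / `value: {{ .Values.crdNames.configGroupName | quote }}` next to the others, and quote every value in this list the same way, since an unquoted template value that happens to parse as a number or boolean is rejected by the API server as a non-string env value. The container spec continues outside the hunk.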
@@ -119,6 +123,20 @@ spec: value: manager - name: OTEL_RESOURCE_ATTRIBUTES value: k8s.pod.name=$(POD_NAME),k8s.namespace.name=$(NAMESPACE),k8s.container.name=$(CONTAINER_NAME) + - name: TEMPLATE_GROUP_NAME + value: {{ .Values.crdNames.templatesGroupName }} + - name: CONSTRAINTS_GROUP_NAME + value: {{ .Values.crdNames.constarintsGroupName }} + - name: CONSTAINT_TEMPLATE_GROUP_NAME + value: {{ .Values.crdNames.constraintTemplateCrdName }} + - name: STATUS_GROUP_NAME + value: {{ .Values.crdNames.statusGroupName }} + - name: EXPANSION_GROUP_NAME + value: {{ .Values.crdNames.expansionGroupName }} + - name: EXTERNALDATA_GROUP_NAME + value: {{ .Values.crdNames.externalDataGroupName }} + - name: MUTATIONS_GROUP_NAME + value: {{ .Values.crdNames.mutationsGroupName }} imagePullPolicy: '{{ .Values.image.pullPolicy }}' livenessProbe: httpGet: diff --git a/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml b/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml index 3e5592336..55e903798 100644 --- a/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml +++ b/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml @@ -9,7 +9,7 @@ metadata: gatekeeper.sh/system: "yes" heritage: '{{ .Release.Service }}' release: '{{ .Release.Name }}' - name: gatekeeper-manager-role + name: {{ .Values.managerRoleName }} rules: - apiGroups: - "" @@ -71,7 +71,7 @@ rules: - patch - update - apiGroups: - - constraints.gatekeeper.sh + - {{ .Values.crdNames.constarintsGroupName }} resources: - '*' verbs: @@ -83,7 +83,7 @@ rules: - update - watch - apiGroups: - - expansion.gatekeeper.sh + - {{ .Values.crdNames.expansionGroupName }} resources: - '*' verbs: @@ -95,7 +95,7 @@ rules: - update - watch - apiGroups: - - externaldata.gatekeeper.sh + - {{ .Values.crdNames.externalDataGroupName }} resources: - providers verbs: 
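Review bot: `CONSTAINT_TEMPLATE_GROUP_NAME` here is spelled differently from `CONSTRAINT_TEMPLATE_GROUP_NAME` in the audit deployment in this same change, so whichever name the binary reads, one of the two pods gets the default and audit and the admission webhook end up looking at different API groups. Use one spelling (`CONSTRAINT_TEMPLATE_GROUP_NAME`) in both templates, and note that this deployment, like the audit one, still lacks `CONFIG_GROUP_NAME` even though the Go code in this change reads it. The rest of the container spec continues outside the hunk.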
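Review bot: Templating `apiGroups` from `.Values.crdNames.constarintsGroupName` with no guard turns a missing or empty value into an empty group entry, and in RBAC the empty group is the core API; combined with `resources: ['*']` and the create/delete/patch verbs of this rule, a mistyped values key would (I believe, since Helm renders a missing key as an empty string) grant the `gatekeeper-admin` service account write access to every core resource in the cluster instead of to constraints. Render it as `- {{ required "crdNames.constarintsGroupName must be set" .Values.crdNames.constarintsGroupName | quote }}` and do the same for the `expansion`, `externaldata`, `mutations`, `status` and `templates` entries in this file. The key name carries the `constarints` misspelling from the Go flag; at least add a comment in `values.yaml` that it is intentional so nobody corrects one side only.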
@@ -107,7 +107,7 @@ rules: - update - watch - apiGroups: - - mutations.gatekeeper.sh + - {{ .Values.crdNames.mutationsGroupName }} resources: - '*' verbs: @@ -129,7 +129,7 @@ rules: - use {{- end }} - apiGroups: - - status.gatekeeper.sh + - {{ .Values.crdNames.statusGroupName }} resources: - '*' verbs: @@ -141,7 +141,7 @@ rules: - update - watch - apiGroups: - - templates.gatekeeper.sh + - {{ .Values.crdNames.templatesGroupName }} resources: - constrainttemplates verbs: @@ -153,7 +153,7 @@ rules: - update - watch - apiGroups: - - templates.gatekeeper.sh + - {{ .Values.crdNames.templatesGroupName }} resources: - constrainttemplates/finalizers verbs: @@ -162,7 +162,7 @@ rules: - patch - update - apiGroups: - - templates.gatekeeper.sh + - {{ .Values.crdNames.templatesGroupName }} resources: - constrainttemplates/status verbs: diff --git a/charts/gatekeeper/templates/gatekeeper-manager-role-role.yaml b/charts/gatekeeper/templates/gatekeeper-manager-role-role.yaml index 1018dcdb6..2fa573daf 100644 --- a/charts/gatekeeper/templates/gatekeeper-manager-role-role.yaml +++ b/charts/gatekeeper/templates/gatekeeper-manager-role-role.yaml @@ -9,7 +9,7 @@ metadata: gatekeeper.sh/system: "yes" heritage: '{{ .Release.Service }}' release: '{{ .Release.Name }}' - name: gatekeeper-manager-role + name: {{ .Values.managerRoleName }} namespace: '{{ .Release.Namespace }}' rules: - apiGroups: diff --git a/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml b/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml index 1fb9f6c87..b8bc72f30 100644 --- a/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml +++ b/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml 
@@ -8,11 +8,11 @@ metadata: gatekeeper.sh/system: "yes" heritage: '{{ .Release.Service }}' release: '{{ .Release.Name }}' - name: gatekeeper-manager-rolebinding + name: {{ .Values.roleBindingName }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: gatekeeper-manager-role + name: {{ .Values.managerRoleName }} subjects: - kind: ServiceAccount name: gatekeeper-admin diff --git a/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-rolebinding.yaml b/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-rolebinding.yaml index fbe9580d5..36505e4a2 100644 --- a/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-rolebinding.yaml +++ b/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-rolebinding.yaml @@ -8,12 +8,12 @@ metadata: gatekeeper.sh/system: "yes" heritage: '{{ .Release.Service }}' release: '{{ .Release.Name }}' - name: gatekeeper-manager-rolebinding + name: {{ .Values.roleBindingName }} namespace: '{{ .Release.Namespace }}' roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: gatekeeper-manager-role + name: {{ .Values.managerRoleName }} subjects: - kind: ServiceAccount name: gatekeeper-admin diff --git a/charts/gatekeeper/values.yaml b/charts/gatekeeper/values.yaml index eaf5a7396..8a69a4cef 100644 --- a/charts/gatekeeper/values.yaml +++ b/charts/gatekeeper/values.yaml @@ -7,7 +7,7 @@ constraintViolationsLimit: 20 auditFromCache: false disableMutation: false disableValidatingWebhook: false -validatingWebhookName: gatekeeper-validating-webhook-configuration +validatingWebhookName: mdc-gatekeeper-validating-webhook-configuration validatingWebhookTimeoutSeconds: 3 validatingWebhookFailurePolicy: Ignore validatingWebhookAnnotations: {} 
@@ -17,11 +17,11 @@ validatingWebhookCheckIgnoreFailurePolicy: Fail validatingWebhookCustomRules: {} validatingWebhookURL: null enableDeleteOperations: false -enableExternalData: true +enableExternalData: false enableGeneratorResourceExpansion: true enableTLSHealthcheck: false maxServingThreads: -1 -mutatingWebhookName: gatekeeper-mutating-webhook-configuration +mutatingWebhookName: mdc-gatekeeper-mutating-webhook-configuration mutatingWebhookFailurePolicy: Ignore mutatingWebhookReinvocationPolicy: Never mutatingWebhookAnnotations: {} 
@@ -41,43 +41,48 @@ admissionEventsInvolvedNamespace: false auditEventsInvolvedNamespace: false resourceQuota: true externaldataProviderResponseCacheTTL: 3m +managerRoleName: mdc-gatekeeper-manager-role +roleBindingName: mdc-gatekeeper-manager-rolebinding image: - repository: openpolicyagent/gatekeeper - crdRepository: openpolicyagent/gatekeeper-crds - release: v3.16.0-beta.0 - pullPolicy: IfNotPresent + repository: testacrasafalg.azurecr.io/gatekeeper-mdc-vanilla + crdRepository: testacrasafalg.azurecr.io/gatekeeper-crds-mdc + release: latest + pullPolicy: Always pullSecrets: [] preInstall: crdRepository: image: repository: null - tag: v3.16.0-beta.0 + tag: latest postUpgrade: labelNamespace: enabled: false image: - repository: openpolicyagent/gatekeeper-crds - tag: v3.16.0-beta.0 - pullPolicy: IfNotPresent + repository: testacrasafalg.azurecr.io/gatekeeper-crds-mdc + tag: latest + pullPolicy: Always pullSecrets: [] extraNamespaces: [] - podSecurity: ["pod-security.kubernetes.io/audit=restricted", - "pod-security.kubernetes.io/audit-version=latest", - "pod-security.kubernetes.io/warn=restricted", - "pod-security.kubernetes.io/warn-version=latest", - "pod-security.kubernetes.io/enforce=restricted", - "pod-security.kubernetes.io/enforce-version=v1.24"] + podSecurity: + [ + "pod-security.kubernetes.io/audit=restricted", + "pod-security.kubernetes.io/audit-version=latest", + "pod-security.kubernetes.io/warn=restricted", + "pod-security.kubernetes.io/warn-version=latest", + "pod-security.kubernetes.io/enforce=restricted", + "pod-security.kubernetes.io/enforce-version=v1.24", + ] extraAnnotations: {} priorityClassName: "" affinity: {} tolerations: [] - nodeSelector: {kubernetes.io/os: linux} + nodeSelector: { kubernetes.io/os: linux } resources: {} securityContext: allowPrivilegeEscalation: false capabilities: drop: - - ALL + - ALL readOnlyRootFilesystem: true runAsGroup: 999 runAsNonRoot: true 
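Review bot: The default images now point at `testacrasafalg.azurecr.io/...` with `release: latest` / `tag: latest` and `pullPolicy: Always`, so every pod restart pulls whatever was last pushed to that registry; the running admission controller is no longer reproducible from the chart, and anyone with push rights to that registry can change the webhook's code cluster-wide without any Helm change. Pin an immutable tag or, better, a digest (`release: "v3.16.0@sha256:..."`) and keep `IfNotPresent`, and do not ship a personal test registry as the chart default — make it a `required` value or keep the upstream `openpolicyagent/...` repositories and override them in a separate values file. This applies to `image`, `preInstall.crdRepository.image.tag` and `postUpgrade.labelNamespace.image` in this hunk and to the `postInstall`/`preUninstall` images further down.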
@@ -87,17 +92,20 @@ postInstall: enabled: true extraRules: [] image: - repository: openpolicyagent/gatekeeper-crds - tag: v3.16.0-beta.0 - pullPolicy: IfNotPresent + repository: testacrasafalg.azurecr.io/gatekeeper-crds-mdc + tag: latest + pullPolicy: Always pullSecrets: [] extraNamespaces: [] - podSecurity: ["pod-security.kubernetes.io/audit=restricted", - "pod-security.kubernetes.io/audit-version=latest", - "pod-security.kubernetes.io/warn=restricted", - "pod-security.kubernetes.io/warn-version=latest", - "pod-security.kubernetes.io/enforce=restricted", - "pod-security.kubernetes.io/enforce-version=v1.24"] + podSecurity: + [ + "pod-security.kubernetes.io/audit=restricted", + "pod-security.kubernetes.io/audit-version=latest", + "pod-security.kubernetes.io/warn=restricted", + "pod-security.kubernetes.io/warn-version=latest", + "pod-security.kubernetes.io/enforce=restricted", + "pod-security.kubernetes.io/enforce-version=v1.24", + ] extraAnnotations: {} priorityClassName: "" probeWebhook: @@ -105,7 +113,7 @@ postInstall: image: repository: curlimages/curl tag: 7.83.1 - pullPolicy: IfNotPresent + pullPolicy: Always pullSecrets: [] waitTimeout: 60 httpTimeout: 2 @@ -113,12 +121,12 @@ postInstall: priorityClassName: "" affinity: {} tolerations: [] - nodeSelector: {kubernetes.io/os: linux} + nodeSelector: { kubernetes.io/os: linux } securityContext: allowPrivilegeEscalation: false capabilities: drop: - - ALL + - ALL readOnlyRootFilesystem: true runAsGroup: 999 runAsNonRoot: true 
@@ -128,20 +136,20 @@ preUninstall: extraRules: [] enabled: false image: - repository: openpolicyagent/gatekeeper-crds - tag: v3.16.0-beta.0 - pullPolicy: IfNotPresent + repository: testacrasafalg.azurecr.io/gatekeeper-crds-mdc + tag: latest + pullPolicy: Always pullSecrets: [] priorityClassName: "" affinity: {} tolerations: [] - nodeSelector: {kubernetes.io/os: linux} + nodeSelector: { kubernetes.io/os: linux } resources: {} securityContext: allowPrivilegeEscalation: false capabilities: drop: - - ALL + - ALL readOnlyRootFilesystem: true runAsGroup: 999 runAsNonRoot: true @@ -181,7 +189,7 @@ controllerManager: weight: 100 topologySpreadConstraints: [] tolerations: [] - nodeSelector: {kubernetes.io/os: linux} + nodeSelector: { kubernetes.io/os: linux } resources: limits: memory: 512Mi @@ -192,7 +200,7 @@ controllerManager: allowPrivilegeEscalation: false capabilities: drop: - - ALL + - ALL readOnlyRootFilesystem: true runAsGroup: 999 runAsNonRoot: true @@ -204,7 +212,8 @@ controllerManager: extraRules: [] networkPolicy: enabled: false - ingress: { } + ingress: + {} # - from: # - ipBlock: # cidr: 0.0.0.0/0 @@ -222,7 +231,7 @@ audit: disableCertRotation: false affinity: {} tolerations: [] - nodeSelector: {kubernetes.io/os: linux} + nodeSelector: { kubernetes.io/os: linux } resources: limits: memory: 512Mi @@ -233,7 +242,7 @@ audit: allowPrivilegeEscalation: false capabilities: drop: - - ALL + - ALL readOnlyRootFilesystem: true runAsGroup: 999 runAsNonRoot: true @@ -247,13 +256,13 @@ audit: crds: affinity: {} tolerations: [] - nodeSelector: {kubernetes.io/os: linux} + nodeSelector: { kubernetes.io/os: linux } resources: {} securityContext: allowPrivilegeEscalation: false capabilities: drop: - - ALL + - ALL readOnlyRootFilesystem: true runAsGroup: 65532 runAsNonRoot: true @@ -266,7 +275,7 @@ disabledBuiltins: ["{http.send}"] psp: enabled: false upgradeCRDs: - enabled: true + enabled: false extraRules: [] priorityClassName: "" rbac: 
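Review bot: `upgradeCRDs.enabled` flips to `false` in the same change that renames every CRD group, so, assuming the hook does what its name says, a `helm upgrade` will not install the new `*.asafalg.sh` CRDs and the upgraded controllers (pulled as `latest`) will start against a cluster that still only has the `*.gatekeeper.sh` CRDs; the config, status and template watchers then see nothing until someone applies the CRDs by hand. If disabling the hook is deliberate, say so in a comment next to the key, e.g. `# CRDs are applied out of band; see README`, and document the manual step; otherwise keep it enabled for this migration. The hook job definition itself is outside this hunk.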
@@ -274,3 +283,12 @@ rbac: externalCertInjection: enabled: false secretName: gatekeeper-webhook-server-cert +crdNames: + constraintTemplateCrdName: "constrainttemplates.templates.asafalg.sh" + constarintsGroupName: "constraints.asafalg.sh" + templatesGroupName: "templates.asafalg.sh" + statusGroupName: "status.asafalg.sh" + mutationsGroupName: "mutations.asafalg.sh" + configGroupName: "config.asafalg.sh" + expansionGroupName: "expansion.asafalg.sh" + externalDataGroupName: "externaldata.asafalg.sh" diff --git a/go.mod b/go.mod index 4c9fb6af2..addac64a3 100644 --- a/go.mod +++ b/go.mod @@ -34,7 +34,7 @@ require ( golang.org/x/oauth2 v0.16.0 golang.org/x/sync v0.6.0 golang.org/x/time v0.5.0 - google.golang.org/grpc v1.61.0 + google.golang.org/grpc v1.61.1 google.golang.org/protobuf v1.33.0 gopkg.in/yaml.v2 v2.4.0 gopkg.in/yaml.v3 v3.0.1 diff --git a/go.sum b/go.sum index b51adeaf9..250b469bd 100644 --- a/go.sum +++ b/go.sum @@ -539,8 +539,8 @@ google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyac google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.61.0 h1:TOvOcuXn30kRao+gfcvsebNEa5iZIiLkisYEkf7R7o0= -google.golang.org/grpc v1.61.0/go.mod h1:VUbo7IFqmF1QtCAstipjG0GIoq49KvMe9+h1jFLBNJs= +google.golang.org/grpc v1.61.1 h1:kLAiWrZs7YeDM6MumDe7m3y4aM6wacLzM1Y/wiLP9XY= +google.golang.org/grpc v1.61.1/go.mod h1:VUbo7IFqmF1QtCAstipjG0GIoq49KvMe9+h1jFLBNJs= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= 
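Review bot: The new `crdNames` block has a typo in the key `constarintsGroupName` (should be `constraintsGroupName`), and every default value points at `*.asafalg.sh` rather than the project's `gatekeeper.sh` groups, so a default install would register or look up API groups that do not match the CRDs Gatekeeper ships. As far as this diff shows, no chart template consumes these values yet, so they are currently dead configuration; if they are meant to feed the `*_GROUP_NAME` environment variables introduced in the Go changes, the defaults should mirror the hard-coded Go defaults (`constrainttemplates.templates.gatekeeper.sh`, `constraints.gatekeeper.sh`, …) so that an unmodified chart and an unmodified binary agree.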
diff --git a/main.go b/main.go index e609948ba..8ed73a0ae 100644 --- a/main.go +++ b/main.go @@ -31,10 +31,12 @@ import ( "github.com/go-logr/zapr" "github.com/open-policy-agent/cert-controller/pkg/rotator" + externaldataapi "github.com/open-policy-agent/frameworks/constraint/pkg/apis/externaldata" constraintclient "github.com/open-policy-agent/frameworks/constraint/pkg/client" "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/k8scel" "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego" frameworksexternaldata "github.com/open-policy-agent/frameworks/constraint/pkg/externaldata" + api "github.com/open-policy-agent/gatekeeper/v3/apis" configv1alpha1 "github.com/open-policy-agent/gatekeeper/v3/apis/config/v1alpha1" expansionv1alpha1 "github.com/open-policy-agent/gatekeeper/v3/apis/expansion/v1alpha1" @@ -47,6 +49,7 @@ import ( "github.com/open-policy-agent/gatekeeper/v3/pkg/controller" "github.com/open-policy-agent/gatekeeper/v3/pkg/controller/config/process" "github.com/open-policy-agent/gatekeeper/v3/pkg/controller/constraint" + "github.com/open-policy-agent/gatekeeper/v3/pkg/controller/constrainttemplate" "github.com/open-policy-agent/gatekeeper/v3/pkg/expansion" "github.com/open-policy-agent/gatekeeper/v3/pkg/externaldata" "github.com/open-policy-agent/gatekeeper/v3/pkg/metrics" 
@@ -134,6 +137,7 @@ func init() { // +kubebuilder:scaffold:scheme flag.Var(disabledBuiltins, "disable-opa-builtin", "disable opa built-in function, this flag can be declared more than once.") flag.Var(&constraint.VapEnforcement, "vap-enforcement", "control VAP resource generation. Allowed values are NONE: do not generate, GATEKEEPER_DEFAULT: do not generate unless label gatekeeper.sh/use-vap: yes is added to policy explicitly, VAP_DEFAULT: generate unless label gatekeeper.sh/use-vap: no is added to policy explicitly.") + flag.String("constraint-template-crd-name", "constrainttemplates.templates.gatekeeper.sh", "Constraint template CRD name. defaults to: constrainttemplates.templates.gatekeeper.sh") } func main() { @@ -213,6 +217,8 @@ func innerMain() int { config := ctrl.GetConfigOrDie() config.UserAgent = version.GetUserAgent("gatekeeper") setupLog.Info("setting up manager", "user agent", config.UserAgent) + setupLog.Info("Constraint template name", "crd-name", constrainttemplate.ConstraintTemplateCrdName) + setupLog.Info("externaldata group name", "group", externaldataapi.ExternalDataGroupName) var webhooks []rotator.WebhookInfo webhooks = webhook.AppendValidationWebhookIfEnabled(webhooks) diff --git a/pkg/audit/manager.go b/pkg/audit/manager.go index 16bb6a3f4..f1bd065a5 100644 --- a/pkg/audit/manager.go +++ b/pkg/audit/manager.go @@ -17,7 +17,9 @@ import ( "github.com/go-logr/logr" constraintclient "github.com/open-policy-agent/frameworks/constraint/pkg/client" "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers" + "github.com/open-policy-agent/gatekeeper/v3/apis/status/v1beta1" "github.com/open-policy-agent/gatekeeper/v3/pkg/controller/config/process" + "github.com/open-policy-agent/gatekeeper/v3/pkg/controller/constrainttemplate" pubsubController "github.com/open-policy-agent/gatekeeper/v3/pkg/controller/pubsub" "github.com/open-policy-agent/gatekeeper/v3/pkg/expansion" "github.com/open-policy-agent/gatekeeper/v3/pkg/logging" 
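Review bot: `flag.String("constraint-template-crd-name", …)` in `init()` discards its return value, so the flag is parsed but never read; the name actually used by the audit and upgrade managers is `constrainttemplate.ConstraintTemplateCrdName`, which this diff populates from an environment variable, not from this flag. Bind the flag to that variable so the two cannot diverge: `flag.StringVar(&constrainttemplate.ConstraintTemplateCrdName, "constraint-template-crd-name", constrainttemplate.ConstraintTemplateCrdName, "constraint template CRD name")` — using the env-derived value as the default keeps current behaviour when the flag is absent, and the "defaults to: …" suffix in the help text becomes redundant because the flag package prints defaults itself. Consumers that copy the value into package-level variables at init time will only see a flag override if they read it after `flag.Parse()`, so check the use sites before relying on the flag. The two `setupLog.Info` lines added to `innerMain` are fine as startup diagnostics.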
@@ -47,8 +49,6 @@ import ( var log = logf.Log.WithName("controller").WithValues(logging.Process, "audit") const ( - crdName = "constrainttemplates.templates.gatekeeper.sh" - constraintsGV = "constraints.gatekeeper.sh/v1beta1" msgSize = 256 defaultAuditInterval = 60 defaultConstraintViolationsLimit = 20 @@ -58,6 +58,10 @@ const ( defaultChannel = "audit-channel" ) +var ( + constraintsGV = v1beta1.ConstraintsGroup + "/v1beta1" +) + var ( auditInterval = flag.Uint("audit-interval", defaultAuditInterval, "interval to run audit in seconds. defaulted to 60 secs if unspecified, 0 to disable") constraintViolationsLimit = flag.Uint("constraint-violations-limit", defaultConstraintViolationsLimit, "limit of number of violations per constraint. defaulted to 20 violations if unspecified") @@ -252,7 +256,7 @@ func (am *Manager) audit(ctx context.Context) error { am.client = c // don't audit anything until the constraintTemplate crd is in the cluster if err := am.ensureCRDExists(ctx); err != nil { - am.log.Info("Audit exits, required crd has not been deployed ", "CRD", crdName) + am.log.Info("Audit exits, required crd has not been deployed ", "CRD", constrainttemplate.ConstraintTemplateCrdName) return nil } @@ -776,7 +780,8 @@ func (am *Manager) Start(ctx context.Context) error { func (am *Manager) ensureCRDExists(ctx context.Context) error { crd := &apiextensionsv1.CustomResourceDefinition{} - return am.client.Get(ctx, types.NamespacedName{Name: crdName}, crd) + log.Info("Ensuring CRD exists", "crd", constrainttemplate.ConstraintTemplateCrdName) + return am.client.Get(ctx, types.NamespacedName{Name: constrainttemplate.ConstraintTemplateCrdName}, crd) } func (am *Manager) getAllConstraintKinds() ([]schema.GroupVersionKind, error) { 
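Review bot: The new `log.Info("Ensuring CRD exists", …)` in `ensureCRDExists` uses the package-level `log` while the surrounding method code logs through `am.log`, and both it and the `log.Info("Getting all constraints", …)` added to `getAllConstraintKinds` on the next line fire on every audit cycle at default verbosity with a value that never changes, so they will flood the audit log. Use the receiver's logger at debug verbosity, `am.log.V(1).Info("ensuring CRD exists", "crd", constrainttemplate.ConstraintTemplateCrdName)`, or drop them now that `main.go` already logs the name once at startup. In `getAllConstraintKinds` the log call is also inserted between `ServerResourcesForGroupVersion` and its `err` check, which reads oddly; place it before the call. `ensureCRDExists` is fully visible, but `audit` and `getAllConstraintKinds` continue outside their hunks.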
@@ -785,6 +790,7 @@ func (am *Manager) getAllConstraintKinds() ([]schema.GroupVersionKind, error) { return nil, err } l, err := discoveryClient.ServerResourcesForGroupVersion(constraintsGV) + log.Info("Getting all constraints", "gv", constraintsGV) if err != nil { return nil, err } diff --git a/pkg/controller/constrainttemplate/constrainttemplate_controller.go b/pkg/controller/constrainttemplate/constrainttemplate_controller.go index e6ef7571f..d7895e39c 100644 --- a/pkg/controller/constrainttemplate/constrainttemplate_controller.go +++ b/pkg/controller/constrainttemplate/constrainttemplate_controller.go @@ -19,6 +19,7 @@ import ( "context" "errors" "fmt" + "os" "reflect" "time" @@ -81,9 +82,21 @@ type Adder struct { GetPod func(context.Context) (*corev1.Pod, error) } +var ConstraintTemplateCrdName string = getGroupFromEnvVars() + +func getGroupFromEnvVars() string { + value, exists := os.LookupEnv("CONSTRAINT_TEMPLATE_GROUP_NAME") + if exists { + return value + } + + return "constrainttemplates.templates.gatekeeper.sh" +} + // Add creates a new ConstraintTemplate Controller and adds it to the Manager with default RBAC. The Manager will set fields on the Controller // and Start it when the Manager is Started. func (a *Adder) Add(mgr manager.Manager) error { + logger.Info("Adding manager for constraint template.", ConstraintTemplateCrdName) if !operations.HasValidationOperations() { return nil } @@ -746,8 +759,9 @@ func logError(name string) { } func makeGvk(kind string) schema.GroupVersionKind { + logger.Info("Making GVK for constraint group", "constraint-gropup", statusv1beta1.ConstraintsGroup) return schema.GroupVersionKind{ - Group: "constraints.gatekeeper.sh", + Group: statusv1beta1.ConstraintsGroup, Version: "v1beta1", Kind: kind, } diff --git a/pkg/controller/constrainttemplate/constrainttemplate_controller_test.go b/pkg/controller/constrainttemplate/constrainttemplate_controller_test.go index 4c196ba59..18fe0c023 100644 
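Review bot: `logger.Info("Adding manager for constraint template.", ConstraintTemplateCrdName)` in `Add` passes an odd number of key/value arguments, so logr treats the CRD name as a key with a missing value (and some sinks emit an error marker) instead of logging it as a value; write it as `logger.Info("Adding manager for constraint template.", "crd-name", ConstraintTemplateCrdName)`. The new `ConstraintTemplateCrdName` is read from `CONSTRAINT_TEMPLATE_GROUP_NAME`, a name that suggests an API group while the value is a full CRD name, and it is accepted without any format check, so a malformed value only surfaces later as a failing `Get` in the audit and upgrade managers; at minimum document the contract above the variable, `// ConstraintTemplateCrdName is the full CRD name (plural.group) that must exist before audit/upgrade run; overridable via CONSTRAINT_TEMPLATE_GROUP_NAME.` The `makeGvk` hunk adds an Info log with the misspelled key `constraint-gropup` on every call; remove it or lower it to `logger.V(1)` with the key fixed. `Add` and `makeGvk` continue outside their hunks.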
--- a/pkg/controller/constrainttemplate/constrainttemplate_controller_test.go +++ b/pkg/controller/constrainttemplate/constrainttemplate_controller_test.go @@ -741,7 +741,7 @@ violation[{"msg": "denied!"}] { t.Cleanup(testutils.DeleteObject(t, c, instance)) gvk := schema.GroupVersionKind{ - Group: "constraints.gatekeeper.sh", + Group: statusv1beta1.ConstraintsGroup, Version: "v1beta1", Kind: DenyAll, } diff --git a/pkg/controller/constrainttemplatestatus/constrainttemplatestatus_controller.go b/pkg/controller/constrainttemplatestatus/constrainttemplatestatus_controller.go index c1d44bf19..b6d066d9f 100644 --- a/pkg/controller/constrainttemplatestatus/constrainttemplatestatus_controller.go +++ b/pkg/controller/constrainttemplatestatus/constrainttemplatestatus_controller.go @@ -152,6 +152,7 @@ func (r *ReconcileConstraintStatus) Reconcile(ctx context.Context, request recon } template := &unstructured.Unstructured{} gv := constrainttemplatev1beta1.SchemeGroupVersion + r.log.Info("reconcile gv", "gv", gv.Group) template.SetGroupVersionKind(gv.WithKind("ConstraintTemplate")) if err := r.reader.Get(ctx, request.NamespacedName, template); err != nil { // If the template does not exist, we are done diff --git a/pkg/controller/externaldata/externaldata_controller.go b/pkg/controller/externaldata/externaldata_controller.go index efe59ec39..bdefe4c4e 100644 --- a/pkg/controller/externaldata/externaldata_controller.go +++ b/pkg/controller/externaldata/externaldata_controller.go @@ -26,9 +26,9 @@ import ( ) var ( - log = logf.Log.WithName("controller").WithValues(logging.Process, "externaldata_controller") - - gvkExternalData = schema.GroupVersionKind{ + log = logf.Log.WithName("controller").WithValues(logging.Process, "externaldata_controller") + ExternalDataGroupName = "externaldata.gatekeeper.sh" + gvkExternalData = schema.GroupVersionKind{ Group: "externaldata.gatekeeper.sh", Version: "v1beta1", Kind: "Provider", 
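Review bot: `ExternalDataGroupName` is introduced in the `var` block of externaldata_controller.go but `gvkExternalData` directly below it still carries the literal `"externaldata.gatekeeper.sh"`, so the two diverge the moment anyone changes the exported variable; make the GVK use it, `Group: ExternalDataGroupName,`. Unlike the other group names this commit introduces, this one is a fixed literal rather than env-derived, yet pkg/upgrade and pkg/webhook now consume it as if it were the single source of truth — if configurability is intended it needs the same treatment, and if not a one-line comment saying the group is intentionally fixed would stop the next reader from assuming otherwise. The `r.log.Info("reconcile gv", "gv", gv.Group)` added to `Reconcile` in constrainttemplatestatus_controller.go logs a constant on every reconcile at default verbosity; drop it or use `r.log.V(1)`. `Reconcile` continues outside its hunk.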
diff --git a/pkg/gator/reader/read_constraints.go b/pkg/gator/reader/read_constraints.go index 09623dbc6..7c144c853 100644 --- a/pkg/gator/reader/read_constraints.go +++ b/pkg/gator/reader/read_constraints.go @@ -10,6 +10,7 @@ import ( templatesv1 "github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1" "github.com/open-policy-agent/frameworks/constraint/pkg/core/templates" + "github.com/open-policy-agent/gatekeeper/v3/apis/status/v1beta1" "github.com/open-policy-agent/gatekeeper/v3/pkg/gator" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" @@ -170,7 +171,7 @@ func ReadConstraint(f fs.FS, path string) (*unstructured.Unstructured, error) { } gvk := u.GroupVersionKind() - if gvk.Group != "constraints.gatekeeper.sh" { + if gvk.Group != v1beta1.ConstraintsGroup { return nil, gator.ErrNotAConstraint } diff --git a/pkg/gator/test/test.go b/pkg/gator/test/test.go index d09aafcb6..3ecbd64c7 100644 --- a/pkg/gator/test/test.go +++ b/pkg/gator/test/test.go @@ -9,6 +9,7 @@ import ( constraintclient "github.com/open-policy-agent/frameworks/constraint/pkg/client" "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/k8scel" "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego" + statusv1beta1 "github.com/open-policy-agent/gatekeeper/v3/apis/status/v1beta1" "github.com/open-policy-agent/gatekeeper/v3/pkg/expansion" "github.com/open-policy-agent/gatekeeper/v3/pkg/gator/expand" "github.com/open-policy-agent/gatekeeper/v3/pkg/gator/reader" @@ -180,7 +181,7 @@ func isTemplate(u *unstructured.Unstructured) bool { func isConstraint(u *unstructured.Unstructured) bool { gvk := u.GroupVersionKind() - return gvk.Group == "constraints.gatekeeper.sh" + return gvk.Group == statusv1beta1.ConstraintsGroup } func makeRegoDriver(tOpts Opts) (*rego.Driver, error) { diff --git a/pkg/readiness/ready_tracker.go b/pkg/readiness/ready_tracker.go index 94c86cade..5cb13a03b 100644 
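Review bot: read_constraints.go imports `…/apis/status/v1beta1` unaliased as `v1beta1`, which in a package that already pulls in several versioned API packages (`templatesv1` on the line above) is easy to confuse with other `v1beta1` packages; alias it the way the sibling change in pkg/gator/test/test.go does, `statusv1beta1 "github.com/open-policy-agent/gatekeeper/v3/apis/status/v1beta1"` and `if gvk.Group != statusv1beta1.ConstraintsGroup {`. The same unaliased import is added to pkg/audit/manager.go and pkg/webhook/common.go elsewhere in this diff and would benefit from the same alias. `ReadConstraint` continues outside the hunk.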
--- a/pkg/readiness/ready_tracker.go +++ b/pkg/readiness/ready_tracker.go @@ -29,6 +29,7 @@ import ( expansionv1alpha1 "github.com/open-policy-agent/gatekeeper/v3/apis/expansion/v1alpha1" mutationv1 "github.com/open-policy-agent/gatekeeper/v3/apis/mutations/v1" mutationsv1alpha1 "github.com/open-policy-agent/gatekeeper/v3/apis/mutations/v1alpha1" + statusv1beta1 "github.com/open-policy-agent/gatekeeper/v3/apis/status/v1beta1" syncsetv1alpha1 "github.com/open-policy-agent/gatekeeper/v3/apis/syncset/v1alpha1" "github.com/open-policy-agent/gatekeeper/v3/pkg/keys" "github.com/open-policy-agent/gatekeeper/v3/pkg/logging" @@ -45,10 +46,10 @@ import ( ) var log = logf.Log.WithName("readiness-tracker") +var constraintGroup = statusv1beta1.ConstraintsGroup const ( - constraintGroup = "constraints.gatekeeper.sh" - statsPeriod = 1 * time.Second + statsPeriod = 1 * time.Second ) // Lister lists resources from a cache. diff --git a/pkg/upgrade/manager.go b/pkg/upgrade/manager.go index 6b4f1eccf..5313875d3 100644 --- a/pkg/upgrade/manager.go +++ b/pkg/upgrade/manager.go @@ -8,6 +8,11 @@ import ( "strings" "time" + "github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates" + "github.com/open-policy-agent/gatekeeper/v3/apis/mutations" + "github.com/open-policy-agent/gatekeeper/v3/apis/status" + "github.com/open-policy-agent/gatekeeper/v3/pkg/controller/constrainttemplate" + "github.com/open-policy-agent/gatekeeper/v3/pkg/controller/externaldata" "github.com/open-policy-agent/gatekeeper/v3/pkg/util" apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" "k8s.io/apimachinery/pkg/api/errors" 
@@ -24,8 +29,12 @@ import ( var log = logf.Log.WithName("controller").WithValues("metaKind", "upgrade") -const ( - crdName = "constrainttemplates.templates.gatekeeper.sh" +var ( + crdName = &constrainttemplate.ConstraintTemplateCrdName + constraintGvV1Alpha = status.ConstraintGroupName + "/v1alpha" + templateGvV1Alpha = templates.TemplateGroupName + "/v1alpha" + mutationsGvV1Alpha = mutations.MutationGroupName + "/v1alpha" + externaldataGvV1Alpha = externaldata.ExternalDataGroupName + "v1alpha" ) // Manager allows us to upgrade resources on startup. @@ -63,7 +72,7 @@ func (um *Manager) Start(ctx context.Context) error { func (um *Manager) ensureCRDExists(ctx context.Context) error { crd := &apiextensionsv1.CustomResourceDefinition{} - return um.client.Get(ctx, types.NamespacedName{Name: crdName}, crd) + return um.client.Get(ctx, types.NamespacedName{Name: *crdName}, crd) } func (um *Manager) getAllKinds(groupVersion string) (*metav1.APIResourceList, error) { @@ -76,10 +85,10 @@ func (um *Manager) getAllKinds(groupVersion string) (*metav1.APIResourceList, er func (um *Manager) upgrade(ctx context.Context) error { gvs := []string{ - "constraints.gatekeeper.sh/v1alpha1", - "templates.gatekeeper.sh/v1alpha1", - "mutations.gatekeeper.sh/v1alpha1", - "externaldata.gatekeeper.sh/v1alpha1", + constraintGvV1Alpha, + templateGvV1Alpha, + mutationsGvV1Alpha, + externaldataGvV1Alpha, } for _, gv := range gvs { if err := um.upgradeGroupVersion(ctx, gv); err != nil { @@ -98,7 +107,7 @@ func (um *Manager) upgradeGroupVersion(ctx context.Context, groupVersion string) } um.client = c if err := um.ensureCRDExists(ctx); err != nil { - log.Info("required crd has not been deployed ", "CRD", crdName) + log.Info("required crd has not been deployed ", "CRD", *crdName) return err } // get all resource kinds diff --git a/pkg/webhook/common.go b/pkg/webhook/common.go index 193c5ccc1..1a918ff45 100644 --- a/pkg/webhook/common.go +++ b/pkg/webhook/common.go 
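Review bot: `externaldataGvV1Alpha = externaldata.ExternalDataGroupName + "v1alpha"` is missing the `/` separator, and all four new group-version strings end in `v1alpha` where the literals they replace in `upgrade` ended in `v1alpha1`, so the upgrade loop now asks discovery for group/versions that are not served and will fail or silently upgrade nothing for every group. Restore the separator and the `v1alpha1` suffix in the `var` block (with the names adjusted to match, as below). Taking the address of `constrainttemplate.ConstraintTemplateCrdName` for `crdName` and dereferencing it at the two use sites is also unusual; reading the exported variable directly is simpler and removes the `*crdName` indirection. `upgrade` and `upgradeGroupVersion` continue outside their hunks.
```go
var (
	crdName = &constrainttemplate.ConstraintTemplateCrdName

	constraintGvV1Alpha1   = status.ConstraintGroupName + "/v1alpha1"
	templateGvV1Alpha1     = templates.TemplateGroupName + "/v1alpha1"
	mutationsGvV1Alpha1    = mutations.MutationGroupName + "/v1alpha1"
	externaldataGvV1Alpha1 = externaldata.ExternalDataGroupName + "/v1alpha1"
)

// … unchanged: Manager type, Start, ensureCRDExists, getAllKinds …

func (um *Manager) upgrade(ctx context.Context) error {
	gvs := []string{
		constraintGvV1Alpha1,
		templateGvV1Alpha1,
		mutationsGvV1Alpha1,
		externaldataGvV1Alpha1,
	}
	// … unchanged: loop calling upgradeGroupVersion for each gv …
```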
@@ -8,9 +8,13 @@ import ( "fmt" "strings" + templates "github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates" "github.com/open-policy-agent/gatekeeper/v3/apis" "github.com/open-policy-agent/gatekeeper/v3/apis/config/v1alpha1" + "github.com/open-policy-agent/gatekeeper/v3/apis/mutations" + "github.com/open-policy-agent/gatekeeper/v3/apis/status/v1beta1" "github.com/open-policy-agent/gatekeeper/v3/pkg/controller/config/process" + externalData "github.com/open-policy-agent/gatekeeper/v3/pkg/controller/externaldata" "github.com/open-policy-agent/gatekeeper/v3/pkg/keys" "github.com/open-policy-agent/gatekeeper/v3/pkg/util" admissionv1 "k8s.io/api/admission/v1" @@ -39,11 +43,14 @@ var log = logf.Log.WithName("webhook") const ( serviceAccountName = "gatekeeper-admin" - mutationsGroup = "mutations.gatekeeper.sh" - externalDataGroup = "externaldata.gatekeeper.sh" namespaceKind = "Namespace" ) +var ( + mutationsGroup = mutations.MutationGroupName + externalDataGroup = externalData.ExternalDataGroupName +) + var ( runtimeScheme = k8sruntime.NewScheme() codecs = serializer.NewCodecFactory(runtimeScheme) @@ -112,8 +119,8 @@ func (h *webhookHandler) getConfig(ctx context.Context) (*v1alpha1.Config, error // isGatekeeperResource returns true if the request relates to a gatekeeper resource. func (h *webhookHandler) isGatekeeperResource(req *admission.Request) bool { - if req.AdmissionRequest.Kind.Group == "templates.gatekeeper.sh" || - req.AdmissionRequest.Kind.Group == "constraints.gatekeeper.sh" || + if req.AdmissionRequest.Kind.Group == templates.TemplateGroupName || + req.AdmissionRequest.Kind.Group == v1beta1.ConstraintsGroup || req.AdmissionRequest.Kind.Group == mutationsGroup || req.AdmissionRequest.Kind.Group == "config.gatekeeper.sh" || req.AdmissionRequest.Kind.Group == externalDataGroup || diff --git a/pkg/webhook/policy.go b/pkg/webhook/policy.go index e6c36d46a..3cda03ce1 100644 --- a/pkg/webhook/policy.go +++ b/pkg/webhook/policy.go 
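Review bot: `isGatekeeperResource` still compares against the literal `"config.gatekeeper.sh"` while the neighbouring template, constraint, mutation and externaldata checks were switched to variables, and `validateGatekeeperResources` in pkg/webhook/policy.go on the next line keeps both `"expansion.gatekeeper.sh"` and `"config.gatekeeper.sh"` as literals. If those groups become configurable like the rest of this commit (and the chart's new `crdNames.configGroupName`/`expansionGroupName` values) suggest, Config and ExpansionTemplate objects under a renamed group would no longer be recognised here and would fall through to whichever branch handles non-Gatekeeper resources (outside the hunk), which is a policy-handling gap rather than a cosmetic inconsistency. Either source these two comparisons from the same variables the group-version registration uses, or add a comment stating that the config and expansion groups are intentionally fixed. Note also that `mutationsGroup` and `externalDataGroup` are now snapshot into package-level vars at init, so any later runtime override of the source variables (for example by flags parsed in main) would not be observed by this webhook.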
@@ -28,6 +28,7 @@ import ( "github.com/go-logr/logr" "github.com/open-policy-agent/cert-controller/pkg/rotator" externaldataUnversioned "github.com/open-policy-agent/frameworks/constraint/pkg/apis/externaldata/unversioned" + templatesapi "github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates" constraintclient "github.com/open-policy-agent/frameworks/constraint/pkg/client" "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers" "github.com/open-policy-agent/frameworks/constraint/pkg/core/templates" @@ -36,6 +37,7 @@ import ( "github.com/open-policy-agent/gatekeeper/v3/apis" expansionunversioned "github.com/open-policy-agent/gatekeeper/v3/apis/expansion/unversioned" mutationsunversioned "github.com/open-policy-agent/gatekeeper/v3/apis/mutations/unversioned" + statusv1beta1 "github.com/open-policy-agent/gatekeeper/v3/apis/status/v1beta1" "github.com/open-policy-agent/gatekeeper/v3/pkg/controller/config/process" "github.com/open-policy-agent/gatekeeper/v3/pkg/expansion" "github.com/open-policy-agent/gatekeeper/v3/pkg/keys" @@ -347,11 +349,11 @@ func (h *validationHandler) validateGatekeeperResources(ctx context.Context, req gvk := req.AdmissionRequest.Kind switch { - case gvk.Group == "templates.gatekeeper.sh" && gvk.Kind == "ConstraintTemplate": + case gvk.Group == templatesapi.TemplateGroupName && gvk.Kind == "ConstraintTemplate": return h.validateTemplate(ctx, req) case gvk.Group == "expansion.gatekeeper.sh" && gvk.Kind == "ExpansionTemplate": return h.validateExpansionTemplate(req) - case gvk.Group == "constraints.gatekeeper.sh": + case gvk.Group == statusv1beta1.ConstraintsGroup: return h.validateConstraint(req) case gvk.Group == "config.gatekeeper.sh" && gvk.Kind == "Config": if err := h.validateConfigResource(req); err != nil { 
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/externaldata/group.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/externaldata/group.go new file mode 100644 index 000000000..4ab133ad6 --- /dev/null +++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/externaldata/group.go @@ -0,0 +1,17 @@ +/* + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Package externaldata contains externaldata API versions +package externaldata diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/doc.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/doc.go new file mode 100644 index 000000000..331c6a840 --- /dev/null +++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/doc.go @@ -0,0 +1,17 @@ +/* + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Package templates contains templates API versions +package templates 
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/zz_generated.deepcopy.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/zz_generated.deepcopy.go new file mode 100644 index 000000000..f1958b881 --- /dev/null +++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/zz_generated.deepcopy.go @@ -0,0 +1,19 @@ +// +build !ignore_autogenerated + +/* + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +// Code generated by main. DO NOT EDIT. + +package templates diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/zz_generated.defaults.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/zz_generated.defaults.go new file mode 100644 index 000000000..b11db28c3 --- /dev/null +++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/zz_generated.defaults.go 
@@ -0,0 +1,31 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +/* + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +// Code generated by defaulter-gen. DO NOT EDIT. + +package templates + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// RegisterDefaults adds defaulters functions to the given scheme. +// Public to allow building arbitrary schemes. +// All generated defaulters are covering - they call all nested defaulters. +func RegisterDefaults(scheme *runtime.Scheme) error { + return nil +} diff --git a/vendor/google.golang.org/grpc/internal/transport/controlbuf.go b/vendor/google.golang.org/grpc/internal/transport/controlbuf.go index b330ccedc..83c382982 100644 --- a/vendor/google.golang.org/grpc/internal/transport/controlbuf.go +++ b/vendor/google.golang.org/grpc/internal/transport/controlbuf.go @@ -535,8 +535,8 @@ const minBatchSize = 1000 // size is too low to give stream goroutines a chance to fill it up. // // Upon exiting, if the error causing the exit is not an I/O error, run() -// flushes and closes the underlying connection. Otherwise, the connection is -// left open to allow the I/O error to be encountered by the reader instead. +// flushes the underlying connection. The connection is always left open to +// allow different closing behavior on the client and server. func (l *loopyWriter) run() (err error) { defer func() { if l.logger.V(logLevel) { 
@@ -544,7 +544,6 @@ func (l *loopyWriter) run() (err error) { } if !isIOError(err) { l.framer.writer.Flush() - l.conn.Close() } l.cbuf.finish() }() diff --git a/vendor/google.golang.org/grpc/internal/transport/http2_client.go b/vendor/google.golang.org/grpc/internal/transport/http2_client.go index c33ac5961..eff879964 100644 --- a/vendor/google.golang.org/grpc/internal/transport/http2_client.go +++ b/vendor/google.golang.org/grpc/internal/transport/http2_client.go @@ -451,7 +451,13 @@ func newHTTP2Client(connectCtx, ctx context.Context, addr resolver.Address, opts } go func() { t.loopy = newLoopyWriter(clientSide, t.framer, t.controlBuf, t.bdpEst, t.conn, t.logger) - t.loopy.run() + if err := t.loopy.run(); !isIOError(err) { + // Immediately close the connection, as the loopy writer returns + // when there are no more active streams and we were draining (the + // server sent a GOAWAY). For I/O errors, the reader will hit it + // after draining any remaining incoming data. + t.conn.Close() + } close(t.writerDone) }() return t, nil diff --git a/vendor/google.golang.org/grpc/internal/transport/http2_server.go b/vendor/google.golang.org/grpc/internal/transport/http2_server.go index f6bac0e8a..a206e2eef 100644 --- a/vendor/google.golang.org/grpc/internal/transport/http2_server.go +++ b/vendor/google.golang.org/grpc/internal/transport/http2_server.go 
@@ -322,8 +322,24 @@ func NewServerTransport(conn net.Conn, config *ServerConfig) (_ ServerTransport, go func() { t.loopy = newLoopyWriter(serverSide, t.framer, t.controlBuf, t.bdpEst, t.conn, t.logger) t.loopy.ssGoAwayHandler = t.outgoingGoAwayHandler - t.loopy.run() + err := t.loopy.run() close(t.loopyWriterDone) + if !isIOError(err) { + // Close the connection if a non-I/O error occurs (for I/O errors + // the reader will also encounter the error and close). Wait 1 + // second before closing the connection, or when the reader is done + // (i.e. the client already closed the connection or a connection + // error occurred). This avoids the potential problem where there + // is unread data on the receive side of the connection, which, if + // closed, would lead to a TCP RST instead of FIN, and the client + // encountering errors. For more info: + // https://github.com/grpc/grpc-go/issues/5358 + select { + case <-t.readerDone: + case <-time.After(time.Second): + } + t.conn.Close() + } }() go t.keepalive() return t, nil @@ -609,8 +625,8 @@ func (t *http2Server) operateHeaders(ctx context.Context, frame *http2.MetaHeade // traceCtx attaches trace to ctx and returns the new context. func (t *http2Server) HandleStreams(ctx context.Context, handle func(*Stream)) { defer func() { - <-t.loopyWriterDone close(t.readerDone) + <-t.loopyWriterDone }() for { t.controlBuf.throttle() @@ -1329,6 +1345,7 @@ func (t *http2Server) outgoingGoAwayHandler(g *goAway) (bool, error) { if err := t.framer.fr.WriteGoAway(sid, g.code, g.debugData); err != nil { return false, err } + t.framer.writer.Flush() if retErr != nil { return false, retErr } @@ -1349,7 +1366,7 @@ func (t *http2Server) outgoingGoAwayHandler(g *goAway) (bool, error) { return false, err } go func() { - timer := time.NewTimer(time.Minute) + timer := time.NewTimer(5 * time.Second) defer timer.Stop() select { case <-t.drainEvent.Done(): 
diff --git a/vendor/google.golang.org/grpc/version.go b/vendor/google.golang.org/grpc/version.go index 1ad1ba2ad..f1aec4c0a 100644 --- a/vendor/google.golang.org/grpc/version.go +++ b/vendor/google.golang.org/grpc/version.go @@ -19,4 +19,4 @@ package grpc // Version is the current grpc version. -const Version = "1.61.0" +const Version = "1.61.1" diff --git a/vendor/modules.txt b/vendor/modules.txt index 6936de026..e201c5e9f 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -418,9 +418,11 @@ github.com/open-policy-agent/cert-controller/pkg/rotator github.com/open-policy-agent/frameworks/constraint/deploy github.com/open-policy-agent/frameworks/constraint/pkg/apis github.com/open-policy-agent/frameworks/constraint/pkg/apis/constraints +github.com/open-policy-agent/frameworks/constraint/pkg/apis/externaldata github.com/open-policy-agent/frameworks/constraint/pkg/apis/externaldata/unversioned github.com/open-policy-agent/frameworks/constraint/pkg/apis/externaldata/v1alpha1 github.com/open-policy-agent/frameworks/constraint/pkg/apis/externaldata/v1beta1 +github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1 github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1 github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1 @@ -858,7 +860,7 @@ google.golang.org/genproto/googleapis/api/monitoredres google.golang.org/genproto/googleapis/rpc/code google.golang.org/genproto/googleapis/rpc/errdetails google.golang.org/genproto/googleapis/rpc/status -# google.golang.org/grpc v1.61.0 +# google.golang.org/grpc v1.61.1 ## explicit; go 1.19 google.golang.org/grpc google.golang.org/grpc/attributes