
Commit 62f8921

chore: Prepare v3.21.0-beta.0 release (#4068)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: JaydipGabani <[email protected]>
1 parent 8acfa71 commit 62f8921


59 files changed

+6251
-81
lines changed

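--- a/Makefile
+++ b/Makefile
@@ -22,7 +22,7 @@ LOG_LEVEL ?= "INFO"
 GENERATE_VAP ?= false
 GENERATE_VAPBINDING ?= false
 
-VERSION := v3.20.0-beta.0
+VERSION := v3.21.0-beta.0
 
 KIND_VERSION ?= 0.27.0
 KIND_CLUSTER_FILE ?= ""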

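--- a/charts/gatekeeper/Chart.yaml
+++ b/charts/gatekeeper/Chart.yaml
@@ -4,8 +4,8 @@ name: gatekeeper
 icon: https://open-policy-agent.github.io/gatekeeper/website/img/logo.svg
 keywords:
 - open policy agent
-version: 3.20.0-beta.0
+version: 3.21.0-beta.0
 home: https://github.com/open-policy-agent/gatekeeper
 sources:
 - https://github.com/open-policy-agent/gatekeeper.git
-appVersion: v3.20.0-beta.0
+appVersion: v3.21.0-beta.0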

charts/gatekeeper/README.md

Lines changed: 24 additions & 9 deletions
Lines changed: 99 additions & 0 deletions
@@ -0,0 +1,99 @@
1+
---
2+
apiVersion: apiextensions.k8s.io/v1
3+
kind: CustomResourceDefinition
4+
metadata:
5+
annotations:
6+
controller-gen.kubebuilder.io/version: v0.14.0
7+
labels:
8+
gatekeeper.sh/system: "yes"
9+
name: connections.connection.gatekeeper.sh
10+
spec:
11+
group: connection.gatekeeper.sh
12+
names:
13+
kind: Connection
14+
listKind: ConnectionList
15+
plural: connections
16+
singular: connection
17+
preserveUnknownFields: false
18+
scope: Namespaced
19+
versions:
20+
- name: v1alpha1
21+
schema:
22+
openAPIV3Schema:
23+
description: Connection is the Schema for the connections API
24+
properties:
25+
apiVersion:
26+
description: |-
27+
APIVersion defines the versioned schema of this representation of an object.
28+
Servers should convert recognized schemas to the latest internal value, and
29+
may reject unrecognized values.
30+
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
31+
type: string
32+
kind:
33+
description: |-
34+
Kind is a string value representing the REST resource this object represents.
35+
Servers may infer this from the endpoint the client submits requests to.
36+
Cannot be updated.
37+
In CamelCase.
38+
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
39+
type: string
40+
metadata:
41+
type: object
42+
spec:
43+
description: ConnectionSpec defines the desired state of Connection
44+
properties:
45+
config:
46+
x-kubernetes-preserve-unknown-fields: true
47+
driver:
48+
description: Driver is the name of one of the expected drivers i.e. dapr, disk
49+
type: string
50+
required:
51+
- config
52+
- driver
53+
type: object
54+
status:
55+
description: ConnectionStatus defines the observed state of Connection
56+
properties:
57+
byPod:
58+
items:
59+
description: ConnectionPodStatusStatus defines the observed state of ConnectionPodStatus
60+
properties:
61+
active:
62+
description: Indicator for alive connection with at least one successful publish
63+
type: boolean
64+
connectionUID:
65+
description: |-
66+
UID is a type that holds unique ID values, including UUIDs. Because we
67+
don't ONLY use UUIDs, this is an alias to string. Being a type captures
68+
intent and helps make sure that UIDs and names do not get conflated.
69+
type: string
70+
errors:
71+
items:
72+
properties:
73+
message:
74+
type: string
75+
type:
76+
type: string
77+
required:
78+
- message
79+
- type
80+
type: object
81+
type: array
82+
id:
83+
description: ID is the unique identifier for the pod that wrote the status
84+
type: string
85+
observedGeneration:
86+
format: int64
87+
type: integer
88+
operations:
89+
items:
90+
type: string
91+
type: array
92+
type: object
93+
type: array
94+
type: object
95+
type: object
96+
served: true
97+
storage: true
98+
subresources:
99+
status: {}
Lines changed: 79 additions & 0 deletions
@@ -0,0 +1,79 @@
1+
---
2+
apiVersion: apiextensions.k8s.io/v1
3+
kind: CustomResourceDefinition
4+
metadata:
5+
annotations:
6+
controller-gen.kubebuilder.io/version: v0.14.0
7+
labels:
8+
gatekeeper.sh/system: "yes"
9+
name: connectionpodstatuses.status.gatekeeper.sh
10+
spec:
11+
group: status.gatekeeper.sh
12+
names:
13+
kind: ConnectionPodStatus
14+
listKind: ConnectionPodStatusList
15+
plural: connectionpodstatuses
16+
singular: connectionpodstatus
17+
preserveUnknownFields: false
18+
scope: Namespaced
19+
versions:
20+
- name: v1alpha1
21+
schema:
22+
openAPIV3Schema:
23+
description: ConnectionPodStatus is the Schema for the connectionpodstatuses API
24+
properties:
25+
apiVersion:
26+
description: |-
27+
APIVersion defines the versioned schema of this representation of an object.
28+
Servers should convert recognized schemas to the latest internal value, and
29+
may reject unrecognized values.
30+
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
31+
type: string
32+
kind:
33+
description: |-
34+
Kind is a string value representing the REST resource this object represents.
35+
Servers may infer this from the endpoint the client submits requests to.
36+
Cannot be updated.
37+
In CamelCase.
38+
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
39+
type: string
40+
metadata:
41+
type: object
42+
status:
43+
description: No spec field is defined here, as this is a status-only resource.
44+
properties:
45+
active:
46+
description: Indicator for alive connection with at least one successful publish
47+
type: boolean
48+
connectionUID:
49+
description: |-
50+
UID is a type that holds unique ID values, including UUIDs. Because we
51+
don't ONLY use UUIDs, this is an alias to string. Being a type captures
52+
intent and helps make sure that UIDs and names do not get conflated.
53+
type: string
54+
errors:
55+
items:
56+
properties:
57+
message:
58+
type: string
59+
type:
60+
type: string
61+
required:
62+
- message
63+
- type
64+
type: object
65+
type: array
66+
id:
67+
description: ID is the unique identifier for the pod that wrote the status
68+
type: string
69+
observedGeneration:
70+
format: int64
71+
type: integer
72+
operations:
73+
items:
74+
type: string
75+
type: array
76+
type: object
77+
type: object
78+
served: true
79+
storage: true

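--- a/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml
+++ b/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml
@@ -68,9 +68,16 @@ spec:
 {{ if hasKey .Values "emitAuditEvents" }}- --emit-audit-events={{ .Values.emitAuditEvents }}{{- end }}
 {{ if hasKey .Values "logStatsAudit" }}- --log-stats-audit={{ .Values.logStatsAudit }}{{- end }}
 - --audit-events-involved-namespace={{ .Values.auditEventsInvolvedNamespace }}
+
+{{- if not .Values.audit.disableGenerateOperation }}
+- --operation=generate
+{{- end }}
+{{- if not .Values.audit.disableAuditOperation }}
 - --operation=audit
+{{- end }}
+{{- if not .Values.audit.disableStatusOperation }}
 - --operation=status
-- --operation=generate
+{{- end }}
 {{ if hasKey .Values "enableViolationExport" }}
 - --enable-violation-export={{ .Values.enableViolationExport }}
 {{- end }}
@@ -105,7 +112,8 @@ spec:
 {{- if hasKey .Values "defaultCreateVAPBindingForConstraints"}}
 - --default-create-vap-binding-for-constraints={{ .Values.defaultCreateVAPBindingForConstraints }}
 {{- end }}
-{{ if hasKey .Values "defaultWaitForVAPBGeneration"}}
+
+{{- if hasKey .Values "defaultWaitForVAPBGeneration"}}
 - --default-wait-for-vapb-generation={{ .Values.defaultWaitForVAPBGeneration }}
 {{- end }}
 command:
@@ -162,6 +170,13 @@ spec:
 readOnly: true
 - mountPath: /tmp/audit
 name: tmp-volume
+{{- if and (.Values.enableViolationExport) (eq (.Values.exportBackend | default "" | lower) "disk") }}
+- mountPath: {{ .Values.audit.exportVolumeMount.path }}
+name: {{ .Values.audit.exportVolume.name }}
+{{- end }}
+{{ if and (.Values.enableViolationExport) (eq (.Values.exportBackend | default "" | lower) "disk") }}
+- {{ toYaml .Values.audit.exportSidecar | nindent 8 }}
+{{- end }}
 dnsPolicy: {{ .Values.audit.dnsPolicy }}
 hostNetwork: {{ .Values.audit.hostNetwork }}
 imagePullSecrets:
@@ -182,6 +197,9 @@ spec:
 secret:
 defaultMode: 420
 secretName: gatekeeper-webhook-server-cert
+{{- if and (.Values.enableViolationExport) (eq (.Values.exportBackend | default "" | lower) "disk") }}
+- {{- toYaml .Values.audit.exportVolume | nindent 8 }}
+{{- end }}
 {{- if .Values.audit.writeToRAMDisk }}
 - emptyDir:
 medium: Memory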
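Review bot: The export sidecar at `- {{ toYaml .Values.audit.exportSidecar | nindent 8 }}` (hunk at old line 162) splices a complete container spec from values into the audit pod verbatim, so nothing in the chart guarantees it carries a `securityContext`, `resources` or read-only root filesystem matching whatever hardening the main container has; a container-level securityContext is not inherited from sibling containers. Worth documenting in values.yaml that `audit.exportSidecar` must supply its own hardening, or rendering a default securityContext around it rather than passing the map through unchanged. The disk-backend predicate `and (.Values.enableViolationExport) (eq (.Values.exportBackend | default "" | lower) "disk")` is repeated three times in this file and again in the new Connection template; a named helper such as `{{- define "gatekeeper.exportToDisk" -}}` would keep the four sites from drifting. The enclosing container and volume lists start and end outside these hunks.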
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
---
2+
{{- if and (.Values.enableViolationExport) (eq (.Values.exportBackend | default "" | lower) "disk") }}
3+
apiVersion: connection.gatekeeper.sh/v1alpha1
4+
kind: Connection
5+
metadata:
6+
name: '{{ .Values.audit.connection }}'
7+
namespace: '{{ .Release.Namespace }}'
8+
spec:
9+
driver: '{{ .Values.exportBackend }}'
10+
config:
11+
path: "{{ .Values.audit.exportConnection.path }}"
12+
maxAuditResults: {{ .Values.audit.exportConnection.maxAuditResults }}
13+
{{- end }}
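Review bot: The guard on line 2 lower-cases `exportBackend` before comparing it with `"disk"`, but `driver: '{{ .Values.exportBackend }}'` passes the raw value through, so a value of `Disk` renders the Connection while handing the driver an unnormalized name; whether the driver lookup is case-insensitive is not visible here. Either `driver: '{{ .Values.exportBackend | lower }}'` or dropping `lower` from the guard keeps the two consistent. `maxAuditResults: {{ .Values.audit.exportConnection.maxAuditResults }}` is unquoted and sits under `config`, which the Connection CRD marks `x-kubernetes-preserve-unknown-fields`, so an unset value renders as `null` and is accepted by the API server rather than rejected; wrapping it in `required` or documenting a default in values.yaml would surface the omission at install time. This section's file path is not shown on the page.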

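--- a/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml
+++ b/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml
@@ -69,7 +69,13 @@ spec:
 - --admission-events-involved-namespace={{ .Values.admissionEventsInvolvedNamespace }}
 - --log-level={{ (.Values.controllerManager.logLevel | empty | not) | ternary .Values.controllerManager.logLevel .Values.logLevel }}
 - --exempt-namespace={{ .Release.Namespace }}
+
+{{- if not .Values.controllerManager.disableWebhookOperation }}
 - --operation=webhook
+{{- end }}
+{{- if not .Values.controllerManager.disableGenerateOperation }}
+- --operation=generate
+{{- end }}
 - --enable-external-data={{ .Values.enableExternalData }}
 - --enable-generator-resource-expansion={{ .Values.enableGeneratorResourceExpansion }}
 - --log-mutations={{ .Values.logMutations }}
@@ -116,6 +122,10 @@ spec:
 {{- if hasKey .Values "defaultCreateVAPBindingForConstraints"}}
 - --default-create-vap-binding-for-constraints={{ .Values.defaultCreateVAPBindingForConstraints }}
 {{- end }}
+
+{{- if hasKey .Values "defaultWaitForVAPBGeneration"}}
+- --default-wait-for-vapb-generation={{ .Values.defaultWaitForVAPBGeneration }}
+{{- end }}
 command:
 - /manager
 env: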
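Review bot: With both `controllerManager.disableWebhookOperation` and `controllerManager.disableGenerateOperation` set, the hunk at old line 69 emits no `--operation` flag at all; what the manager does with an empty operation set is decided by the binary, not visible here, and the misconfiguration renders without complaint. A render-time guard such as `{{- if and .Values.controllerManager.disableWebhookOperation .Values.controllerManager.disableGenerateOperation }}{{ fail "controllerManager: at least one operation must remain enabled" }}{{- end }}` makes it explicit, and the two new keys deserve a values.yaml comment stating that an absent key leaves the operation enabled (since `not` of a missing key is true). The audit deployment introduces the same pattern with three `audit.disable*Operation` keys and could use the same guard. The args list continues outside the hunk.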

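--- a/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml
+++ b/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml
@@ -95,6 +95,18 @@ rules:
 - get
 - patch
 - update
+- apiGroups:
+- connection.gatekeeper.sh
+resources:
+- '*'
+verbs:
+- create
+- delete
+- get
+- list
+- patch
+- update
+- watch
 - apiGroups:
 - constraints.gatekeeper.sh
 resources:
@@ -177,6 +189,12 @@ rules:
 - patch
 - update
 - watch
+- apiGroups:
+- templates.gatekeeper.sh
+resources:
+- constrainttemplates/finalizers
+verbs:
+- update
 - apiGroups:
 - templates.gatekeeper.sh
 resources: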
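Review bot: The new rule for `connection.gatekeeper.sh` (hunk at old line 95) grants `'*'` resources with create, delete, patch and update, while the CRDs in this commit define only `connections` (with a status subresource) in that group; a wildcard keeps widening the controller's rights to any resource later added to the group. Listing `- connections` and `- connections/status` (the latter only if the controller writes status — presumably, given the `byPod` status schema, but confirm) keeps the grant at least privilege and matches how the second hunk scopes `constrainttemplates/finalizers` narrowly to `update`. The surrounding rules list starts and ends outside these hunks.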

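--- a/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
+++ b/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
@@ -62,23 +62,12 @@ webhooks:
 operations:
 - CREATE
 - UPDATE
-resources:
+resources:
 - '*'
-- pods/ephemeralcontainers
-- pods/exec
-- pods/log
-- pods/eviction
-- pods/portforward
-- pods/proxy
-- pods/attach
-- pods/binding
-- deployments/scale
-- replicasets/scale
-- statefulsets/scale
-- replicationcontrollers/scale
-- services/proxy
-- nodes/proxy
-- services/status
+{{- range .Values.mutatingWebhookSubResources }}
+- {{ . }}
+{{- end }}
+scope: '{{ .Values.mutatingWebhookScope }}'
 {{- end }}
 sideEffects: None
 timeoutSeconds: {{ .Values.mutatingWebhookTimeoutSeconds }}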
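Review bot: Replacing the fixed fifteen subresource entries with `{{- range .Values.mutatingWebhookSubResources }}` makes the mutating webhook's coverage of `pods/exec`, `pods/ephemeralcontainers`, the `*/scale` subresources and the rest depend on a value whose default is not in this section; an empty or missing list renders without error and silently narrows what the webhook intercepts. Please confirm values.yaml defaults `mutatingWebhookSubResources` to exactly the entries removed here and carries a comment such as `# Subresources the mutating webhook intercepts; removing entries reduces mutation coverage.`, and consider a `required` or `fail` on an empty list so the regression is caught at render time. `scope: '{{ .Values.mutatingWebhookScope }}'` appears to be new to this rule as well, so its default deserves the same check. The webhook rule starts above the hunk.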
