bianchi2CopilotJaydipGabani
authored
feat: Make automount service account token and deployment annotations configurable, add extra volumes and volumeMounts (#4124)
Signed-off-by: Yevhen Ivantsov <[email protected]> Signed-off-by: yivan-atl <[email protected]> Signed-off-by: Jaydip Gabani <[email protected]> Co-authored-by: Copilot <[email protected]> Co-authored-by: Jaydip Gabani <[email protected]>
1 parent 4ecfddd commit 4e5d6ea


11 files changed

+104
-2
lines changed


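--- a/cmd/build/helmify/kustomize-for-helm.yaml
+++ b/cmd/build/helmify/kustomize-for-helm.yaml
@@ -62,6 +62,8 @@ metadata:
 namespace: gatekeeper-system
 labels:
 HELMSUBST_DEPLOYMENT_LABELS: ""
+annotations:
+HELMSUBST_DEPLOYMENT_ANNOTATIONS: ""
 spec:
 replicas: HELMSUBST_DEPLOYMENT_REPLICAS
 revisionHistoryLimit: HELMSUBST_DEPLOYMENT_REVISION_HISTORY_LIMIT
@@ -73,6 +75,7 @@ spec:
 annotations:
 HELMSUBST_ANNOTATIONS: ""
 spec:
+automountServiceAccountToken: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_SERVICE_ACCOUNT_AUTOMOUNT_TOKEN
 containers:
 - name: manager
 args:
@@ -159,6 +162,8 @@ metadata:
 namespace: gatekeeper-system
 labels:
 HELMSUBST_DEPLOYMENT_LABELS: ""
+annotations:
+HELMSUBST_DEPLOYMENT_ANNOTATIONS: ""
 spec:
 revisionHistoryLimit: HELMSUBST_DEPLOYMENT_REVISION_HISTORY_LIMIT
 template:
@@ -167,6 +172,7 @@ spec:
 HELMSUBST_ANNOTATIONS: ""
 HELMSUBST_AUDIT_POD_ANNOTATIONS: ""
 spec:
+automountServiceAccountToken: HELMSUBST_DEPLOYMENT_AUDIT_SERVICE_ACCOUNT_AUTOMOUNT_TOKEN
 containers:
 - name: manager
 args: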

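--- a/cmd/build/helmify/main.go
+++ b/cmd/build/helmify/main.go
@@ -135,14 +135,22 @@ func (ks *kindSet) Write() error {
 if name == "gatekeeper-controller-manager" && kind == DeploymentKind {
 obj = strings.Replace(obj, " labels:", " labels:\n {{- include \"gatekeeper.podLabels\" . | nindent 8 }}\n {{- include \"controllerManager.podLabels\" . | nindent 8 }}\n {{- include \"gatekeeper.commonLabels\" . | nindent 8 }}", 1)
 obj = strings.Replace(obj, " priorityClassName: system-cluster-critical", " {{- if .Values.controllerManager.priorityClassName }}\n priorityClassName: {{ .Values.controllerManager.priorityClassName }}\n {{- end }}", 1)
+// Inject extra volume mounts at the start of the volumeMounts section for stability
+obj = strings.Replace(obj, " volumeMounts:", " volumeMounts:\n {{- include \"gatekeeper.extraVolumeMounts\" . | nindent 8 }}", 1)
+// Inject extra volumes at the start of the volumes section for stability
+obj = strings.Replace(obj, " volumes:", " volumes:\n {{- include \"gatekeeper.extraVolumes\" . | nindent 6 }}", 1)
 }
 
 if name == "gatekeeper-audit" && kind == DeploymentKind {
 obj = "{{- if not .Values.disableAudit }}\n" + obj + "{{- end }}\n"
 obj = strings.Replace(obj, " labels:", " labels:\n {{- include \"gatekeeper.podLabels\" . | nindent 8 }}\n {{- include \"audit.podLabels\" . | nindent 8 }}\n {{- include \"gatekeeper.commonLabels\" . | nindent 8 }}", 1)
 obj = strings.Replace(obj, " priorityClassName: system-cluster-critical", " {{- if .Values.audit.priorityClassName }}\n priorityClassName: {{ .Values.audit.priorityClassName }}\n {{- end }}", 1)
+// Inject export-related volume mount and possible export sidecar
 obj = strings.Replace(obj, " name: tmp-volume", " name: tmp-volume\n {{- if and (.Values.enableViolationExport) (eq (.Values.exportBackend | default \"\" | lower) \"disk\") }}\n - mountPath: {{ .Values.audit.exportVolumeMount.path }}\n name: {{ .Values.audit.exportVolume.name }}\n {{- end }}\n {{ if and (.Values.enableViolationExport) (eq (.Values.exportBackend | default \"\" | lower) \"disk\") }}\n - {{ toYaml .Values.audit.exportSidecar | nindent 8 }}\n {{- end }}", 1)
 obj = strings.Replace(obj, " - emptyDir: {}", " {{- if and (.Values.enableViolationExport) (eq (.Values.exportBackend | default \"\" | lower) \"disk\") }}\n - {{- toYaml .Values.audit.exportVolume | nindent 8 }}\n {{- end }}\n {{- if .Values.audit.writeToRAMDisk }}\n - emptyDir:\n medium: Memory\n {{ else }}\n - emptyDir: {}\n {{- end }}", 1)
+// Inject extra mounts/volumes at the headers for stability
+obj = strings.Replace(obj, " volumeMounts:", " volumeMounts:\n {{- include \"gatekeeper.extraVolumeMounts\" . | nindent 8 }}", 1)
+obj = strings.Replace(obj, " volumes:", " volumes:\n {{- include \"gatekeeper.extraVolumes\" . | nindent 6 }}", 1)
 }
 
 if name == "gatekeeper-manager-role" && kind == "Role" {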
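Review bot: The four new `strings.Replace(..., 1)` calls silently do nothing when their anchor (`" volumeMounts:"` / `" volumes:"`, with that exact leading whitespace) is absent from the kustomize output, so a future re-indent of kustomize-for-helm.yaml would drop extraVolumes/extraVolumeMounts from the generated chart with no build error; this rendering hides leading whitespace, so I cannot confirm the anchors match today. Since Write already returns an error, guard each anchor before replacing, e.g. `if !strings.Contains(obj, " volumeMounts:") { return fmt.Errorf("%s: volumeMounts anchor not found", name) }` (fmt may need importing). The "for stability" comments would read better if they said what is stabilised, e.g. `// Inject at the list header so the position does not depend on which mounts follow`. Write's body starts and ends outside the hunk.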

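--- a/cmd/build/helmify/replacements.go
+++ b/cmd/build/helmify/replacements.go
@@ -29,8 +29,12 @@ var replacements = map[string]string{
 
 "HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_SERVICE_ACCOUNT_NAME": `{{ .Values.controllerManager.serviceAccount.name }}`,
 
+"HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_SERVICE_ACCOUNT_AUTOMOUNT_TOKEN": `{{ .Values.controllerManager.serviceAccount.automountServiceAccountToken }}`,
+
 "HELMSUBST_DEPLOYMENT_AUDIT_SERVICE_ACCOUNT_NAME": `{{ .Values.audit.serviceAccount.name }}`,
 
+"HELMSUBST_DEPLOYMENT_AUDIT_SERVICE_ACCOUNT_AUTOMOUNT_TOKEN": `{{ .Values.audit.serviceAccount.automountServiceAccountToken }}`,
+
 "HELMSUBST_DEPLOYMENT_AUDIT_HEALTH_PORT": `{{ .Values.audit.healthPort }}`,
 
 "HELMSUBST_DEPLOYMENT_AUDIT_METRICS_PORT": `{{ .Values.audit.metricsPort }}`,
@@ -90,6 +94,8 @@ var replacements = map[string]string{
 
 "HELMSUBST_DEPLOYMENT_REVISION_HISTORY_LIMIT": `{{ .Values.revisionHistoryLimit }}`,
 
+`HELMSUBST_DEPLOYMENT_ANNOTATIONS: ""`: `{{- include "gatekeeper.commonAnnotations" . | nindent 4 }}`,
+
 `HELMSUBST_ANNOTATIONS: ""`: `{{- if .Values.podAnnotations }}
 {{- toYaml .Values.podAnnotations | trim | nindent 8 }}
 {{- end }}`,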
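Review bot: The new `HELMSUBST_DEPLOYMENT_ANNOTATIONS: ""` entry sits directly above the existing `HELMSUBST_ANNOTATIONS: ""` entry and the two differ only in target: the former is Deployment metadata (`nindent 4`), the latter the pod template (`nindent 8`), and nothing in the map says so; a wrong indent here renders an invalid manifest rather than failing the build. Add a comment above the new entry: `// Deployment-level metadata annotations (indent 4); HELMSUBST_ANNOTATIONS below is the pod template (indent 8).` The two automount entries render an empty value when the values key is set to null, which YAML reads as unset, so it is the `true` in values.yaml rather than this map that pins the default; a short comment saying so would help. The replacements map starts and ends outside the hunk.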

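--- a/cmd/build/helmify/static/README.md
+++ b/cmd/build/helmify/static/README.md
@@ -254,6 +254,11 @@ information._
 | externalCertInjection.enabled | Enable the injection of an external certificate. This disables automatic certificate generation and rotation | `false` |
 | externalCertInjection.secretName | Name of secret for injected certificate | `gatekeeper-webhook-server-cert` |
 | externaldataProviderResponseCacheTTL | TTL for the external data provider response cache. Specify the duration in 'h', 'm', or 's' for hours, minutes, or seconds respectively. | `3m` |
+| commonAnnotations | Additional annotations added to manager and audit Deployments only | `{}` |
+| extraVolumeMounts | Extra volumeMounts injected into controller-manager and audit containers | `[]` |
+| extraVolumes | Extra volumes injected into controller-manager and audit pods | `[]` |
+| controllerManager.serviceAccount.automountServiceAccountToken | Whether to automount the service account token for controller-manager pods | `true` |
+| audit.serviceAccount.automountServiceAccountToken | Whether to automount the service account token for audit pods | `true` |
 
 ## Contributing Changes
 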

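--- a/cmd/build/helmify/static/templates/_helpers.tpl
+++ b/cmd/build/helmify/static/templates/_helpers.tpl
@@ -85,6 +85,15 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 {{- end }}
 
+{{/*
+Common annotations
+*/}}
+{{- define "gatekeeper.commonAnnotations" -}}
+{{- if .Values.commonAnnotations }}
+{{ toYaml .Values.commonAnnotations }}
+{{- end }}
+{{- end }}
+
 {{/*
 Selector labels
 */}}
@@ -142,3 +151,21 @@ Output post install webhook probe volume entry
 secret:
 secretName: {{ .Values.externalCertInjection.secretName }}
 {{- end -}}
+
+{{/*
+Extra volume mounts for audit and controller-manager pods
+*/}}
+{{- define "gatekeeper.extraVolumeMounts" -}}
+{{- if .Values.extraVolumeMounts }}
+{{- toYaml .Values.extraVolumeMounts }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Extra volume mounts for audit and controller-manager pods
+*/}}
+{{- define "gatekeeper.extraVolumes" -}}
+{{- if .Values.extraVolumes }}
+{{- toYaml .Values.extraVolumes }}
+{{- end -}}
+{{- end -}}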
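Review bot: The header comment above `gatekeeper.extraVolumes` (new line 165) is a copy of the `extraVolumeMounts` heading, `Extra volume mounts for audit and controller-manager pods`, and should read `Extra volumes for audit and controller-manager pods`. Both helpers would also benefit from a sentence saying the lists are rendered verbatim with no validation, so a hostPath or a mount shadowing the chart's own paths is passed straight through to the pod spec. Minor style: `gatekeeper.commonAnnotations` uses `{{ toYaml ... }}` where the two volume helpers use `{{- toYaml ... }}`; the `nindent` at every call site absorbs the stray newline either way, but matching the other helpers avoids a reader wondering whether the difference is deliberate.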

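--- a/cmd/build/helmify/static/values.yaml
+++ b/cmd/build/helmify/static/values.yaml
@@ -48,6 +48,9 @@ auditEventsInvolvedNamespace: false
 resourceQuota: true
 externaldataProviderResponseCacheTTL: 3m
 enableK8sNativeValidation: true
+commonAnnotations: {}
+extraVolumeMounts: []
+extraVolumes: []
 image:
 repository: openpolicyagent/gatekeeper
 crdRepository: openpolicyagent/gatekeeper-crds
@@ -171,6 +174,7 @@ enableRuntimeDefaultSeccompProfile: true
 controllerManager:
 serviceAccount:
 name: gatekeeper-admin
+automountServiceAccountToken: true
 containerName: manager
 exemptNamespaces: []
 exemptNamespacePrefixes: []
@@ -261,6 +265,7 @@ audit:
 name: tmp-violations
 serviceAccount:
 name: gatekeeper-admin
+automountServiceAccountToken: true
 containerName: manager
 hostNetwork: false
 dnsPolicy: ClusterFirst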
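Review bot: `automountServiceAccountToken: true` is the one setting in this hunk that can take the deployments down if flipped, and nothing next to it says so: the chart renders no other API credential for these pods, so as a Kubernetes controller the manager presumably reaches the API server with this token, and `false` is only safe when a token is mounted some other way. Add above both new lines: `# The manager needs API-server credentials; set false only if you also mount a token yourself,` / `# e.g. a projected serviceAccountToken volume supplied via extraVolumes/extraVolumeMounts.` The `extraVolumes`/`extraVolumeMounts` defaults likewise deserve a one-line note that they are rendered verbatim into the manager container and can mount hostPath or writable paths, which weakens the pod hardening the chart otherwise applies.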

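--- a/manifest_staging/charts/gatekeeper/README.md
+++ b/manifest_staging/charts/gatekeeper/README.md
@@ -254,6 +254,11 @@ information._
 | externalCertInjection.enabled | Enable the injection of an external certificate. This disables automatic certificate generation and rotation | `false` |
 | externalCertInjection.secretName | Name of secret for injected certificate | `gatekeeper-webhook-server-cert` |
 | externaldataProviderResponseCacheTTL | TTL for the external data provider response cache. Specify the duration in 'h', 'm', or 's' for hours, minutes, or seconds respectively. | `3m` |
+| commonAnnotations | Additional annotations added to manager and audit Deployments only | `{}` |
+| extraVolumeMounts | Extra volumeMounts injected into controller-manager and audit containers | `[]` |
+| extraVolumes | Extra volumes injected into controller-manager and audit pods | `[]` |
+| controllerManager.serviceAccount.automountServiceAccountToken | Whether to automount the service account token for controller-manager pods | `true` |
+| audit.serviceAccount.automountServiceAccountToken | Whether to automount the service account token for audit pods | `true` |
 
 ## Contributing Changes
 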

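--- a/manifest_staging/charts/gatekeeper/templates/_helpers.tpl
+++ b/manifest_staging/charts/gatekeeper/templates/_helpers.tpl
@@ -85,6 +85,15 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 {{- end }}
 
+{{/*
+Common annotations
+*/}}
+{{- define "gatekeeper.commonAnnotations" -}}
+{{- if .Values.commonAnnotations }}
+{{ toYaml .Values.commonAnnotations }}
+{{- end }}
+{{- end }}
+
 {{/*
 Selector labels
 */}}
@@ -142,3 +151,21 @@ Output post install webhook probe volume entry
 secret:
 secretName: {{ .Values.externalCertInjection.secretName }}
 {{- end -}}
+
+{{/*
+Extra volume mounts for audit and controller-manager pods
+*/}}
+{{- define "gatekeeper.extraVolumeMounts" -}}
+{{- if .Values.extraVolumeMounts }}
+{{- toYaml .Values.extraVolumeMounts }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Extra volume mounts for audit and controller-manager pods
+*/}}
+{{- define "gatekeeper.extraVolumes" -}}
+{{- if .Values.extraVolumes }}
+{{- toYaml .Values.extraVolumes }}
+{{- end -}}
+{{- end -}}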
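Review bot: Same copy-paste heading as in the static template: the comment above `gatekeeper.extraVolumes` says `Extra volume mounts for audit and controller-manager pods` and should say `Extra volumes for audit and controller-manager pods`. This file appears to be generated from cmd/build/helmify/static/templates/_helpers.tpl (the two hunks are byte-identical), so the fix belongs at the source and should be regenerated here rather than edited by hand, or the next build will reintroduce it.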

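--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml
@@ -3,6 +3,8 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
+annotations:
+{{- include "gatekeeper.commonAnnotations" . | nindent 4 }}
 labels:
 {{- include "gatekeeper.commonLabels" . | nindent 4 }}
 app: '{{ template "gatekeeper.name" . }}'
@@ -49,7 +51,7 @@ spec:
 spec:
 affinity:
 {{- toYaml .Values.audit.affinity | nindent 8 }}
-automountServiceAccountToken: true
+automountServiceAccountToken: {{ .Values.audit.serviceAccount.automountServiceAccountToken }}
 containers:
 - {{- if .Values.image.release }}
 image: {{ .Values.image.repository }}:{{ .Values.image.release }}
@@ -165,6 +167,7 @@ spec:
 {{- end }}
 {{- toYaml .Values.audit.securityContext | nindent 10}}
 volumeMounts:
+{{- include "gatekeeper.extraVolumeMounts" . | nindent 8 }}
 - mountPath: /certs
 name: cert
 readOnly: true
@@ -193,6 +196,7 @@ spec:
 tolerations:
 {{- toYaml .Values.audit.tolerations | nindent 8 }}
 volumes:
+{{- include "gatekeeper.extraVolumes" . | nindent 6 }}
 - name: cert
 secret:
 defaultMode: 420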
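Review bot: `automountServiceAccountToken: {{ .Values.audit.serviceAccount.automountServiceAccountToken }}` renders an empty value when a user sets the key to null, which YAML reads as unset; Kubernetes then falls back to the ServiceAccount's own automount setting instead of the `true` the README documents as the chart default. Do not close that gap with `| default true`: sprig's `default` treats `false` as empty and would silently re-enable the token mount, undoing the hardening this option exists for. If the field should only be emitted when explicitly set, wrap it: `{{- if hasKey .Values.audit.serviceAccount "automountServiceAccountToken" }}` / the existing line / `{{- end }}`; otherwise add a comment on the line noting the null fallback. The pod spec continues outside the hunk.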

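--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml
@@ -2,6 +2,8 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
+annotations:
+{{- include "gatekeeper.commonAnnotations" . | nindent 4 }}
 labels:
 {{- include "gatekeeper.commonLabels" . | nindent 4 }}
 app: '{{ template "gatekeeper.name" . }}'
@@ -51,7 +53,7 @@ spec:
 spec:
 affinity:
 {{- toYaml .Values.controllerManager.affinity | nindent 8 }}
-automountServiceAccountToken: true
+automountServiceAccountToken: {{ .Values.controllerManager.serviceAccount.automountServiceAccountToken }}
 containers:
 - {{- if .Values.image.release }}
 image: {{ .Values.image.repository }}:{{ .Values.image.release }}
@@ -178,6 +180,7 @@ spec:
 {{- end }}
 {{- toYaml .Values.controllerManager.securityContext | nindent 10}}
 volumeMounts:
+{{- include "gatekeeper.extraVolumeMounts" . | nindent 8 }}
 - mountPath: /certs
 name: cert
 readOnly: true
@@ -199,6 +202,7 @@ spec:
 topologySpreadConstraints:
 {{- toYaml .Values.controllerManager.topologySpreadConstraints | nindent 8 }}
 volumes:
+{{- include "gatekeeper.extraVolumes" . | nindent 6 }}
 - name: cert
 secret:
 defaultMode: 420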
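Review bot: The `gatekeeper.extraVolumeMounts` include lands inside the manager container, ahead of the read-only `/certs` mount, and `gatekeeper.extraVolumes` accepts any volume type; neither is validated, so a values override can mount a hostPath or a writable path into the same container whose `securityContext` the chart renders two lines above. A comment at the include site would make that trust boundary explicit: `# rendered verbatim from values; hostPath or writable mounts weaken the hardening applied via securityContext`. Also worth noting for users that an extra mount whose `mountPath` duplicates `/certs` is, as far as I recall, rejected by Kubernetes validation at apply time rather than by `helm template`, so there is no early signal. The container spec starts and ends outside the hunk.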
