Update helm chart to be compatible with latest version of kubemod (#22)

* Upgrade chart with all changes

* fix cert job

* added section to remind labelin the namespace

* bump chart version

* Update README.md

* change failure policy

README.md

@@ -16,3 +16,23 @@ Linting/validation uses the [helm/chart-testing tool](https://github.com/helm/ch
 ct lint --all --config ct.yaml
 ct install --all --config ct.yaml
 ```
+
+## Ignore kubemod-system namespace before installing the cart
+
+```
+# Make KubeMod ignore Kubernetes' system namespace.
+kubectl label namespace kubemod-system admission.kubemod.io/ignore=true --overwrite
+```
+
+## Ignore webhooks differences when using ArgoCD
+```
+ignoreDifferences:
+- kind: ValidatingWebhookConfiguration
+  group: admissionregistration.k8s.io
+  jqPathExpressions:
+  - '.webhooks[]?.clientConfig.caBundle'
+- kind: MutatingWebhookConfiguration
+  group: admissionregistration.k8s.io
+  jqPathExpressions:
+  - '.webhooks[]?.clientConfig.caBundle'
+```

helm-chart/kubemod/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v2
 name: kubemod
 description: KubeMod is a universal Kubernetes mutating operator.
-version: 0.3.0
-appVersion: "0.13.0"
+version: 0.4.0
+appVersion: "v0.19.1"
 kubeVersion: ">= 1.16.0-0"
 home: https://github.com/kubemod/kubemod
 sources:
@@ -12,3 +12,4 @@ maintainers:
   - name: desaintmartin
     email: [email protected]
   - name: vassilvk
+  - name: abirsigron

helm-chart/kubemod/crds/crd-kubemod.yaml

@@ -34,6 +34,37 @@ spec:
           spec:
             description: ModRuleSpec defines the desired state of ModRule
             properties:
+              admissionOperations:
+                default:
+                - CREATE
+                - UPDATE
+                description: 'AdmissionOperations specifies which admission hook operations
+                  this ModRule applies to. Valid values are: - "CREATE" - the rule
+                  applies to all matching resources as they are created. - "UPDATE"
+                  - the rule applies to all matching resources as they are updated.
+                  - "DELETE" - the rule applies to all matching resources as they
+                  are deleted. By default, a ModRule applies to all admission operations.'
+                items:
+                  description: ModRuleAdmissionOperation describes the operation a
+                    ModRule is executed on. Only the following ModRuleAdmissionOperation(s)
+                    may be specified.
+                  enum:
+                  - CREATE
+                  - UPDATE
+                  - DELETE
+                  type: string
+                type: array
+              executionTier:
+                default: 0
+                description: ExecutionTier is a value between -32767 and 32766. ExecutionTier
+                  controls when this ModRule will be executed as it relates to the
+                  other ModRules loaded in the system. ModRules are matched and executed
+                  in tiers, starting with the lowest tier. The results of executing
+                  all ModRules in a tier are passed as input to the ModRules in the
+                  next tier. This cascading execution continues until the highest
+                  tier of ModRules has been executed. ModRules in the same tier are
+                  executed in indeterminate order.
+                type: integer
               match:
                 description: Match is a list of match items which consist of select
                   queries and expected match values or regular expressions. When all
@@ -174,4 +205,4 @@ status:
     kind: ""
     plural: ""
   conditions: []
-  storedVersions: []
+  storedVersions: []

helm-chart/kubemod/templates/job-crt/cronjob-crt.yaml

@@ -0,0 +1,25 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ include "kubemod.fullname" . }}-crt-cron-job
+  labels:
+    {{- include "kubemod.labels" . | nindent 4 }}
+spec:
+  jobTemplate:
+    spec:
+      backoffLimit: 4
+      template:
+        spec:
+          {{- if .Values.priorityClassName }}
+          priorityClassName: {{ .Values.priorityClassName | quote }}
+          {{- end }}
+          containers:
+          - command:
+            - /bin/sh
+            - -c
+            - ./cert-renew.sh
+            image: kubemod/kubemod-crt:v1.3.0
+            name: kubemod-crt
+          restartPolicy: Never
+          serviceAccountName: {{ include "kubemod.serviceAccountName" . }}-crt
+  schedule: 0 0 1 * *

helm-chart/kubemod/templates/job-crt/job-crt.yaml

@@ -0,0 +1,22 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "kubemod.fullname" . }}-crt-job
+  labels:
+    {{- include "kubemod.labels" . | nindent 4 }}
+spec:
+  backoffLimit: 4
+  template:
+    spec:
+      {{- if .Values.priorityClassName }}
+      priorityClassName: {{ .Values.priorityClassName | quote }}
+      {{- end }}
+      containers:
+      - command:
+        - /bin/sh
+        - -c
+        - ./cert-renew.sh
+        image: kubemod/kubemod-crt:v1.3.0
+        name: kubemod-crt
+      restartPolicy: Never
+      serviceAccountName: {{ include "kubemod.serviceAccountName" . }}-crt

helm-chart/kubemod/templates/job-crt/role-crt.yaml

@@ -4,9 +4,6 @@ metadata:
   name: {{ include "kubemod.fullname" . }}-crt
   labels:
     {{- include "kubemod.labels" . | nindent 4 }}
-  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 rules:
 - apiGroups:
   - ""
@@ -27,9 +24,6 @@ metadata:
   name: {{ include "kubemod.fullname" . }}-crt
   labels:
     {{- include "kubemod.labels" . | nindent 4 }}
-  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -47,9 +41,6 @@ metadata:
   name: {{ include "kubemod.fullname" . }}-crt
   labels:
     {{- include "kubemod.labels" . | nindent 4 }}
-  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 rules:
 - apiGroups:
   - admissionregistration.k8s.io
@@ -74,9 +65,6 @@ metadata:
   name: {{ include "kubemod.fullname" . }}-crt
   labels:
     {{- include "kubemod.labels" . | nindent 4 }}
-  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

helm-chart/kubemod/templates/job-crt/serviceaccount-crt.yaml

@@ -5,9 +5,6 @@ metadata:
   name: {{ include "kubemod.serviceAccountName" . }}-crt
   labels:
     {{- include "kubemod.labels" . | nindent 4 }}
-  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 {{- with .Values.serviceAccount.annotations }}
 {{- toYaml . | nindent 4 }}
 {{- end }}

helm-chart/kubemod/templates/mutatingwebhookconfiguration.yaml

@@ -4,7 +4,6 @@ metadata:
   name: {{ include "kubemod.fullname" . }}-mutating-webhook-configuration
   labels:
     {{- include "kubemod.labels" . | nindent 4 }}
-  creationTimestamp: null
 webhooks:
 - admissionReviewVersions:
   - v1beta1
@@ -14,7 +13,7 @@ webhooks:
       name: {{ include "kubemod.fullname" . }}-webhook-service
       namespace: {{ .Release.Namespace }}
       path: /mutate-api-kubemod-io-v1beta1-modrule
-  failurePolicy: Fail
+  failurePolicy: {{ .Values.webhook.failurePolicy }}
   name: mmodrule.kubemod.io
   rules:
   - apiGroups:
@@ -50,8 +49,38 @@ webhooks:
     operations:
     - CREATE
     - UPDATE
+    - DELETE
     resources:
     {{- toYaml .Values.webhook.resources | nindent 4 }}
     scope: '*'
   sideEffects: None
-  timeoutSeconds: 3
+  timeoutSeconds: 10
+- admissionReviewVersions:
+  - v1beta1
+  clientConfig:
+    caBundle: Cg==
+    service:
+      name: kubemod-webhook-service
+      namespace: kubemod-system
+      path: /podbinding-webhook
+  failurePolicy: {{ .Values.webhook.failurePolicy }}
+  name: podbinding.kubemod.io
+  namespaceSelector:
+    matchExpressions:
+    - key: admission.kubemod.io/ignore
+      operator: NotIn
+      values:
+      - "true"
+  rules:
+  - apiGroups:
+    - ""
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - pods/binding
+    scope: '*'
+  sideEffects: None
+  timeoutSeconds: 10

helm-chart/kubemod/templates/roles.yaml

@@ -17,7 +17,32 @@ rules:
   - patch
   - update
   - watch
-
+- apiGroups:
+  - api.kubemod.io
+  resources:
+  - modrules/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  - nodes
+  verbs:
+  - list
+  - get
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - list
+  - get
+  - watch
+  - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

helm-chart/kubemod/templates/validatingwebhookconfiguration.yaml

@@ -14,7 +14,7 @@ webhooks:
       name: {{ include "kubemod.fullname" . }}-webhook-service
       namespace: {{ .Release.Namespace }}
       path: /validate-api-kubemod-io-v1beta1-modrule
-  failurePolicy: Fail
+  failurePolicy: {{ .Values.webhook.failurePolicy }}
   name: vmodrule.kubemod.io
   rules:
   - apiGroups:

helm-chart/kubemod/values.yaml

@@ -7,13 +7,13 @@ replicaCount: 1
 image:
   repository: kubemod/kubemod
   pullPolicy: IfNotPresent
-  tag: "v0.13.0"
+  tag: "v0.19.1"
 
 job:
   image:
     repository: kubemod/kubemod-crt
     pullPolicy: IfNotPresent
-    tag: "v1.1.1"
+    tag: "v1.3.0"
 
 imagePullSecrets: []
 nameOverride: ""