From 7e1a1b8c5ef6801accecc192e43b8ebf541bf280 Mon Sep 17 00:00:00 2001 From: Hector Fernandez Date: Fri, 23 Jun 2023 12:45:52 +0200 Subject: [PATCH] unify policy controllers 
Signed-off-by: Hector Fernandez --- charts/policy-controller/Chart.yaml | 8 +- charts/policy-controller/README.md | 33 +--- .../policy-controller/templates/_helpers.tpl | 21 --- .../templates/crds/clusterimagepolicy.yaml | 2 +- .../clusterrole_policy_webhook.yaml | 86 ---------- .../clusterrolebindings_policy_webhook.yaml | 30 ---- .../templates/policy-webhook/configmap.yaml | 63 -------- .../deployment_policy_webhook.yaml | 147 ------------------ .../policy-webhook/role_policy_webhook.yaml | 51 ------ .../rolebinding_policy_webhook.yaml | 31 ---- .../policy-webhook/sa_policy_webhook.yaml | 29 ---- .../secret_certs_policy_webhook.yaml | 28 ---- .../service_policy_webhook.yaml | 63 -------- .../webhook/clusterrole_webhook.yaml | 25 ++- .../config-sigstore-keys.yaml | 0 .../configmap-clusterimagepolicy.yaml | 0 .../configmap-policy-controller.yaml | 6 +- .../templates/webhook/deployment_webhook.yaml | 2 + .../policy_webhook_configurations.yaml | 12 +- .../templates/webhook/role_webhook.yaml | 18 +++ charts/policy-controller/values.schema.json | 144 +---------------- charts/policy-controller/values.yaml | 54 +------ 22 files changed, 76 insertions(+), 777 deletions(-) delete mode 100644 charts/policy-controller/templates/policy-webhook/clusterrole_policy_webhook.yaml delete mode 100644 charts/policy-controller/templates/policy-webhook/clusterrolebindings_policy_webhook.yaml delete mode 100644 charts/policy-controller/templates/policy-webhook/configmap.yaml delete mode 100644 charts/policy-controller/templates/policy-webhook/deployment_policy_webhook.yaml delete mode 100644 charts/policy-controller/templates/policy-webhook/role_policy_webhook.yaml delete mode 100644 charts/policy-controller/templates/policy-webhook/rolebinding_policy_webhook.yaml delete mode 100644 charts/policy-controller/templates/policy-webhook/sa_policy_webhook.yaml delete mode 100644 charts/policy-controller/templates/policy-webhook/secret_certs_policy_webhook.yaml delete mode 100644 
charts/policy-controller/templates/policy-webhook/service_policy_webhook.yaml
rename charts/policy-controller/templates/{policy-webhook => webhook}/config-sigstore-keys.yaml (100%)
rename charts/policy-controller/templates/{policy-webhook => webhook}/configmap-clusterimagepolicy.yaml (100%)
rename charts/policy-controller/templates/{policy-webhook => webhook}/configmap-policy-controller.yaml (86%)
rename charts/policy-controller/templates/{policy-webhook => webhook}/policy_webhook_configurations.yaml (67%)
diff --git a/charts/policy-controller/Chart.yaml b/charts/policy-controller/Chart.yaml
index ecbaf25c..6aebe76d 100644
--- a/charts/policy-controller/Chart.yaml
+++ b/charts/policy-controller/Chart.yaml
@@ -8,8 +8,8 @@ sources:
 type: application
 name: policy-controller
-version: 0.5.9
-appVersion: 0.7.0
+version: 0.6.0
+appVersion: 0.8.0
 maintainers:
 - name: dlorenc
@@ -19,6 +19,4 @@ annotations:
 artifacthub.io/license: Apache-2.0
 artifacthub.io/images: |
 - name: policy-controller
- image: ghcr.io/sigstore/policy-controller/policy-controller:v0.7.0@sha256:947693aa3a536992bc89f3c7ded8a7707b26cd4518972f293edd3e57e112438e
- - name: policywebhook
- image: ghcr.io/sigstore/policy-controller/policy-webhook:v0.7.0@sha256:3a3581032ff69991ddd9f19faf8acd059c8fb0ba8d3b0164a13b99a096880c84
+ image: ghcr.io/sigstore/policy-controller/policy-controller:v0.8.0@sha256:e91bcd954394b414d3b80adfc2cefdae84dd7985fb938a895471eb34aac57744
diff --git a/charts/policy-controller/README.md b/charts/policy-controller/README.md
index 7e6c0019..2fd0efb0 100644
--- a/charts/policy-controller/README.md
+++ b/charts/policy-controller/README.md
@@ -27,40 +27,15 @@ The Helm chart for Policy Controller
 | cosign.webhookName | string | `"policy.sigstore.dev"` | |
 | imagePullSecrets | list | `[]` | |
 | installCRDs | bool | `true` | |
-| policywebhook.configData | object | `{}` | Set the data of the `policy-config-controller` configmap |
-| policywebhook.env | object | `{}` | |
-| policywebhook.extraArgs | object | `{}` | |
-| policywebhook.image.pullPolicy | string | `"IfNotPresent"` | |
-| policywebhook.image.repository | string | `"ghcr.io/sigstore/policy-controller/policy-webhook"` | |
-| policywebhook.image.version | string | `"sha256:3a3581032ff69991ddd9f19faf8acd059c8fb0ba8d3b0164a13b99a096880c84"` | `"v0.7.0"` |
-| policywebhook.podSecurityContext.allowPrivilegeEscalation | bool | `false` | |
-| policywebhook.podSecurityContext.capabilities.drop[0] | string | `"ALL"` | |
-| policywebhook.podSecurityContext.enabled | bool | `true` | |
-| policywebhook.podSecurityContext.readOnlyRootFilesystem | bool | `true` | |
-| policywebhook.podSecurityContext.runAsNonRoot | bool | `true` | |
-| policywebhook.replicaCount | int | `1` | |
-| policywebhook.resources.limits.cpu | string | `"100m"` | |
-| policywebhook.resources.limits.memory | string | `"256Mi"` | |
-| policywebhook.resources.requests.cpu | string | `"100m"` | |
-| policywebhook.resources.requests.memory | string | `"128Mi"` | |
-| policywebhook.securityContext.enabled | bool | `false` | |
-| policywebhook.securityContext.runAsUser | int | `65532` | |
-| policywebhook.service.annotations | object | `{}` | |
-| policywebhook.service.port | int | `443` | |
-| policywebhook.service.type | string | `"ClusterIP"` | |
-| policywebhook.serviceAccount.annotations | object | `{}` | |
-| policywebhook.serviceAccount.create | bool | `true` | |
-| policywebhook.serviceAccount.name | string | `""` | |
-| policywebhook.volumeMounts | list | `[]` | |
-| policywebhook.volumes | list | `[]` | |
-| policywebhook.webhookNames.defaulting | string | `"defaulting.clusterimagepolicy.sigstore.dev"` | |
-| policywebhook.webhookNames.validating | string | `"validating.clusterimagepolicy.sigstore.dev"` | |
+| webhook.configData | object | `{}` | Set the data of the `policy-config-controller` configmap |
+| webhook.webhookNames.defaulting | string | `"defaulting.clusterimagepolicy.sigstore.dev"` | |
+| webhook.webhookNames.validating | string | `"validating.clusterimagepolicy.sigstore.dev"` | |
 | serviceMonitor.enabled | bool | `false` | |
 | webhook.env | object | `{}` | |
 | webhook.extraArgs | object | `{}` | |
 | webhook.image.pullPolicy | string | `"IfNotPresent"` | |
 | webhook.image.repository | string | `"ghcr.io/sigstore/policy-controller/policy-controller"` | |
-| webhook.image.version | string | `"sha256:947693aa3a536992bc89f3c7ded8a7707b26cd4518972f293edd3e57e112438e"` | `"v0.7.0"` |
+| webhook.image.version | string | `"sha256:e91bcd954394b414d3b80adfc2cefdae84dd7985fb938a895471eb34aac57744"` | `"v0.8.0"` |
 | webhook.name | string | `"webhook"` | |
 | webhook.failurePolicy | string | `"Fail"` | |
 | webhook.namespaceSelector.matchExpressions[0].key | string | `"policy.sigstore.dev/include"` | |
diff --git a/charts/policy-controller/templates/_helpers.tpl b/charts/policy-controller/templates/_helpers.tpl
index 15b21953..6ea51793 100644
--- a/charts/policy-controller/templates/_helpers.tpl
+++ b/charts/policy-controller/templates/_helpers.tpl
@@ -50,17 +50,6 @@ app.kubernetes.io/name: {{ include "policy-controller.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
-{{/*
-Create the name of the service account to use for policy-controller
-*/}}
-{{- define "policywebhook.serviceAccountName" -}}
-{{- if .Values.policywebhook.serviceAccount.create }}
-{{- default ( print (include "policy-controller.fullname" .) "-policy-webhook" ) .Values.policywebhook.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.policywebhook.serviceAccount.name }}
-{{- end }}
-{{- end }}
-
 {{/*
 Create the name of the service account to use for webhook
 */}}
@@ -127,16 +116,6 @@ Create the image path for the passed in image field
 {{- end -}}
 {{- end -}}
-{{/*
-Create the image path for the passed in policy-webhook image field
-*/}}
-{{- define "policywebhook.image" -}}
-{{- if eq (substr 0 7 .version) "sha256:" -}}
-{{- printf "%s@%s" .repository .version -}}
-{{- else -}}
-{{- printf "%s:%s" .repository .version -}}
-{{- end -}}
-{{- end -}}
 {{/*
 Create the image path for the passed in leases-cleanup image field
diff --git a/charts/policy-controller/templates/crds/clusterimagepolicy.yaml b/charts/policy-controller/templates/crds/clusterimagepolicy.yaml
index 4662e967..9fb4269d 100644
--- a/charts/policy-controller/templates/crds/clusterimagepolicy.yaml
+++ b/charts/policy-controller/templates/crds/clusterimagepolicy.yaml
@@ -22,7 +22,7 @@ spec:
 conversionReviewVersions: ["v1beta1", "v1alpha1"]
 clientConfig:
 service:
- name: policy-webhook
+ name: webhook
 namespace: {{ .Release.Namespace }}
 group: policy.sigstore.dev
 names:
diff --git a/charts/policy-controller/templates/policy-webhook/clusterrole_policy_webhook.yaml b/charts/policy-controller/templates/policy-webhook/clusterrole_policy_webhook.yaml
deleted file mode 100644
index 83719e94..00000000
--- a/charts/policy-controller/templates/policy-webhook/clusterrole_policy_webhook.yaml
+++ /dev/null
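Review bot: The conversion webhook's `clientConfig.service.name` is now the literal `webhook`, while the README rows in this same patch list a `webhook.name` value whose default is `"webhook"`; if the webhook Service takes its name from that value (its template is not in this diff), an operator who overrides it leaves the CRD conversion endpoint pointing at a Service that does not exist and ClusterImagePolicy conversion requests would fail. Consider `name: {{ .Values.webhook.name }}` so the two cannot drift, or add a comment on that line stating that the Service name is intentionally fixed. Because the `policy-webhook` Service and its `policy-webhook-certs` Secret are deleted by this commit, the serving certificate behind the `webhook` Service must now also be valid for conversion traffic; nothing in the diff shows how that certificate is issued, so this should be confirmed against the 0.8.0 binary. The enclosing `spec.conversion` block begins outside the hunk.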
@@ -1,86 +0,0 @@ -# Copyright 2022 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "policy-controller.fullname" . }}-policy-webhook - labels: - {{- include "policy-controller.labels" . | nindent 4 }} - control-plane: {{ template "policy-controller.fullname" . }}-policy-webhook -rules: - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] - # Allow the reconciliation of exactly our validating webhook. 
- - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"] - verbs: ["list", "watch"] - - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"] - verbs: ["get", "update", "delete"] - resourceNames: - - {{ required "A valid cosign.webhookName is required" .Values.cosign.webhookName | quote }} - - {{ required "A valid policywebhook.webhookNames.defaulting is required" .Values.policywebhook.webhookNames.defaulting | quote }} - - {{ required "A valid policywebhook.webhookNames.validating is required" .Values.policywebhook.webhookNames.validating | quote }} - - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations/finalizers", "mutatingwebhookconfigurations/finalizers"] - verbs: ["update"] - resourceNames: - - {{ required "A valid cosign.webhookName is required" .Values.cosign.webhookName | quote }} - - {{ required "A valid policywebhook.webhookNames.defaulting is required" .Values.policywebhook.webhookNames.defaulting | quote }} - - {{ required "A valid policywebhook.webhookNames.validating is required" .Values.policywebhook.webhookNames.validating | quote }} - - - apiGroups: [""] - resources: ["namespaces"] - verbs: ["get", "list"] - # The webhook configured the namespace as the OwnerRef on various cluster-scoped resources, - # which requires we can Get the system namespace. - resourceNames: [ "{{ .Release.Namespace }}" ] - - - apiGroups: [""] - resources: ["namespaces/finalizers"] - verbs: ["update"] - # The webhook configured the namespace as the OwnerRef on various cluster-scoped resources, - # which requires we can Get the system namespace. - resourceNames: [ "{{ .Release.Namespace }}" ] - - # This is needed by k8schain to support fetching pull secrets attached to pod specs - # or their service accounts. 
If pull secrets aren't used, the "secrets" below can - # be safely dropped, but the logic will fetch the service account to check for pull - # secrets. - - apiGroups: [""] - resources: ["serviceaccounts", "secrets"] - verbs: ["get"] - - # Allow reconciliation of the ClusterImagePolic CRDs. - - apiGroups: ["policy.sigstore.dev"] - resources: ["clusterimagepolicies", "clusterimagepolicies/status"] - verbs: ["get", "list", "update", "watch", "patch"] - - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch", "update"] - - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "update", "list"] - resourceNames: ["trustroots.policy.sigstore.dev"] - - - apiGroups: ["policy.sigstore.dev"] - resources: ["trustroots", "trustroots/status"] - verbs: ["get", "list", "update", "watch", "patch"] diff --git a/charts/policy-controller/templates/policy-webhook/clusterrolebindings_policy_webhook.yaml b/charts/policy-controller/templates/policy-webhook/clusterrolebindings_policy_webhook.yaml deleted file mode 100644 index 064d7bcd..00000000 --- a/charts/policy-controller/templates/policy-webhook/clusterrolebindings_policy_webhook.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -# Copyright 2022 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ template "policy-controller.fullname" . }}-policy-webhook - labels: - {{- include "policy-controller.labels" . | nindent 4 }} - control-plane: {{ template "policy-controller.fullname" . }}-policy-webhook -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "policy-controller.fullname" . }}-policy-webhook -subjects: -- kind: ServiceAccount - name: {{ include "policywebhook.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} diff --git a/charts/policy-controller/templates/policy-webhook/configmap.yaml b/charts/policy-controller/templates/policy-webhook/configmap.yaml deleted file mode 100644 index e16d674f..00000000 --- a/charts/policy-controller/templates/policy-webhook/configmap.yaml +++ /dev/null 
@@ -1,63 +0,0 @@ -# Copyright 2022 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - ---- -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - {{- include "policy-controller.labels" . | nindent 4 }} - control-plane: {{ template "policy-controller.fullname" . }}-policy-webhook - name: {{ template "policy-controller.fullname" . }}-policy-webhook-logging - namespace: {{ .Release.Namespace }} -data: - zap-logger-config: |- - { - "level": "info", - "development": false, - "outputPaths": ["stdout"], - "errorOutputPaths": ["stderr"], - "encoding": "json", - "encoderConfig": { - "timeKey": "ts", - "levelKey": "level", - "nameKey": "logger", - "callerKey": "caller", - "messageKey": "msg", - "stacktraceKey": "stacktrace", - "lineEnding": "", - "levelEncoder": "", - "timeEncoder": "iso8601", - "durationEncoder": "", - "callerEncoder": "" - } - } - # Log level overrides - # Changes are be picked up immediately. - loglevel.controller: "info" - loglevel.webhook: "info" -{{- if .Values.serviceMonitor.enabled }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - {{- include "policy-controller.labels" . | nindent 4 }} - control-plane: {{ template "policy-controller.fullname" . }}-policy-webhook - name: {{ template "policy-controller.fullname" . }}-policy-webhook-observability - namespace: {{ .Release.Namespace }} -data: - metrics.backend-destination: prometheus - metrics.request-metrics-backend-destination: prometheus -{{- end }} 
diff --git a/charts/policy-controller/templates/policy-webhook/deployment_policy_webhook.yaml b/charts/policy-controller/templates/policy-webhook/deployment_policy_webhook.yaml deleted file mode 100644 index ec753e12..00000000 --- a/charts/policy-controller/templates/policy-webhook/deployment_policy_webhook.yaml +++ /dev/null 
@@ -1,147 +0,0 @@ -# Copyright 2022 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "policy-controller.fullname" . }}-policy-webhook - namespace: {{ .Release.Namespace }} - labels: - {{- include "policy-controller.labels" . | nindent 4 }} - control-plane: {{ template "policy-controller.fullname" . }}-policy-webhook -spec: - replicas: {{ .Values.policywebhook.replicaCount }} - selector: - matchLabels: - {{- include "policy-controller.selectorLabels" . | nindent 6 }} - control-plane: {{ template "policy-controller.fullname" . }}-policy-webhook - template: - metadata: - labels: - {{- include "policy-controller.selectorLabels" . | nindent 8 }} - control-plane: {{ template "policy-controller.fullname" . }}-policy-webhook - spec: - nodeSelector: - {{- toYaml .Values.commonNodeSelector | nindent 8 }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: -{{ toYaml .Values.imagePullSecrets | indent 8 }} - {{- end }} - tolerations: - {{- toYaml .Values.commonTolerations | nindent 8 }} - serviceAccountName: {{ include "policywebhook.serviceAccountName" . }} - # To avoid node becoming SPOF, spread our replicas to different nodes. - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - control-plane: {{ template "policy-controller.fullname" . 
}}-policy-webhook - topologyKey: kubernetes.io/hostname - weight: 100 - containers: - - name: policy-webhook - # This is the Go import path for the binary that is containerized - # and substituted here. - image: "{{ template "policy-controller.image" .Values.policywebhook.image }}" - imagePullPolicy: "{{ .Values.policywebhook.image.pullPolicy }}" - args: - {{- if semverCompare ">= 1.8-0" .Chart.AppVersion }} - - -mutating-webhook-name={{ required "A valid policywebhook.webhookNames.defaulting is required" .Values.policywebhook.webhookNames.defaulting }} - - -validating-webhook-name={{ required "A valid policywebhook.webhookNames.validating is required" .Values.policywebhook.webhookNames.validating }} - {{- end }} - {{- range $key, $value := .Values.policywebhook.extraArgs }} - - -{{ $key }}={{ $value }} - {{- end }} - resources: - {{- with .Values.policywebhook.resources }} - {{- toYaml . | nindent 10 }} - {{- end }} - env: -{{- if .Values.policywebhook.env }} -{{- range $key, $value := .Values.policywebhook.env }} - - name: "{{ $key }}" - value: "{{ $value }}" -{{- end }} -{{- end }} - - name: SYSTEM_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: CONFIG_LOGGING_NAME - value: {{ template "policy-controller.fullname" . }}-policy-webhook-logging - - name: CONFIG_OBSERVABILITY_NAME - value: {{ template "policy-controller.fullname" . }}-policy-webhook-observability - - name: METRICS_DOMAIN - value: sigstore.dev/policy - - name: WEBHOOK_NAME - value: policy-webhook - ports: - - containerPort: 8443 - name: https - protocol: TCP - - containerPort: 9090 - name: metrics - protocol: TCP -{{- if .Values.policywebhook.podSecurityContext.enabled }} - securityContext: - {{- with .Values.policywebhook.podSecurityContext }} - {{- omit . 
"enabled" | toYaml | nindent 10}} - {{- end }} -{{- end }} - volumeMounts: - # Failing to provide a writable $HOME can cause TUF client initialization to panic - - mountPath: /home/nonroot - name: writable-home-dir - {{- with .Values.policywebhook.volumeMounts }} - {{- toYaml . | nindent 10 }} - {{- end }} - readinessProbe: - failureThreshold: 6 - initialDelaySeconds: 30 - periodSeconds: 1 - httpGet: - scheme: HTTPS - port: 8443 - httpHeaders: - - name: k-kubelet-probe - value: "policy-webhook" - livenessProbe: - failureThreshold: 6 - initialDelaySeconds: 30 - periodSeconds: 1 - httpGet: - scheme: HTTPS - port: 8443 - httpHeaders: - - name: k-kubelet-probe - value: "policy-webhook" - # Our webhook should gracefully terminate by lame ducking first, set this to a sufficiently - # high value that we respect whatever value it has configured for the lame duck grace period. - terminationGracePeriodSeconds: 300 - - {{- if .Values.policywebhook.securityContext.enabled }} - securityContext: - {{- with .Values.policywebhook.securityContext }} - {{- omit . "enabled" | toYaml | nindent 8}} - {{- end }} - {{- end }} - volumes: - - emptyDir: {} - name: writable-home-dir - {{- with .Values.policywebhook.volumes }} - {{- toYaml . | nindent 6 }} - {{- end }} diff --git a/charts/policy-controller/templates/policy-webhook/role_policy_webhook.yaml b/charts/policy-controller/templates/policy-webhook/role_policy_webhook.yaml deleted file mode 100644 index 8b518cdf..00000000 --- a/charts/policy-controller/templates/policy-webhook/role_policy_webhook.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -# Copyright 2022 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ template "policy-controller.fullname" . }}-policy-webhook - namespace: {{ .Release.Namespace }} - labels: - {{- include "policy-controller.labels" . | nindent 4 }} - control-plane: {{ template "policy-controller.fullname" . }}-policy-webhook -rules: - # Needed to watch and load configuration and secret data. - - apiGroups: [""] - resources: ["configmaps", "secrets"] - verbs: ["get", "list", "update", "watch"] - - # Needed for leader election - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] - - # This is needed to create / patch ConfigMap that is created by the reconciler - # to consolidate various CIP configuration into a policy ConfigMap. - - apiGroups: [""] - resources: ["configmaps"] - resourceNames: ["config-image-policies"] - verbs: ["get", "list", "create", "update", "patch", "watch"] - - # This is needed to create / patch ConfigMap that is created by the reconciler - # to consolidate various TrustRoot configuration into SigstoreKeys ConfigMap. 
- - apiGroups: [""] - resources: ["configmaps"] - resourceNames: ["config-sigstore-keys"] - verbs: ["get", "list", "create", "update", "patch", "watch"] - - - apiGroups: ["policy.sigstore.dev"] - resources: ["trustroots"] - verbs: ["get", "list"] \ No newline at end of file diff --git a/charts/policy-controller/templates/policy-webhook/rolebinding_policy_webhook.yaml b/charts/policy-controller/templates/policy-webhook/rolebinding_policy_webhook.yaml deleted file mode 100644 index a3c403cb..00000000 --- a/charts/policy-controller/templates/policy-webhook/rolebinding_policy_webhook.yaml +++ /dev/null @@ -1,31 +0,0 @@ -# Copyright 2022 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ template "policy-controller.fullname" . }}-policy-webhook - namespace: {{ .Release.Namespace }} - labels: - {{- include "policy-controller.labels" . | nindent 4 }} - control-plane: {{ template "policy-controller.fullname" . }}-policy-webhook -subjects: -- kind: ServiceAccount - name: {{ include "policywebhook.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -roleRef: - kind: Role - name: {{ template "policy-controller.fullname" . }}-policy-webhook - apiGroup: rbac.authorization.k8s.io 
diff --git a/charts/policy-controller/templates/policy-webhook/sa_policy_webhook.yaml b/charts/policy-controller/templates/policy-webhook/sa_policy_webhook.yaml deleted file mode 100644 index 83d622d1..00000000 --- a/charts/policy-controller/templates/policy-webhook/sa_policy_webhook.yaml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright 2022 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - ---- -{{- if .Values.policywebhook.serviceAccount.create }} -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - {{- include "policy-controller.labels" . | nindent 4 }} - control-plane: {{ template "policy-controller.fullname" . }}-policy-webhook - name: {{ include "policywebhook.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - {{- with .Values.policywebhook.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} diff --git a/charts/policy-controller/templates/policy-webhook/secret_certs_policy_webhook.yaml b/charts/policy-controller/templates/policy-webhook/secret_certs_policy_webhook.yaml deleted file mode 100644 index 329d1007..00000000 --- a/charts/policy-controller/templates/policy-webhook/secret_certs_policy_webhook.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -# Copyright 2022 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - ---- -apiVersion: v1 -kind: Secret -metadata: - annotations: - {{- if .Values.policywebhook.service.annotations }} - {{ toYaml .Values.policywebhook.service.annotations | nindent 4 }} - {{- end }} - labels: - {{- include "policy-controller.labels" . | nindent 4 }} - control-plane: {{ template "policy-controller.fullname" . }}-policy-webhook - name: policy-webhook-certs - namespace: {{ .Release.Namespace }} -# The data is populated at install time. diff --git a/charts/policy-controller/templates/policy-webhook/service_policy_webhook.yaml b/charts/policy-controller/templates/policy-webhook/service_policy_webhook.yaml deleted file mode 100644 index 9767aace..00000000 --- a/charts/policy-controller/templates/policy-webhook/service_policy_webhook.yaml +++ /dev/null 
@@ -1,63 +0,0 @@ -# Copyright 2022 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{- if .Values.policywebhook.service.annotations }} - {{ toYaml .Values.policywebhook.service.annotations | nindent 4 }} - {{- end }} - labels: - {{- include "policy-controller.labels" . | nindent 4 }} - control-plane: {{ template "policy-controller.fullname" . }}-policy-webhook - name: policy-webhook - namespace: {{ .Release.Namespace }} -spec: - type: {{.Values.policywebhook.service.type}} - ports: - - name: https - port: {{ .Values.policywebhook.service.port }} - protocol: TCP - targetPort: https - {{- if and .Values.policywebhook.service.nodePort (eq "NodePort" .Values.policywebhook.service.type) }} - nodePort: {{ .Values.policywebhook.service.nodePort }} - {{- end }} - selector: - {{- include "policy-controller.selectorLabels" . | nindent 4 }} - control-plane: {{ template "policy-controller.fullname" . }}-policy-webhook ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{- if .Values.policywebhook.service.annotations }} - {{ toYaml .Values.policywebhook.service.annotations | nindent 4 }} - {{- end }} - labels: - {{- include "policy-controller.labels" . | nindent 4 }} - control-plane: {{ template "policy-controller.fullname" . }}-policy-webhook - name: {{ template "policy-controller.fullname" . 
}}-policy-webhook-metrics
- namespace: {{ .Release.Namespace }}
-spec:
- type: ClusterIP
- ports:
- - name: metrics
- port: 9090
- protocol: TCP
- targetPort: metrics
- selector:
- {{- include "policy-controller.selectorLabels" . | nindent 4 }}
- control-plane: {{ template "policy-controller.fullname" . }}-policy-webhook
diff --git a/charts/policy-controller/templates/webhook/clusterrole_webhook.yaml b/charts/policy-controller/templates/webhook/clusterrole_webhook.yaml
index 9ab6fc89..189272d5 100644
--- a/charts/policy-controller/templates/webhook/clusterrole_webhook.yaml
+++ b/charts/policy-controller/templates/webhook/clusterrole_webhook.yaml
@@ -8,7 +8,7 @@ metadata:
 rules:
 - apiGroups: [""]
 resources: ["events"]
- verbs: ["create"]
+ verbs: ["create", "patch"]
 # Allow the reconciliation of exactly our validating webhook.
 - apiGroups: ["admissionregistration.k8s.io"]
 resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
@@ -17,7 +17,10 @@ rules:
 - apiGroups: ["admissionregistration.k8s.io"]
 resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
 verbs: ["get", "update", "delete"]
- resourceNames: [{{ required "A valid cosign.webhookName is required" .Values.cosign.webhookName | quote }}]
+ resourceNames:
+ - {{ required "A valid cosign.webhookName is required" .Values.cosign.webhookName | quote }}
+ - {{ required "A valid webhook.webhookNames.defaulting is required" .Values.webhook.webhookNames.defaulting | quote }}
+ - {{ required "A valid webhook.webhookNames.validating is required" .Values.webhook.webhookNames.validating | quote }}
 - apiGroups: [""]
 resources: ["namespaces"]
@@ -38,3 +41,21 @@ rules:
   - apiGroups: [""]
     resources: ["serviceaccounts", "secrets"]
     verbs: ["get"]
+
+  # Allow reconciliation of the ClusterImagePolic CRDs.
+  - apiGroups: ["policy.sigstore.dev"]
+    resources: ["clusterimagepolicies", "clusterimagepolicies/status"]
+    verbs: ["get", "list", "update", "watch", "patch"]
+
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch", "update"]
+
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "update", "list"]
+    resourceNames: ["trustroots.policy.sigstore.dev"]
+
+  - apiGroups: ["policy.sigstore.dev"]
+    resources: ["trustroots", "trustroots/status"]
+    verbs: ["get", "list", "update", "watch", "patch"]
diff --git a/charts/policy-controller/templates/policy-webhook/config-sigstore-keys.yaml b/charts/policy-controller/templates/webhook/config-sigstore-keys.yaml
similarity index 100%
rename from charts/policy-controller/templates/policy-webhook/config-sigstore-keys.yaml
rename to charts/policy-controller/templates/webhook/config-sigstore-keys.yaml
diff --git a/charts/policy-controller/templates/policy-webhook/configmap-clusterimagepolicy.yaml b/charts/policy-controller/templates/webhook/configmap-clusterimagepolicy.yaml
similarity index 100%
rename from charts/policy-controller/templates/policy-webhook/configmap-clusterimagepolicy.yaml
rename to charts/policy-controller/templates/webhook/configmap-clusterimagepolicy.yaml
diff --git a/charts/policy-controller/templates/policy-webhook/configmap-policy-controller.yaml b/charts/policy-controller/templates/webhook/configmap-policy-controller.yaml
similarity index 86%
rename from charts/policy-controller/templates/policy-webhook/configmap-policy-controller.yaml
rename to charts/policy-controller/templates/webhook/configmap-policy-controller.yaml
index 377e593d..f6aaaaf6 100644
--- a/charts/policy-controller/templates/policy-webhook/configmap-policy-controller.yaml
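Review bot: The new `customresourcedefinitions` rule with `verbs: ["get", "list", "watch", "update"]` has no `resourceNames`, so the webhook's service account may update every CRD in the cluster (schemas, conversion webhooks of unrelated APIs), and it makes the following rule scoped to `trustroots.policy.sigstore.dev` redundant. If the controller only needs to write its own CRDs, as that scoped rule suggests, keep list/watch unscoped and move `update` into the scoped rule: `verbs: ["get", "list", "watch"]` on the first rule, and `resourceNames: ["clusterimagepolicies.policy.sigstore.dev", "trustroots.policy.sigstore.dev"]` with `verbs: ["get", "update"]` on the second. Note that `list` combined with `resourceNames` only authorizes requests filtered on `metadata.name`, so it is unlikely to do what is intended in the scoped rule. The comment should read `# Allow reconciliation of the ClusterImagePolicy CRDs.`; the `rules:` list itself starts outside the hunk.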
+++ b/charts/policy-controller/templates/webhook/configmap-policy-controller.yaml @@ -18,7 +18,7 @@ metadata: name: config-policy-controller namespace: {{ .Release.Namespace }} data: - {{- if not .Values.policywebhook.configData }} + {{- if not .Values.webhook.configData }} _example: | ################################ # # @@ -27,7 +27,7 @@ data: # # # no-match-policy: warn # ################################ - {{- else if .Values.policywebhook.configData }} -{{ toYaml .Values.policywebhook.configData | indent 4 }} + {{- else if .Values.webhook.configData }} +{{ toYaml .Values.webhook.configData | indent 4 }} {{- end }} diff --git a/charts/policy-controller/templates/webhook/deployment_webhook.yaml b/charts/policy-controller/templates/webhook/deployment_webhook.yaml index 4725bd76..5efbd851 100644 --- a/charts/policy-controller/templates/webhook/deployment_webhook.yaml +++ b/charts/policy-controller/templates/webhook/deployment_webhook.yaml @@ -69,6 +69,8 @@ spec: args: {{- if semverCompare ">= 1.8-0" .Chart.AppVersion }} - -webhook-name={{ required "A valid cosign.webhookName is required" .Values.cosign.webhookName }} + - -mutating-webhook-name={{ required "A valid webhook.webhookNames.defaulting is required" .Values.webhook.webhookNames.defaulting }} + - -validating-webhook-name={{ required "A valid webhook.webhookNames.validating is required" .Values.webhook.webhookNames.validating }} {{- end }} {{- range $key, $value := .Values.webhook.extraArgs }} - -{{ $key }}={{ $value }} diff --git a/charts/policy-controller/templates/policy-webhook/policy_webhook_configurations.yaml b/charts/policy-controller/templates/webhook/policy_webhook_configurations.yaml similarity index 67% rename from charts/policy-controller/templates/policy-webhook/policy_webhook_configurations.yaml rename to charts/policy-controller/templates/webhook/policy_webhook_configurations.yaml index 92e5697b..b8c7f0c6 100644 
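Review bot: The two new `-mutating-webhook-name` / `-validating-webhook-name` args are placed inside the existing `semverCompare ">= 1.8-0" .Chart.AppVersion` gate, so they are only rendered when the chart's appVersion is 1.8 or newer; Chart.yaml is outside this diff, but values.yaml in the same patch pins the image at `v0.8.0`, and if appVersion follows that 0.x line the gate is never true and the names are silently dropped from the container args. The ClusterRole and the Mutating/ValidatingWebhookConfiguration in this patch do consume `webhook.webhookNames.*`, and those manifests ship without `rules:`, so an operator who overrides the names would get webhook objects the controller never reconciles and CIP admission that quietly matches nothing. Confirm the gate against the controller release that introduced these flags, or render the args unconditionally since the `required` checks already insist on the values. The container `args` list begins outside the hunk.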
--- a/charts/policy-controller/templates/policy-webhook/policy_webhook_configurations.yaml +++ b/charts/policy-controller/templates/webhook/policy_webhook_configurations.yaml @@ -16,31 +16,31 @@ apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: - name: {{ required "A valid policywebhook.webhookNames.defaulting is required" .Values.policywebhook.webhookNames.defaulting }} + name: {{ required "A valid webhook.webhookNames.defaulting is required" .Values.webhook.webhookNames.defaulting }} webhooks: - admissionReviewVersions: - v1 clientConfig: service: - name: policy-webhook + name: webhook namespace: {{ .Release.Namespace }} failurePolicy: Fail matchPolicy: Equivalent - name: {{ required "A valid policywebhook.webhookNames.defaulting is required" .Values.policywebhook.webhookNames.defaulting }} + name: {{ required "A valid webhook.webhookNames.defaulting is required" .Values.webhook.webhookNames.defaulting }} sideEffects: None --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: - name: {{ required "A valid policywebhook.webhookNames.validating is required" .Values.policywebhook.webhookNames.validating }} + name: {{ required "A valid webhook.webhookNames.validating is required" .Values.webhook.webhookNames.validating }} webhooks: - admissionReviewVersions: - v1 clientConfig: service: - name: policy-webhook + name: webhook namespace: {{ .Release.Namespace }} failurePolicy: Fail matchPolicy: Equivalent - name: {{ required "A valid policywebhook.webhookNames.validating is required" .Values.policywebhook.webhookNames.validating }} + name: {{ required "A valid webhook.webhookNames.validating is required" .Values.webhook.webhookNames.validating }} sideEffects: None diff --git a/charts/policy-controller/templates/webhook/role_webhook.yaml b/charts/policy-controller/templates/webhook/role_webhook.yaml index 9fa65db6..3f2d5164 100644 
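Review bot: `clientConfig.service.name` is hard-coded to `webhook` in both webhook configurations, while values.yaml in this patch exposes `webhook.name: webhook`; if the webhook Service template (not visible here) takes its name from that value, an override leaves both configurations pointing at a Service that does not exist, and with `failurePolicy: Fail` any rule the controller reconciles into them then rejects every matching request. Prefer `name: {{ .Values.webhook.name }}` (or whatever helper the Service template uses) so the two cannot drift. The two documents also carry no `rules:`, which is presumably intentional because the controller fills them in, but a one-line comment saying so would spare the next reader the question.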
--- a/charts/policy-controller/templates/webhook/role_webhook.yaml
+++ b/charts/policy-controller/templates/webhook/role_webhook.yaml
@@ -16,3 +16,21 @@ rules:
   - apiGroups: ["coordination.k8s.io"]
     resources: ["leases"]
     verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+
+  # This is needed to create / patch ConfigMap that is created by the reconciler
+  # to consolidate various CIP configuration into a policy ConfigMap.
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    resourceNames: ["config-image-policies"]
+    verbs: ["get", "list", "create", "update", "patch", "watch"]
+
+  # This is needed to create / patch ConfigMap that is created by the reconciler
+  # to consolidate various TrustRoot configuration into SigstoreKeys ConfigMap.
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    resourceNames: ["config-sigstore-keys"]
+    verbs: ["get", "list", "create", "update", "patch", "watch"]
+
+  - apiGroups: ["policy.sigstore.dev"]
+    resources: ["trustroots"]
+    verbs: ["get", "list"]
\ No newline at end of file
diff --git a/charts/policy-controller/values.schema.json b/charts/policy-controller/values.schema.json
index 245df077..53a222f9 100644
--- a/charts/policy-controller/values.schema.json
+++ b/charts/policy-controller/values.schema.json
@@ -25,18 +25,9 @@
     "installCRDs": {
       "type": "boolean"
     },
-    "policywebhook": {
+    "leasescleanup": {
       "type": "object",
       "properties": {
-        "configData": {
-          "type": "object"
-        },
-        "env": {
-          "type": "object"
-        },
-        "extraArgs": {
-          "type": "object"
-        },
         "image": {
           "type": "object",
           "properties": {
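Review bot: `create` in the two ConfigMap rules is dead weight: Kubernetes RBAC cannot match a create request against `resourceNames`, because the object's name is not among the request attributes at authorization time, so these rules never authorize creation of `config-image-policies` or `config-sigstore-keys`. The renamed templates `configmap-clusterimagepolicy.yaml` and `config-sigstore-keys.yaml` appear to ship these ConfigMaps with the chart, so the least-privilege fix is to drop the verb, `verbs: ["get", "list", "update", "patch", "watch"]`; if the reconciler must be able to recreate a deleted ConfigMap, `create` needs its own rule without `resourceNames`. The trailing `trustroots` rule duplicates the broader grant the ClusterRole in this patch already makes, and if TrustRoot is cluster-scoped, as that ClusterRole rule suggests, a namespaced Role cannot grant it at all. The file also loses its trailing newline; the `rules:` list starts outside the hunk.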
@@ -50,120 +41,6 @@ "type": "string" } } - }, - "podSecurityContext": { - "type": "object", - "properties": { - "allowPrivilegeEscalation": { - "type": "boolean" - }, - "capabilities": { - "type": "object", - "properties": { - "drop": { - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "enabled": { - "type": "boolean" - }, - "readOnlyRootFilesystem": { - "type": "boolean" - }, - "runAsNonRoot": { - "type": "boolean" - } - } - }, - "replicaCount": { - "type": "integer" - }, - "resources": { - "type": "object", - "properties": { - "limits": { - "type": "object", - "properties": { - "cpu": { - "type": "string" - }, - "memory": { - "type": "string" - } - } - }, - "requests": { - "type": "object", - "properties": { - "cpu": { - "type": "string" - }, - "memory": { - "type": "string" - } - } - } - } - }, - "securityContext": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - }, - "runAsUser": { - "type": "integer" - } - } - }, - "service": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - }, - "port": { - "type": "integer" - }, - "type": { - "type": "string" - } - } - }, - "serviceAccount": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - }, - "create": { - "type": "boolean" - }, - "name": { - "type": "string" - } - } - }, - "volumeMounts": { - "type": "array" - }, - "volumes": { - "type": "array" - }, - "webhookNames": { - "type": "object", - "properties": { - "defaulting": { - "type": "string" - }, - "validating": { - "type": "string" - } - } } } }, @@ -178,6 +55,9 @@ "webhook": { "type": "object", "properties": { + "configData": { + "type": "object" + }, "env": { "type": "object" }, 
@@ -334,22 +214,14 @@ }, "volumes": { "type": "array" - } - } - }, - "leasescleanup": { - "type": "object", - "properties": { - "image": { + }, + "webhookNames": { "type": "object", "properties": { - "pullPolicy": { - "type": "string" - }, - "repository": { + "defaulting": { "type": "string" }, - "version": { + "validating": { "type": "string" } } diff --git a/charts/policy-controller/values.yaml b/charts/policy-controller/values.yaml index ff435d83..01529176 100644 --- a/charts/policy-controller/values.yaml +++ b/charts/policy-controller/values.yaml 
@@ -7,62 +7,21 @@ installCRDs: true imagePullSecrets: [] -policywebhook: - configData: {} - replicaCount: 1 - image: - repository: ghcr.io/sigstore/policy-controller/policy-webhook - # crane digest ghcr.io/sigstore/policy-controller/policy-webhook:v0.7.0 - version: sha256:3a3581032ff69991ddd9f19faf8acd059c8fb0ba8d3b0164a13b99a096880c84 - pullPolicy: IfNotPresent - env: {} - extraArgs: {} - resources: - limits: - cpu: 100m - memory: 256Mi - requests: - cpu: 100m - memory: 128Mi - serviceAccount: - annotations: {} - create: true - name: "" - securityContext: - enabled: false - runAsUser: 65532 - podSecurityContext: - enabled: true - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL - service: - annotations: {} - type: ClusterIP - port: 443 - volumeMounts: [] - volumes: [] - webhookNames: - defaulting: "defaulting.clusterimagepolicy.sigstore.dev" - validating: "validating.clusterimagepolicy.sigstore.dev" - webhook: + configData: {} replicaCount: 1 name: webhook image: repository: ghcr.io/sigstore/policy-controller/policy-controller - # crane digest ghcr.io/sigstore/policy-controller/policy-controller:v0.7.0 - version: sha256:947693aa3a536992bc89f3c7ded8a7707b26cd4518972f293edd3e57e112438e + # crane digest ghcr.io/sigstore/policy-controller/policy-controller:v0.8.0 + version: sha256:e91bcd954394b414d3b80adfc2cefdae84dd7985fb938a895471eb34aac57744 pullPolicy: IfNotPresent env: {} extraArgs: {} resources: limits: - cpu: 100m - memory: 256Mi + cpu: 200m + memory: 512Mi requests: cpu: 100m memory: 128Mi @@ -97,6 +56,9 @@ webhook: operator: In values: ["true"] registryCaBundle: {} + webhookNames: + defaulting: "defaulting.clusterimagepolicy.sigstore.dev" + validating: "validating.clusterimagepolicy.sigstore.dev" leasescleanup: image:
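Review bot: The deleted `policywebhook` block carried an explicit hardening profile (`allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`, `runAsNonRoot: true`, `capabilities.drop: [ALL]`, `runAsUser: 65532`) for the deployment this patch removes; the surviving `webhook` block's `securityContext` and `podSecurityContext` keys are outside the hunk, so confirm the consolidated controller keeps at least that baseline, since it now also carries the CRD and TrustRoot privileges added to the ClusterRole in this patch. Pinning the image by digest with the `# crane digest ...:v0.8.0` comment is the right call; keep the comment and the digest in lockstep on future bumps so the tag it names stays auditable. The `webhook:` map starts outside the hunk.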