Helm chart minor release (#487)
Co-authored-by: Kubewarden bot <[email protected]>
github-actions[bot] and chimera-kube-bot authored Jul 24, 2024
1 parent 3831a21 commit 1809ff5
Showing 8 changed files with 179 additions and 30 deletions.
8 changes: 4 additions & 4 deletions charts/kubewarden-controller/Chart.yaml
Expand Up @@ -23,9 +23,9 @@ maintainers:
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 2.2.1
version: 2.3.0-rc1
# This is the version of Kubewarden stack
appVersion: v1.14.0
appVersion: v1.15.0-rc1
annotations:
# required ones:
catalog.cattle.io/certified: rancher # Any application we are adding as a helm chart
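Review bot: The commit title says "minor release", but `version: 2.3.0-rc1` and `appVersion: v1.15.0-rc1` in this hunk are SemVer pre-releases. Helm leaves pre-release versions out of `helm search repo` and of installs without an explicit `--version` unless `--devel` is passed, so users will not pick this chart up by default. Retitle the commit as a release candidate so the history matches what was published.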
Expand All @@ -35,14 +35,14 @@ annotations:
catalog.cattle.io/display-name: Kubewarden # Only for Charts with custom UI
catalog.cattle.io/os: linux # this means linux only, other choice here is "windows". For charts that support both, don't add this annotation
# optional ones:
catalog.cattle.io/auto-install: kubewarden-crds=1.6.0
catalog.cattle.io/auto-install: kubewarden-crds=1.7.0-rc1
catalog.cattle.io/provides-gvr: "policyservers.policies.kubewarden.io/v1" # Declare that this chart provides a type, which other charts may use in `requires-gvr`. Only add to parent, not CRD chart.
# The following two will create a UI warning if the request is not available in cluster
# Assume the most standard setup for your chart. These can be strings with amounts, ie 64Mi or 2Gi are both valid.
catalog.cattle.io/requests-cpu: "250m"
catalog.cattle.io/requests-memory: "50Mi"
catalog.cattle.io/rancher-version: ">= 2.6.0-0 <= 2.9.100-0" # Chart will only be available for users in the specified Rancher version(s), here its 2.5.0-2.5.99. This _must_ use build metadata or it won't work correctly for future RC's.
catalog.cattle.io/upstream-version: 2.2.1
catalog.cattle.io/upstream-version: 2.3.0-rc1
# Valid values for the following annotation include: `cluster-tool`, `app` or `cluster-template`
# See the Cluster Tools section to learn more about when to set this value to `cluster-tool`.
catalog.cattle.io/type: cluster-tool
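Review bot: The trailing comment on the `catalog.cattle.io/rancher-version` context line still says "here its 2.5.0-2.5.99" while the value is `>= 2.6.0-0 <= 2.9.100-0`; correct the comment while this block is being touched. Separately, `catalog.cattle.io/auto-install: kubewarden-crds=1.7.0-rc1` pins an exact pre-release, so the CRD chart at that version has to be published to the same catalog together with this chart.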
4 changes: 2 additions & 2 deletions charts/kubewarden-controller/values.yaml
Expand Up @@ -151,7 +151,7 @@ image:
# controller image to be used
repository: "kubewarden/kubewarden-controller"
# image tag
tag: v1.14.0
tag: v1.15.0-rc1
pullPolicy: IfNotPresent
preDeleteJob:
image:
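Review bot: The controller image at `tag: v1.15.0-rc1` is referenced by tag only, with `pullPolicy: IfNotPresent`, so a node that already holds an image under that tag keeps using it even if the tag is pushed again, and nothing in these values ties the deployment to specific image content. For an admission controller, consider referencing the image by digest for released charts, or state in the release notes how the image for this tag is verified.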
Expand Down Expand Up @@ -205,7 +205,7 @@ auditScanner:
# The registry is defined in the common.cattle.systemDefaultRegistry value
# kubectl image to be used in the pre-delete helm hook
repository: "kubewarden/audit-scanner"
tag: v1.14.0
tag: v1.15.0-rc1
pullPolicy: IfNotPresent
cronJob:
schedule: "*/60 * * * *" # every 60 minutes
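Review bot: The comment above `repository: "kubewarden/audit-scanner"` reads "kubectl image to be used in the pre-delete helm hook", which describes the `preDeleteJob` image, not the audit scanner; it looks copied from the earlier block and should describe the audit-scanner image instead. Minor: in `schedule: "*/60 * * * *"` a step of 60 in the minute field only ever matches minute 0, so `0 * * * *` states the same schedule more plainly.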
6 changes: 3 additions & 3 deletions charts/kubewarden-crds/Chart.yaml
Expand Up @@ -22,9 +22,9 @@ keywords:
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 1.6.0
version: 1.7.0-rc1
# This is the version of Kubewarden stack
appVersion: v1.14.0
appVersion: v1.15.0-rc1
annotations:
# required ones:
catalog.cattle.io/certified: rancher # Any application we are adding as a helm chart
Expand All @@ -33,7 +33,7 @@ annotations:
catalog.cattle.io/os: linux # this means linux only, other choice here is "windows". For charts that support both, don't add this annotation
# optional ones:
catalog.cattle.io/hidden: "true" # Hide specific charts. Only use on CRD charts.
catalog.cattle.io/upstream-version: 1.6.0
catalog.cattle.io/upstream-version: 1.7.0-rc1
# Valid values for the following annotation include: `cluster-tool`, `app` or `cluster-template`
# See the Cluster Tools section to learn more about when to set this value to `cluster-tool`.
catalog.cattle.io/type: cluster-tool
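Review bot: The string `1.7.0-rc1` now has to agree in three places: `version` and `catalog.cattle.io/upstream-version` in this file, and `catalog.cattle.io/auto-install: kubewarden-crds=1.7.0-rc1` in the controller chart. Since the bump is made by a bot across separate files, a CI check that these values match would catch a partial bump before the charts are published.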
62 changes: 58 additions & 4 deletions charts/kubewarden-crds/templates/admissionpolicies.yaml
Expand Up @@ -72,7 +72,7 @@ spec:
metadata:
type: object
spec:
description: AdmissionPolicySpec defines the desired state of AdmissionPolicy
description: AdmissionPolicySpec defines the desired state of AdmissionPolicy.
properties:
backgroundAudit:
default: true
Expand All @@ -92,6 +92,60 @@ spec:
fail and the API request to be rejected.
The default behaviour is "Fail"
type: string
matchConditions:
description: |-
MatchConditions is a list of conditions that must be met for a request to be
validated. Match conditions filter requests that have already been matched by
the rules, namespaceSelector, and objectSelector. An empty list of
matchConditions matches all requests. There are a maximum of 64 match
conditions allowed. If a parameter object is provided, it can be accessed via
the `params` handle in the same manner as validation expressions. The exact
matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE,
the policy is skipped. 2. If ALL matchConditions evaluate to TRUE, the policy
is evaluated. 3. If any matchCondition evaluates to an error (but none are
FALSE): - If failurePolicy=Fail, reject the request - If
failurePolicy=Ignore, the policy is skipped
Only available if the feature gate AdmissionWebhookMatchConditions is enabled.
items:
description: MatchCondition represents a condition which must by
fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
Required.
type: string
name:
description: |-
Name is an identifier for this match condition, used for strategic merging of MatchConditions,
as well as providing an identifier for logging purposes. A good name should be descriptive of
the associated expression.
Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
Required.
type: string
required:
- expression
- name
type: object
type: array
matchPolicy:
description: |-
matchPolicy defines how the "rules" list is used to match incoming requests.
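Review bot: The `matchConditions` description states "There are a maximum of 64 match conditions allowed", but the array schema ends at `type: array` with no `maxItems: 64`, so the CRD itself will accept longer lists and the limit is only enforced later, if at all. Add `maxItems: 64` so an oversized list is rejected when the policy is created. Two documentation points in the same hunk: the top-level description mentions a `params` handle that the variable list under `expression` (`object`, `oldObject`, `request`, `authorizer`, `authorizer.requestResource`) does not include, and the item description has a typo, "must by fulfilled".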
Expand Down Expand Up @@ -310,7 +364,7 @@ spec:
type: object
status:
description: PolicyStatus defines the observed state of ClusterAdmissionPolicy
and AdmissionPolicy
and AdmissionPolicy.
properties:
conditions:
description: |-
Expand Down Expand Up @@ -461,7 +515,7 @@ spec:
metadata:
type: object
spec:
description: AdmissionPolicySpec defines the desired state of AdmissionPolicy
description: AdmissionPolicySpec defines the desired state of AdmissionPolicy.
properties:
failurePolicy:
description: |-
Expand Down Expand Up @@ -689,7 +743,7 @@ spec:
type: object
status:
description: PolicyStatus defines the observed state of ClusterAdmissionPolicy
and AdmissionPolicy
and AdmissionPolicy.
properties:
conditions:
description: |-
64 changes: 59 additions & 5 deletions charts/kubewarden-crds/templates/clusteradmissionpolicies.yaml
Expand Up @@ -73,7 +73,7 @@ spec:
metadata:
type: object
spec:
description: ClusterAdmissionPolicySpec defines the desired state of ClusterAdmissionPolicy
description: ClusterAdmissionPolicySpec defines the desired state of ClusterAdmissionPolicy.
properties:
backgroundAudit:
default: true
Expand All @@ -89,7 +89,7 @@ spec:
Access to these resources is done using the `ServiceAccount` of the PolicyServer
the policy is assigned to.
items:
description: ContextAwareResource identifies a Kubernetes resource
description: ContextAwareResource identifies a Kubernetes resource.
properties:
apiVersion:
description: apiVersion of the resource (v1 for core group,
Expand All @@ -113,6 +113,60 @@ spec:
fail and the API request to be rejected.
The default behaviour is "Fail"
type: string
matchConditions:
description: |-
MatchConditions is a list of conditions that must be met for a request to be
validated. Match conditions filter requests that have already been matched by
the rules, namespaceSelector, and objectSelector. An empty list of
matchConditions matches all requests. There are a maximum of 64 match
conditions allowed. If a parameter object is provided, it can be accessed via
the `params` handle in the same manner as validation expressions. The exact
matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE,
the policy is skipped. 2. If ALL matchConditions evaluate to TRUE, the policy
is evaluated. 3. If any matchCondition evaluates to an error (but none are
FALSE): - If failurePolicy=Fail, reject the request - If
failurePolicy=Ignore, the policy is skipped
Only available if the feature gate AdmissionWebhookMatchConditions is enabled.
items:
description: MatchCondition represents a condition which must by
fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
Required.
type: string
name:
description: |-
Name is an identifier for this match condition, used for strategic merging of MatchConditions,
as well as providing an identifier for logging purposes. A good name should be descriptive of
the associated expression.
Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
Required.
type: string
required:
- expression
- name
type: object
type: array
matchPolicy:
description: |-
matchPolicy defines how the "rules" list is used to match incoming requests.
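Review bot: The matching logic in the `matchConditions` description is flattened into one paragraph ("1. If ANY ... 2. If ALL ... 3. If any ... - If failurePolicy=Fail ... - If failurePolicy=Ignore"), which buries the two cases where the policy is skipped: any condition evaluating to FALSE, and an evaluation error under `failurePolicy=Ignore`. For a ClusterAdmissionPolicy both cases mean the request is admitted without this policy running, so put each step on its own line inside the `|-` block and call out the error case explicitly. The text also says the field is "Only available if the feature gate AdmissionWebhookMatchConditions is enabled"; document what users should expect on clusters where it is not.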
Expand Down Expand Up @@ -422,7 +476,7 @@ spec:
type: object
status:
description: PolicyStatus defines the observed state of ClusterAdmissionPolicy
and AdmissionPolicy
and AdmissionPolicy.
properties:
conditions:
description: |-
Expand Down Expand Up @@ -574,7 +628,7 @@ spec:
metadata:
type: object
spec:
description: ClusterAdmissionPolicySpec defines the desired state of ClusterAdmissionPolicy
description: ClusterAdmissionPolicySpec defines the desired state of ClusterAdmissionPolicy.
properties:
failurePolicy:
description: |-
Expand Down Expand Up @@ -893,7 +947,7 @@ spec:
type: object
status:
description: PolicyStatus defines the observed state of ClusterAdmissionPolicy
and AdmissionPolicy
and AdmissionPolicy.
properties:
conditions:
description: |-
54 changes: 48 additions & 6 deletions charts/kubewarden-crds/templates/policyservers.yaml
Expand Up @@ -25,7 +25,7 @@ spec:
name: v1
schema:
openAPIV3Schema:
description: PolicyServer is the Schema for the policyservers API
description: PolicyServer is the Schema for the policyservers API.
properties:
apiVersion:
description: |-
Expand All @@ -45,7 +45,7 @@ spec:
metadata:
type: object
spec:
description: PolicyServerSpec defines the desired state of PolicyServer
description: PolicyServerSpec defines the desired state of PolicyServer.
properties:
affinity:
description: Affinity rules for the associated Policy Server pods.
Expand Down Expand Up @@ -1579,6 +1579,48 @@ spec:
`sources.yaml`. Reference for `sources.yaml` is found in the Kubewarden
documentation in the reference section.
type: object
tolerations:
description: |-
Tolerations describes the policy server pod's tolerations. It can be
user to ensure that the policy server pod is not scheduled onto a
node with a taint.
items:
description: |-
The pod this Toleration is attached to tolerates any taint that matches
the triple <key,value,effect> using the matching operator <operator>.
properties:
effect:
description: |-
Effect indicates the taint effect to match. Empty means match all taint effects.
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
description: |-
Key is the taint key that the toleration applies to. Empty means match all taint keys.
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
type: string
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists and Equal. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
type: string
tolerationSeconds:
description: |-
TolerationSeconds represents the period of time the toleration (which must be
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
it is not set, which means tolerate the taint forever (do not evict). Zero and
negative values will be treated as 0 (evict immediately) by the system.
format: int64
type: integer
value:
description: |-
Value is the taint value the toleration matches to.
If the operator is Exists, the value should be empty, otherwise just a regular string.
type: string
type: object
type: array
verificationConfig:
description: |-
Name of VerificationConfig configmap in the same namespace, containing
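Review bot: The `tolerations` description says it "can be user to ensure that the policy server pod is not scheduled onto a node with a taint", which is the opposite of what the item description right below it states ("The pod this Toleration is attached to tolerates any taint that matches ..."). Tolerations permit scheduling onto tainted nodes; reword to that effect and fix "user" to "used". It is also worth noting in the field docs that, per the `key` description, an empty key with operator `Exists` matches all taints, which lets the policy server land on any tainted node.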
Expand All @@ -1590,7 +1632,7 @@ spec:
- replicas
type: object
status:
description: PolicyServerStatus defines the observed state of PolicyServer
description: PolicyServerStatus defines the observed state of PolicyServer.
properties:
conditions:
description: |-
Expand Down Expand Up @@ -1690,7 +1732,7 @@ spec:
name: v1alpha2
schema:
openAPIV3Schema:
description: PolicyServer is the Schema for the policyservers API
description: PolicyServer is the Schema for the policyservers API.
properties:
apiVersion:
description: |-
Expand All @@ -1710,7 +1752,7 @@ spec:
metadata:
type: object
spec:
description: PolicyServerSpec defines the desired state of PolicyServer
description: PolicyServerSpec defines the desired state of PolicyServer.
properties:
annotations:
additionalProperties:
Expand Down Expand Up @@ -1893,7 +1935,7 @@ spec:
- replicas
type: object
status:
description: PolicyServerStatus defines the observed state of PolicyServer
description: PolicyServerStatus defines the observed state of PolicyServer.
properties:
conditions:
description: |-