From ffed19e838b8b50fcd983caa8ebb0f35f243dd4f Mon Sep 17 00:00:00 2001
From: Bruno Bressi
Date: Tue, 12 Nov 2024 10:50:38 +0100
Subject: [PATCH 1/5] chore: complete validatingwebhookconfiguration
The validating webhook configuration is missing some fields, which are automatically completed by k8s. Those missing fields can sometimes mess up gitops operators, which strictly check which fields are present or not
Signed-off-by: Bruno Bressi
---
 Dockerfile | 2 ++
 chart/Chart.yaml | 14 +++++++-------
 chart/templates/admission.yaml | 3 +++
 3 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 139073fd..d5d536a7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,6 @@
 # build stage
+ARG HTTP_PROXY
+ARG HTTPS_PROXY
 FROM golang:1.23 AS build-env
 WORKDIR /app
 COPY . /app
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
index d076a526..3ddca801 100644
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -2,12 +2,12 @@ apiVersion: v2
 name: cosignwebhook
 description: A Helm chart for Cosign Webhook Admission Controller
 type: application
-version: 4.1.0
+version: 4.1.1
 appVersion: "4.3.0"
 maintainers:
- - name: eumel8
- email: f.kloeker@telekom.de
- url: https://www.telekom.com
- - name: puffitos
- email: bruno.bressi@telekom.de
- url: https://www.telekom.com
+- name: eumel8
+ email: f.kloeker@telekom.de
+ url: https://www.telekom.com
+- name: puffitos
+ email: bruno.bressi@telekom.de
+ url: https://www.telekom.com
diff --git a/chart/templates/admission.yaml b/chart/templates/admission.yaml
index aa556438..324aab23 100644
--- a/chart/templates/admission.yaml
+++ b/chart/templates/admission.yaml
@@ -26,16 +26,19 @@ webhooks:
 - key: kubernetes.io/metadata.name
 operator: NotIn
 values: [{{ .Release.Namespace | default "default" }}{{- if .Values.admission.exclude }},{{ .Values.admission.exclude }}{{- end }}]
+ objectSelector: {}
 clientConfig:
 service:
 name: {{ include "cosignwebhook.fullname" . }}
 namespace: {{ .Release.Namespace | default "default" }}
 path: "/validate"
+ port: 443
 caBundle: {{ $ca.Cert | b64enc }}
 rules:
 - operations: ["CREATE","UPDATE"]
 apiGroups: [""]
 apiVersions: ["v1"]
 resources: ["pods"]
+ scope: "*"
 failurePolicy: {{ .Values.admission.failurePolicy }}
 sideEffects: {{ .Values.admission.sideEffects }}
From 9cf001f069f69d62be86ef658b319fe0c06a1277 Mon Sep 17 00:00:00 2001
From: Bruno Bressi
Date: Tue, 12 Nov 2024 15:30:08 +0100
Subject: [PATCH 2/5] chore: added more fields & default values
Signed-off-by: Bruno Bressi
---
 Makefile | 13 +++++++++++++
 chart/Chart.yaml | 2 +-
 chart/templates/admission.yaml | 3 ++-
 chart/values.yaml | 3 +++
 4 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index eb6a832d..bf8a1694 100644
--- a/Makefile
+++ b/Makefile
@@ -74,3 +74,16 @@ e2e-cleanup:
 @k3d cluster delete cosign-tests || echo "Deleting cosign tests k3d cluster failed. Continuing..."
 @rm -f cosign.pub cosign.key second.pub second.key || echo "Removing files failed. Continuing..."
 @echo "Done."
+
+#############
+### CHART ###
+#############
+
+.PHONY: chart-lint chart
+chart-lint:
+ @echo "Linting chart..."
+ @helm lint chart
+
+chart:
+ @echo "Packaging chart..."
+ @helm package chart
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
index 3ddca801..1b42e80e 100644
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: cosignwebhook
 description: A Helm chart for Cosign Webhook Admission Controller
 type: application
-version: 4.1.1
+version: 4.1.1-rc1
 appVersion: "4.3.0"
 maintainers:
 - name: eumel8
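Review bot: `port: 443` is a hard-coded literal under `clientConfig.service` while the neighbouring `name` and `namespace` are templated, so if the chart's Service is ever exposed on another port the API server cannot reach the webhook and `failurePolicy` alone decides whether unverified pods are admitted. If the chart already has a service-port value, the line should reference it rather than the literal (e.g. `port: {{ .Values.PLACEHOLDER_SERVICE_PORT_VALUE }}`, name to be taken from values.yaml); if it does not, a one-line comment tying 443 to the Service definition would at least make the coupling visible. `scope: "*"` is the API default and fine to spell out, but since the only listed resource is `pods`, `scope: "Namespaced"` would state the intent more tightly. The indentation of the added `objectSelector: {}` cannot be checked from this patch view; the later commit in the series moves it, so it is not re-raised here.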
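Review bot: The new `chart` target packages the chart without linting it first, even though `chart-lint` is introduced in the same hunk; declaring the dependency, `chart: chart-lint`, makes `make chart` fail on a chart that does not lint instead of producing a package from it. Recipe indentation is collapsed to a single space in this patch view, so the tab indentation that Make requires for the `@echo`/`@helm` lines cannot be verified here.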
diff --git a/chart/templates/admission.yaml b/chart/templates/admission.yaml
index 324aab23..20818d0f 100644
--- a/chart/templates/admission.yaml
+++ b/chart/templates/admission.yaml
@@ -21,12 +21,12 @@ webhooks:
 - admissionReviewVersions:
 - v1
 name: {{ .Values.admission.webhook.name }}
+ matchPolicy: {{ .Values.admission.matchPolicy }}
 namespaceSelector:
 matchExpressions:
 - key: kubernetes.io/metadata.name
 operator: NotIn
 values: [{{ .Release.Namespace | default "default" }}{{- if .Values.admission.exclude }},{{ .Values.admission.exclude }}{{- end }}]
- objectSelector: {}
 clientConfig:
 service:
 name: {{ include "cosignwebhook.fullname" . }}
@@ -42,3 +42,4 @@ webhooks:
 scope: "*"
 failurePolicy: {{ .Values.admission.failurePolicy }}
 sideEffects: {{ .Values.admission.sideEffects }}
+ timeoutSeconds: {{ .Values.admission.timeoutSeconds }}
diff --git a/chart/values.yaml b/chart/values.yaml
index d181ffa5..a51ab235 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -25,6 +25,9 @@ admission:
 name: webhook.example.com
 # list of excluded namespaces, comma-separated
 # exclude: default, kube-system, cattle-system
+ exclude: ""
+ matchPolicy: Equivalent
+ timeoutSeconds: 10
 podAnnotations: {}
From 5ed761b681a1a0f051e6189436b7b41fdfd61b43 Mon Sep 17 00:00:00 2001
From: Bruno Bressi
Date: Tue, 12 Nov 2024 15:30:32 +0100
Subject: [PATCH 3/5] fix: readded objectSelector in the correct place
Signed-off-by: Bruno Bressi
---
 chart/Chart.yaml | 2 +-
 chart/templates/admission.yaml | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
index 1b42e80e..7bd80846 100644
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: cosignwebhook
 description: A Helm chart for Cosign Webhook Admission Controller
 type: application
-version: 4.1.1-rc1
+version: 4.1.1-rc2
 appVersion: "4.3.0"
 maintainers:
 - name: eumel8
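Review bot: The added `matchPolicy: {{ .Values.admission.matchPolicy }}` renders the raw value with no fallback, unlike `{{ .Release.Namespace | default "default" }}` a few lines below, so a values file carried over from a chart release that lacks `admission.matchPolicy` renders `matchPolicy:` as null and the server-completed field drifts from the rendered manifest again — the very mismatch this series sets out to remove. `matchPolicy: {{ .Values.admission.matchPolicy | default "Equivalent" }}` keeps the rendered manifest complete regardless of the values file in use. The second hunk of this file (`@@ -42,3 +42,4 @@`) has the same gap for `timeoutSeconds: {{ .Values.admission.timeoutSeconds }}`, where `| default 10` would mirror the default this commit adds to values.yaml.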
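Review bot: `matchPolicy: Equivalent` and `timeoutSeconds: 10` are added without any comment, although both decide what a signature check can miss, while the `exclude` key right above them is documented. Suggest `# Equivalent also intercepts requests made through other API versions of the matched resources; Exact would let those requests bypass the webhook.` above `matchPolicy`, and `# Seconds to wait for the webhook (1-30); on timeout, failurePolicy decides whether the pod is admitted unverified.` above `timeoutSeconds`. The blank lines of this hunk are lost in this patch view (the header counts six old lines, four are visible), so comment placement should be checked against the file.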
diff --git a/chart/templates/admission.yaml b/chart/templates/admission.yaml
index 20818d0f..b054ef32 100644
--- a/chart/templates/admission.yaml
+++ b/chart/templates/admission.yaml
@@ -40,6 +40,7 @@ webhooks:
 apiVersions: ["v1"]
 resources: ["pods"]
 scope: "*"
+ objectSelector: {}
 failurePolicy: {{ .Values.admission.failurePolicy }}
 sideEffects: {{ .Values.admission.sideEffects }}
 timeoutSeconds: {{ .Values.admission.timeoutSeconds }}
From 5f4b83365f41e6531da26a6547820e31fa522051 Mon Sep 17 00:00:00 2001
From: Bruno Bressi
Date: Tue, 12 Nov 2024 15:35:04 +0100
Subject: [PATCH 4/5] chore: bumped to stable
Signed-off-by: Bruno Bressi
---
 chart/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
index 7bd80846..3ddca801 100644
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: cosignwebhook
 description: A Helm chart for Cosign Webhook Admission Controller
 type: application
-version: 4.1.1-rc2
+version: 4.1.1
 appVersion: "4.3.0"
 maintainers:
 - name: eumel8
From 9ba40a6d1b5b4e53c6c70c87fc83fb5fa5971902 Mon Sep 17 00:00:00 2001
From: Bruno Bressi
Date: Tue, 12 Nov 2024 15:36:02 +0100
Subject: [PATCH 5/5] chore: removed unneeded docker variables
Signed-off-by: Bruno Bressi
---
 Dockerfile | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index d5d536a7..4130f64e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,3 @@
-# build stage
-ARG HTTP_PROXY
-ARG HTTPS_PROXY
 FROM golang:1.23 AS build-env
 WORKDIR /app
 COPY . /app
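Review bot: `objectSelector: {}` is re-added without a comment, although it is the setting that makes enforcement cover every pod that survives the `namespaceSelector`; any non-empty label selector placed here would exempt non-matching pods from signature verification, so the empty value deserves to be marked as deliberate. Suggest `# Empty selector on purpose: every pod in a non-excluded namespace is verified; a label selector here would exempt non-matching pods.` above the line. Indentation is not recoverable from this patch view; the field has to sit at the webhook level, as a sibling of `failurePolicy`, not inside the `rules` list entry that precedes it, which is presumably what "the correct place" in the commit title refers to.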