open-policy-agent
diff --git a/‎Makefile‎
Lines changed: 2 additions & 2 deletions b/‎Makefile‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎cmd/build/helmify/delete-ports.yaml‎
Lines changed: 5 additions & 0 deletions b/‎cmd/build/helmify/delete-ports.yaml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎cmd/build/helmify/kustomization.yaml‎
Lines changed: 1 addition & 1 deletion b/‎cmd/build/helmify/kustomization.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎cmd/build/helmify/kustomize-for-helm.yaml‎
Lines changed: 6 additions & 3 deletions b/‎cmd/build/helmify/kustomize-for-helm.yaml‎
Lines changed: 6 additions & 3 deletions
diff --git a/‎cmd/build/helmify/replacements.go‎
Lines changed: 3 additions & 3 deletions b/‎cmd/build/helmify/replacements.go‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎cmd/gator/test/test.go‎
Lines changed: 2 additions & 2 deletions b/‎cmd/gator/test/test.go‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎config/default/kustomization.yaml‎
Lines changed: 1 addition & 1 deletion b/‎config/default/kustomization.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎main.go‎
Lines changed: 14 additions & 6 deletions b/‎main.go‎
Lines changed: 14 additions & 6 deletions
@@ -31,7 +31,7 @@ KIND_VERSION ?= 0.29.0
 KIND_CLUSTER_FILE ?= ""
 # note: k8s version pinned since KIND image availability lags k8s releases
 KUBERNETES_VERSION ?= 1.33.0
-KUSTOMIZE_VERSION ?= 3.8.9
+KUSTOMIZE_VERSION ?= 5.6.0
 BATS_VERSION ?= 1.13.0
 ORAS_VERSION ?= 1.3.1
 BATS_TESTS_FILE ?= test/bats/test.bats
@@ -400,7 +400,7 @@ manifests: __controller-gen
 		/gatekeeper/config/default -o /gatekeeper/manifest_staging/deploy/gatekeeper.yaml
 	docker run --rm -v $(shell pwd):/gatekeeper \
 		registry.k8s.io/kustomize/kustomize:v${KUSTOMIZE_VERSION} build \
-		--load_restrictor LoadRestrictionsNone /gatekeeper/cmd/build/helmify | go run cmd/build/helmify/*.go
+		--load-restrictor LoadRestrictionsNone /gatekeeper/cmd/build/helmify | go run cmd/build/helmify/*.go
 
 # lint runs a dockerized golangci-lint, and should give consistent results
 # across systems.
 
@@ -10,10 +10,13 @@ spec:
         - name: manager
           ports:
             - containerPort: 8888
+              protocol: TCP
               $patch: delete
             - containerPort: 8443
+              protocol: TCP
               $patch: delete
             - containerPort: 9090
+              protocol: TCP
               $patch: delete
 ---
 kind: Deployment
@@ -28,6 +31,8 @@ spec:
         - name: manager
           ports:
             - containerPort: 8888
+              protocol: TCP
               $patch: delete
             - containerPort: 9090
+              protocol: TCP
               $patch: delete
@@ -4,7 +4,7 @@ commonLabels:
   chart: '{{ template "gatekeeper.name" . }}'
   release: "{{ .Release.Name }}"
   heritage: "{{ .Release.Service }}"
-bases:
+resources:
   - "../../../config/default"
 patchesStrategicMerge:
   - kustomize-for-helm.yaml
 
@@ -276,7 +276,8 @@ spec:
 apiVersion: v1
 kind: Secret
 metadata:
-  annotations: HELMSUBST_SECRET_ANNOTATIONS
+  annotations:
+    HELMSUBST_SECRET_ANNOTATIONS: ""
   name: gatekeeper-webhook-server-cert
   namespace: gatekeeper-system
 ---
@@ -286,7 +287,8 @@ metadata:
   labels:
     gatekeeper.sh/system: "yes"
   name: gatekeeper-mutating-webhook-configuration
-  annotations: HELMSUBST_MUTATING_WEBHOOK_ANNOTATIONS
+  annotations:
+    HELMSUBST_MUTATING_WEBHOOK_ANNOTATIONS: ""
 webhooks:
 - clientConfig:
     service:
@@ -315,7 +317,8 @@ metadata:
   labels:
     gatekeeper.sh/system: "yes"
   name: gatekeeper-validating-webhook-configuration
-  annotations: HELMSUBST_VALIDATING_WEBHOOK_ANNOTATIONS
+  annotations:
+    HELMSUBST_VALIDATING_WEBHOOK_ANNOTATIONS: ""
 webhooks:
 - clientConfig:
     service:
 
@@ -110,7 +110,7 @@ var replacements = map[string]string{
 
 	"- HELMSUBST_DEPLOYMENT_AUDIT_LOG_STATS_ADMISSION": `{{ if hasKey .Values "logStatsAudit" }}- --log-stats-audit={{ .Values.logStatsAudit }}{{- end }}`,
 
-	"HELMSUBST_SECRET_ANNOTATIONS": `{{- toYaml .Values.secretAnnotations | trim | nindent 4 }}`,
+	`HELMSUBST_SECRET_ANNOTATIONS: ""`: `{{- toYaml .Values.secretAnnotations | trim | nindent 4 }}`,
 
 	"- HELMSUBST_TLS_HEALTHCHECK_ENABLED_ARG": `{{ if .Values.enableTLSHealthcheck}}- --enable-tls-healthcheck{{- end }}`,
 
@@ -159,7 +159,7 @@ var replacements = map[string]string{
 
 	"HELMSUBST_MUTATING_WEBHOOK_REINVOCATION_POLICY": `{{ .Values.mutatingWebhookReinvocationPolicy }}`,
 
-	"HELMSUBST_MUTATING_WEBHOOK_ANNOTATIONS": `{{- toYaml .Values.mutatingWebhookAnnotations | trim | nindent 4 }}`,
+	`HELMSUBST_MUTATING_WEBHOOK_ANNOTATIONS: ""`: `{{- toYaml .Values.mutatingWebhookAnnotations | trim | nindent 4 }}`,
 
 	"- HELMSUBST_MUTATING_WEBHOOK_EXEMPT_NAMESPACE_LABELS": `
     {{- /* 1. Get mandatory exemption from helper */ -}}
@@ -216,7 +216,7 @@ var replacements = map[string]string{
 
 	"HELMSUBST_VALIDATING_WEBHOOK_FAILURE_POLICY": `{{ .Values.validatingWebhookFailurePolicy }}`,
 
-	"HELMSUBST_VALIDATING_WEBHOOK_ANNOTATIONS": `{{- toYaml .Values.validatingWebhookAnnotations | trim | nindent 4 }}`,
+	`HELMSUBST_VALIDATING_WEBHOOK_ANNOTATIONS: ""`: `{{- toYaml .Values.validatingWebhookAnnotations | trim | nindent 4 }}`,
 
 	"HELMSUBST_VALIDATING_WEBHOOK_MATCHEXPRESSION_METADATANAME": `key: kubernetes.io/metadata.name
       operator: NotIn
 
@@ -89,7 +89,7 @@ func run(_ *cobra.Command, _ []string) {
 		cmdutils.ErrFatalf("no input data identified")
 	}
 
-	var printBuf bytes.Buffer
+	printBuf := gator.NewPrintBuffer(gator.DefaultPrintBufferLimit)
 
 	var opts []gator.Opt
 	if flagIncludeTrace {
@@ -102,7 +102,7 @@ func run(_ *cobra.Command, _ []string) {
 		opts = append(opts, test.WithK8sCEL(flagGatherStats))
 	}
 	if flagVerbose {
-		opts = append(opts, gator.WithPrintHook(&printBuf))
+		opts = append(opts, gator.WithPrintHook(printBuf))
 	}
 
 	responses, err := test.Test(unstrucs, opts...)
 
@@ -12,7 +12,7 @@ namePrefix: gatekeeper-
 commonLabels:
   gatekeeper.sh/system: "yes"
 
-bases:
+resources:
 - ../crd
 - ../rbac
 - ../manager
 
@@ -305,14 +305,22 @@ func innerMain() int {
 		return 1
 	}
 
-	// only setup healthcheck when flag is set and available webhook count > 0
-	if len(webhooks) > 0 && *enableTLSHealthcheck {
-		tlsChecker := webhook.NewTLSChecker(*certDir, *port)
-		setupLog.Info("setting up TLS healthcheck probe")
-		if err := mgr.AddHealthzCheck("tls-check", tlsChecker); err != nil {
-			setupLog.Error(err, "unable to create tls health check")
+	if len(webhooks) > 0 {
+		tlsChecker := webhook.NewTLSChecker(*certDir, *host, *port)
+		setupLog.Info("setting up TLS readiness probe")
+		if err := mgr.AddReadyzCheck("tls-check", tlsChecker); err != nil {
+			setupLog.Error(err, "unable to create tls readiness check")
 			return 1
 		}
+
+		// only setup healthcheck when flag is set
+		if *enableTLSHealthcheck {
+			setupLog.Info("setting up TLS healthcheck probe")
+			if err := mgr.AddHealthzCheck("tls-check", tlsChecker); err != nil {
+				setupLog.Error(err, "unable to create tls health check")
+				return 1
+			}
+		}
 	}
 
 	// Setup controllers asynchronously, they will block for certificate generation if needed.
Original file line number	Diff line number	Diff line change
`@@ -89,7 +89,7 @@ func run(_ *cobra.Command, _ []string) {`
`89`	`89`	`cmdutils.ErrFatalf("no input data identified")`
`90`	`90`	`}`
`91`	`91`
`92`		`- var printBuf bytes.Buffer`
	`92`	`+ printBuf := gator.NewPrintBuffer(gator.DefaultPrintBufferLimit)`
`93`	`93`
`94`	`94`	`var opts []gator.Opt`
`95`	`95`	`if flagIncludeTrace {`
`@@ -102,7 +102,7 @@ func run(_ *cobra.Command, _ []string) {`
`102`	`102`	`opts = append(opts, test.WithK8sCEL(flagGatherStats))`
`103`	`103`	`}`
`104`	`104`	`if flagVerbose {`
`105`		`- opts = append(opts, gator.WithPrintHook(&printBuf))`
	`105`	`+ opts = append(opts, gator.WithPrintHook(printBuf))`
`106`	`106`	`}`
`107`	`107`
`108`	`108`	`responses, err := test.Test(unstrucs, opts...)`