Merge pull request #162 from prachidamle/gatekeeper_chart

charts/rancher-gatekeeper-operator/v0.1.0/.helmignore

+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj

charts/rancher-gatekeeper-operator/v0.1.0/Chart.yaml

+apiVersion: v1
+description: A Helm chart for Gatekeeper
+name: rancher-gatekeeper-operator
+keywords:
+  - open policy agent
+version: v0.1.0
+home: https://github.com/open-policy-agent/gatekeeper
+sources:
+  - https://github.com/open-policy-agent/gatekeeper.git
+appVersion: v3.1.0-beta.7

charts/rancher-gatekeeper-operator/v0.1.0/generate_helm_template.sh

+#!/bin/bash
+scriptdir="$(dirname "$0")"
+cd "$scriptdir"
+cp ./../../deploy/gatekeeper.yaml ${PWD}/helm-modifications/_temp.yaml
+kustomize build helm-modifications -o templates/gatekeeper.yaml
+sed -i -E "s/HELMSUBST_DEPLOYMENT_CONTAINER_RESOURCES/\
+\n{{ toYaml .Values.resources | indent 10 }}/" templates/gatekeeper.yaml
+sed -i -E "s/HELMSUBST_DEPLOYMENT_POD_SCHEDULING/\
+\n{{ toYaml .Values.nodeSelector | indent 8 }}\
+\n      affinity:\
+\n{{ toYaml .Values.affinity | indent 8 }}\
+\n      tolerations:\
+\n{{ toYaml .Values.tolerations | indent 8 }}/" templates/gatekeeper.yaml
+sed -i "s/HELMSUBST_DEPLOYMENT_REPLICAS/{{ .Values.replicas }}/g" templates/gatekeeper.yaml
+rm ./helm-modifications/_temp.yaml
+echo "Helm template created under '$PWD/templates'"

charts/rancher-gatekeeper-operator/v0.1.0/questions.yaml

+rancher_min_version: 2.4.0-rc1
\ No newline at end of file

charts/rancher-gatekeeper-operator/v0.1.0/templates/_helpers.tpl

+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "gatekeeper-operator.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "gatekeeper-operator.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "gatekeeper-operator.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "gatekeeper-operator.labels" -}}
+app.kubernetes.io/name: {{ include "gatekeeper-operator.name" . }}
+helm.sh/chart: {{ include "gatekeeper-operator.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{- define "system_default_registry" -}}
+{{- if .Values.global.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}

charts/rancher-gatekeeper-operator/v0.1.0/templates/allowedrepos.yaml

+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+  name: k8sallowedrepos
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sAllowedRepos
+      validation:
+        # Schema for the `parameters` field
+        openAPIV3Schema:
+          properties:
+            repos:
+              type: array
+              items:
+                type: string
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8sallowedrepos
+
+        violation[{"msg": msg}] {
+          container := input.review.object.spec.containers[_]
+          satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
+          not any(satisfied)
+          msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
+        }
+
+        violation[{"msg": msg}] {
+          container := input.review.object.spec.initContainers[_]
+          satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
+          not any(satisfied)
+          msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
+        }
\ No newline at end of file

charts/rancher-gatekeeper-operator/v0.1.0/templates/requiredlabels.yaml

+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+  name: k8srequiredlabels
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sRequiredLabels
+      validation:
+        # Schema for the `parameters` field
+        openAPIV3Schema:
+          properties:
+            message:
+              type: string
+            labels:
+              type: array
+              items:
+                type: object
+                properties:
+                  key:
+                    type: string
+                  allowedRegex:
+                    type: string
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8srequiredlabels
+
+        get_message(parameters, _default) = msg {
+          not parameters.message
+          msg := _default
+        }
+
+        get_message(parameters, _default) = msg {
+          msg := parameters.message
+        }
+
+        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
+          provided := {label | input.review.object.metadata.labels[label]}
+          required := {label | label := input.parameters.labels[_].key}
+          missing := required - provided
+          count(missing) > 0
+          def_msg := sprintf("you must provide labels: %v", [missing])
+          msg := get_message(input.parameters, def_msg)
+        }
+
+        violation[{"msg": msg}] {
+          value := input.review.object.metadata.labels[key]
+          expected := input.parameters.labels[_]
+          expected.key == key
+          # do not match if allowedRegex is not defined, or is an empty string
+          expected.allowedRegex != ""
+          not re_match(expected.allowedRegex, value)
+          def_msg := sprintf("Label <%v: %v> does not satisfy allowed regex: %v", [key, value, expected.allowedRegex])
+          msg := get_message(input.parameters, def_msg)
+        }
\ No newline at end of file

charts/rancher-gatekeeper-operator/v0.1.0/values.yaml

+replicas: 1
+auditInterval: 60
+constraintViolationsLimit: 20
+auditFromCache: false
+image:
+  repository: rancher/opa-gatekeeper
+  tag: v3.1.0-beta.7
+  pullPolicy: IfNotPresent
+nodeSelector: {"beta.kubernetes.io/os": "linux"}
+tolerations: []
+resources:
+  limits:
+    cpu: 1000m
+    memory: 512Mi
+  requests:
+    cpu: 100m
+    memory: 256Mi
+global:
+  systemDefaultRegistry: ""
\ No newline at end of file