Merge pull request #49 from jiaqiluo/backport-multiple-fixes

rancher · Sep 1, 2021 · ac500f4 · ac500f4
2 parents 61297a3 + 241c4db
commit ac500f4
Show file tree

Hide file tree

Showing 8 changed files with 126 additions and 3 deletions.
diff --git a/charts/rancher-webhook/templates/_helpers.tpl b/charts/rancher-webhook/templates/_helpers.tpl
@@ -4,4 +4,8 @@
 {{- else -}}
 {{- "" -}}
 {{- end -}}
-{{- end -}}
+{{- end -}}
+
+{{- define "rancher-webhook.labels" -}}
+app: rancher-webhook
+{{- end }}
diff --git a/charts/rancher-webhook/templates/pre-delete-hook-cluster-role-binding.yaml b/charts/rancher-webhook/templates/pre-delete-hook-cluster-role-binding.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.preDelete.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: rancher-webhook-pre-delete
+  labels: {{ include "rancher-webhook.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "2"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: rancher-webhook-pre-delete
+subjects:
+  - kind: ServiceAccount
+    name: rancher-webhook-pre-delete
+    namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/charts/rancher-webhook/templates/pre-delete-hook-cluster-role.yaml b/charts/rancher-webhook/templates/pre-delete-hook-cluster-role.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.preDelete.enabled }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: rancher-webhook-pre-delete
+  labels: {{ include "rancher-webhook.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "1"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+rules:
+  - apiGroups: [ "admissionregistration.k8s.io" ]
+    resources: [ "mutatingwebhookconfigurations" ]
+    verbs: [ "delete" ]
+    resourceNames: [ "rancher.cattle.io" ]
+  - apiGroups: [ "" ]
+    resources: [ "serviceaccounts" ]
+    verbs: [ "get" ]
+  - apiGroups: [ "policy" ]
+    resources: [ "podsecuritypolicies" ]
+    verbs: [ "use" ]
+    resourceNames: [ "rancher-webhook-pre-delete" ]
+{{- end }}
diff --git a/charts/rancher-webhook/templates/pre-delete-hook-job.yaml b/charts/rancher-webhook/templates/pre-delete-hook-job.yaml
@@ -0,0 +1,26 @@
+{{- if .Values.preDelete.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: rancher-webhook-pre-delete
+  namespace: {{ .Release.Namespace }}
+  labels: {{ include "rancher-webhook.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "3"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  backoffLimit: 3
+  template:
+    metadata:
+      name: rancher-webhook-pre-delete
+      labels: {{ include "rancher-webhook.labels" . | nindent 8 }}
+    spec:
+      serviceAccountName: rancher-webhook-pre-delete
+      restartPolicy: OnFailure
+      containers:
+        - name: rancher-webhook-pre-delete
+          image: "{{ include "system_default_registry" . }}{{ .Values.preDelete.image.repository }}:{{ .Values.preDelete.image.tag }}"
+          imagePullPolicy: IfNotPresent
+          command: [ "kubectl", "delete", "--ignore-not-found=true", "mutatingwebhookconfigurations", "rancher.cattle.io" ]
+{{- end }}
diff --git a/charts/rancher-webhook/templates/pre-delete-hook-psp.yaml b/charts/rancher-webhook/templates/pre-delete-hook-psp.yaml
@@ -0,0 +1,33 @@
+{{- if .Values.preDelete.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: rancher-webhook-pre-delete
+  labels: {{ include "rancher-webhook.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "1"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+spec:
+  privileged: false
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+  volumes:
+    - 'secret'
+{{- end }}
diff --git a/charts/rancher-webhook/templates/pre-delete-hook-service-account.yaml b/charts/rancher-webhook/templates/pre-delete-hook-service-account.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.preDelete.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: rancher-webhook-pre-delete
+  namespace: {{ .Release.Namespace }}
+  labels: {{ include "rancher-webhook.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "1"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+{{- end }}
diff --git a/charts/rancher-webhook/values.yaml b/charts/rancher-webhook/values.yaml
@@ -5,4 +5,10 @@ image:
 
 global:
   cattle:
-    systemDefaultRegistry: ""
+    systemDefaultRegistry: ""
+
+preDelete:
+  enabled: true
+  image:
+    repository: rancher/kubectl
+    tag: v1.20.2
diff --git a/scripts/package-helm b/scripts/package-helm
@@ -18,7 +18,7 @@ sed -i \
     build/charts/rancher-webhook/Chart.yaml
 
 sed -i \
-    -e 's/tag:.*/tag: '${HELM_TAG}'/' \
+    -e 's/tag: latest/tag: '${HELM_TAG}'/' \
     build/charts/rancher-webhook/values.yaml
 
 helm package -d ./dist/artifacts ./build/charts/rancher-webhook