From f37e0e05adf7c1ae8d1e537035fb1c228be6831b Mon Sep 17 00:00:00 2001
From: Laszlo Uveges
Date: Tue, 19 Nov 2024 12:31:53 +0100
Subject: [PATCH] Bump app-operator to v7.0.0, chart-operator to v4.0.0 and remove PSP support
---
 helm/cluster-apps-operator/templates/psp.yaml | 35 -------------------
 .../cluster-apps-operator/templates/rbac.yaml | 33 -----------------
 helm/cluster-apps-operator/values.schema.json | 13 -------
 helm/cluster-apps-operator/values.yaml | 8 ++---
 .../resource/clustersecret/vsphere_test.go | 8 -----
 5 files changed, 2 insertions(+), 95 deletions(-)
 delete mode 100644 helm/cluster-apps-operator/templates/psp.yaml
diff --git a/helm/cluster-apps-operator/templates/psp.yaml b/helm/cluster-apps-operator/templates/psp.yaml
deleted file mode 100644
index b773bafb..00000000
--- a/helm/cluster-apps-operator/templates/psp.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-{{- if not (((.Values.global).podSecurityStandards).enforced) }}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: {{ include "resource.psp.name" . }}
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
- labels:
- {{- include "labels.common" . | nindent 4 }}
-spec:
- privileged: false
- fsGroup:
- rule: MustRunAs
- ranges:
- - min: 1
- max: 65535
- runAsUser:
- rule: MustRunAsNonRoot
- runAsGroup:
- rule: MustRunAs
- ranges:
- - min: 1
- max: 65535
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- volumes:
- - 'secret'
- - 'configMap'
- allowPrivilegeEscalation: false
- hostNetwork: false
- hostIPC: false
- hostPID: false
-{{- end }}
diff --git a/helm/cluster-apps-operator/templates/rbac.yaml b/helm/cluster-apps-operator/templates/rbac.yaml
index bc0949fd..4b56ca32 100644
--- a/helm/cluster-apps-operator/templates/rbac.yaml
+++ b/helm/cluster-apps-operator/templates/rbac.yaml
@@ -129,36 +129,3 @@ roleRef:
 kind: ClusterRole
 name: {{ include "resource.default.name" . }}
 apiGroup: rbac.authorization.k8s.io
----
-{{- if not (((.Values.global).podSecurityStandards).enforced) }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: {{ include "resource.psp.name" . }}
- labels:
- {{- include "labels.common" . | nindent 4 }}
-rules:
- - apiGroups:
- - extensions
- resources:
- - podsecuritypolicies
- verbs:
- - use
- resourceNames:
- - {{ include "resource.psp.name" . }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ include "resource.psp.name" . }}
- labels:
- {{- include "labels.common" . | nindent 4 }}
-subjects:
- - kind: ServiceAccount
- name: {{ include "resource.default.name" . }}
- namespace: {{ include "resource.default.namespace" . }}
-roleRef:
- kind: ClusterRole
- name: {{ include "resource.psp.name" . }}
- apiGroup: rbac.authorization.k8s.io
-{{- end }}
diff --git a/helm/cluster-apps-operator/values.schema.json b/helm/cluster-apps-operator/values.schema.json
index cb8d3649..c8bbb398 100644
--- a/helm/cluster-apps-operator/values.schema.json
+++ b/helm/cluster-apps-operator/values.schema.json
@@ -65,19 +65,6 @@
 }
 }
 },
- "global": {
- "type": "object",
- "properties": {
- "podSecurityStandards": {
- "type": "object",
- "properties": {
- "enforced": {
- "type": "boolean"
- }
- }
- }
- }
- },
 "image": {
 "type": "object",
 "properties": {
diff --git a/helm/cluster-apps-operator/values.yaml b/helm/cluster-apps-operator/values.yaml
index 7cd0a25b..b1fa5ca0 100644
--- a/helm/cluster-apps-operator/values.yaml
+++ b/helm/cluster-apps-operator/values.yaml
@@ -2,13 +2,13 @@ appOperator:
 catalog: control-plane-catalog
 # used by renovate
 # repo: giantswarm/app-operator
- version: 6.11.0
+ version: 7.0.0
 chartOperator:
 catalog: default
 # used by renovate
 # repo: giantswarm/chart-operator
- version: 3.3.0
+ version: 4.0.0
 baseDomain: ""
@@ -84,7 +84,3 @@ serviceMonitor:
 interval: "60s"
 # -- (duration) Prometheus scrape timeout.
 scrapeTimeout: "45s"
-
-global:
- podSecurityStandards:
- enforced: false
diff --git a/service/controller/resource/clustersecret/vsphere_test.go b/service/controller/resource/clustersecret/vsphere_test.go
index af1be5e1..042354e4 100644
--- a/service/controller/resource/clustersecret/vsphere_test.go
+++ b/service/controller/resource/clustersecret/vsphere_test.go
@@ -100,8 +100,6 @@ func getValuesProxyEnabled() string {
 global:
 release:
 version: 1.2.3
- podSecurityStandards:
- enforced: true
 connectivity:
 baseDomain: test.example.io
 proxy:
@@ -119,8 +117,6 @@ func getValuesProxyDisabled() string {
 global:
 release:
 version: 1.2.3
- podSecurityStandards:
- enforced: true
 connectivity:
 baseDomain: test.example.io
 proxy:
@@ -135,8 +131,6 @@ func getValuesProxyNotDefined() string {
 global:
 release:
 version: 1.2.3
- podSecurityStandards:
- enforced: true
 connectivity:
 baseDomain: test.example.io
 availabilityZoneUsageLimit: 3
@@ -149,8 +143,6 @@ func getValuesProxyEmpty() string {
 global:
 release:
 version: 1.2.3
- podSecurityStandards:
- enforced: true
 connectivity:
 baseDomain: test.example.io
 proxy: