From 4dd47c341f3e3f681c6873e89ee82019c449867b Mon Sep 17 00:00:00 2001
From: Francesco Ilario
Date: Fri, 16 May 2025 11:23:44 +0200
Subject: [PATCH] disable non required kyverno Jobs
This change disables in staging some jobs that are not required in our setup:
* remove-configmap: https://github.com/kyverno/kyverno/blob/main/charts/kyverno/templates/hooks/post-delete-configmap.yaml
* scale-to-zero: https://github.com/kyverno/kyverno/blob/main/charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml
* clean-reports: https://github.com/kyverno/kyverno/blob/main/charts/kyverno/templates/hooks/post-upgrade-clean-reports.yaml
Signed-off-by: Francesco Ilario
---
 .../kyverno/development/kustomization.yaml | 48 -------------------
 .../development/kyverno-helm-values.yaml | 2 +
 .../stone-stage-p01/kustomization.yaml | 48 -------------------
 .../stone-stage-p01/kyverno-helm-values.yaml | 3 ++
 .../staging/stone-stg-rh01/kustomization.yaml | 48 -------------------
 .../stone-stg-rh01/kyverno-helm-values.yaml | 3 ++
 6 files changed, 8 insertions(+), 144 deletions(-)
diff --git a/components/kyverno/development/kustomization.yaml b/components/kyverno/development/kustomization.yaml
index 54d92f50a38..31467805a37 100644
--- a/components/kyverno/development/kustomization.yaml
+++ b/components/kyverno/development/kustomization.yaml
@@ -10,24 +10,6 @@ replacements:
 # enforce serviceAccountName is used instead of serviceAccount in Jobs
 # TODO: these replacements can be removed when bumping to kyverno:1.14
 # https://github.com/kyverno/kyverno/pull/12158
- - source:
- group: batch
- version: v1
- kind: Job
- name: konflux-kyverno-clean-reports
- namespace: konflux-kyverno
- fieldPath: spec.template.spec.serviceAccount
- targets:
- - select:
- group: batch
- version: v1
- kind: Job
- namespace: konflux-kyverno
- name: konflux-kyverno-clean-reports
- fieldPaths:
- - spec.template.spec.serviceAccountName
- options:
- create: true
 - source:
 group: batch
 version: v1
@@ -46,42 +28,12 @@ replacements: - spec.template.spec.serviceAccountName options: create: true - - source: - group: batch - version: v1 - kind: Job - name: konflux-kyverno-remove-configmap - namespace: konflux-kyverno - fieldPath: spec.template.spec.serviceAccount - targets: - - select: - group: batch - version: v1 - kind: Job - namespace: konflux-kyverno - name: konflux-kyverno-remove-configmap - fieldPaths: - - spec.template.spec.serviceAccountName - options: - create: true # set resources to jobs patches: - - path: job_resources.yaml - target: - group: batch - version: v1 - kind: Job - name: konflux-kyverno-clean-reports - path: job_resources.yaml target: group: batch version: v1 kind: Job name: konflux-kyverno-migrate-resources - - path: job_resources.yaml - target: - group: batch - version: v1 - kind: Job - name: konflux-kyverno-remove-configmap diff --git a/components/kyverno/development/kyverno-helm-values.yaml b/components/kyverno/development/kyverno-helm-values.yaml index 52426d2866b..8c9392db12b 100644 --- a/components/kyverno/development/kyverno-helm-values.yaml +++ b/components/kyverno/development/kyverno-helm-values.yaml @@ -3,6 +3,7 @@ fullnameOverride: konflux-kyverno namespaceOverride: konflux-kyverno config: updateRequestThreshold: 2000 + preserve: false admissionController: replicas: 1 initContainer: @@ -61,6 +62,7 @@ reportsController: drop: - "ALL" policyReportsCleanup: + enabled: false securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true diff --git a/components/kyverno/staging/stone-stage-p01/kustomization.yaml b/components/kyverno/staging/stone-stage-p01/kustomization.yaml index 54d92f50a38..31467805a37 100644 --- a/components/kyverno/staging/stone-stage-p01/kustomization.yaml +++ b/components/kyverno/staging/stone-stage-p01/kustomization.yaml 
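Review bot: The added `preserve: false` under `config:` in development/kyverno-helm-values.yaml (hunk `@@ -3,6 +3,7 @@`; the same flag is added with a new `config:` key in both staging values files) has no comment saying it is there to switch off the remove-configmap hook, and as far as I recall the upstream chart the same flag also controls whether the Kyverno ConfigMap gets the `helm.sh/resource-policy: keep` annotation, so it likely changes more than the Job. I would add a comment above it such as `# preserve=false drops the post-delete remove-configmap hook Job; the ConfigMap is then no longer kept on uninstall`, after confirming that second effect against the chart version pinned here. The commit message also names scale-to-zero and says "in staging", but no visible hunk adds a switch for that hook (upstream it appears to be gated by `webhooksCleanup.enabled`) and this file is the development overlay, so it is worth confirming whether that hook is already off elsewhere or meant to stay on. The `config:` block continues outside the hunk.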
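Review bot: The `enabled: false` added under `policyReportsCleanup:` (hunk `@@ -61,6 +62,7 @@` here, and `@@ -66,6 +68,7 @@` in both staging values files) has no comment explaining why the hook is off, and the keys that follow it (`securityContext:` here, `image:` / `registry: mirror.gcr.io` in staging) now configure a Job that is presumably never rendered. I would add `# post-upgrade clean-reports hook Job is not required in our setup` above the flag and either remove the leftover sub-keys or mark them as kept for re-enabling. Because the kustomization still carries a TODO about bumping to kyverno:1.14, the comment could also say that policy reports left by the old version will presumably not be cleaned up automatically on that upgrade. The `policyReportsCleanup:` block runs past the end of the hunk.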
@@ -10,24 +10,6 @@ replacements: # enforce serviceAccountName is used instead of serviceAccount in Jobs # TODO: these replacements can be removed when bumping to kyverno:1.14 # https://github.com/kyverno/kyverno/pull/12158 - - source: - group: batch - version: v1 - kind: Job - name: konflux-kyverno-clean-reports - namespace: konflux-kyverno - fieldPath: spec.template.spec.serviceAccount - targets: - - select: - group: batch - version: v1 - kind: Job - namespace: konflux-kyverno - name: konflux-kyverno-clean-reports - fieldPaths: - - spec.template.spec.serviceAccountName - options: - create: true - source: group: batch version: v1 @@ -46,42 +28,12 @@ replacements: - spec.template.spec.serviceAccountName options: create: true - - source: - group: batch - version: v1 - kind: Job - name: konflux-kyverno-remove-configmap - namespace: konflux-kyverno - fieldPath: spec.template.spec.serviceAccount - targets: - - select: - group: batch - version: v1 - kind: Job - namespace: konflux-kyverno - name: konflux-kyverno-remove-configmap - fieldPaths: - - spec.template.spec.serviceAccountName - options: - create: true # set resources to jobs patches: - - path: job_resources.yaml - target: - group: batch - version: v1 - kind: Job - name: konflux-kyverno-clean-reports - path: job_resources.yaml target: group: batch version: v1 kind: Job name: konflux-kyverno-migrate-resources - - path: job_resources.yaml - target: - group: batch - version: v1 - kind: Job - name: konflux-kyverno-remove-configmap diff --git a/components/kyverno/staging/stone-stage-p01/kyverno-helm-values.yaml b/components/kyverno/staging/stone-stage-p01/kyverno-helm-values.yaml index 368e9b6ec45..32409e9ebc9 100644 --- a/components/kyverno/staging/stone-stage-p01/kyverno-helm-values.yaml +++ b/components/kyverno/staging/stone-stage-p01/kyverno-helm-values.yaml @@ -1,5 +1,7 @@ fullnameOverride: konflux-kyverno namespaceOverride: konflux-kyverno +config: + preserve: false admissionController: replicas: 3 initContainer: 
@@ -66,6 +68,7 @@ reportsController: drop: - "ALL" policyReportsCleanup: + enabled: false image: registry: mirror.gcr.io securityContext: diff --git a/components/kyverno/staging/stone-stg-rh01/kustomization.yaml b/components/kyverno/staging/stone-stg-rh01/kustomization.yaml index 54d92f50a38..31467805a37 100644 --- a/components/kyverno/staging/stone-stg-rh01/kustomization.yaml +++ b/components/kyverno/staging/stone-stg-rh01/kustomization.yaml @@ -10,24 +10,6 @@ replacements: # enforce serviceAccountName is used instead of serviceAccount in Jobs # TODO: these replacements can be removed when bumping to kyverno:1.14 # https://github.com/kyverno/kyverno/pull/12158 - - source: - group: batch - version: v1 - kind: Job - name: konflux-kyverno-clean-reports - namespace: konflux-kyverno - fieldPath: spec.template.spec.serviceAccount - targets: - - select: - group: batch - version: v1 - kind: Job - namespace: konflux-kyverno - name: konflux-kyverno-clean-reports - fieldPaths: - - spec.template.spec.serviceAccountName - options: - create: true - source: group: batch version: v1 @@ -46,42 +28,12 @@ replacements: - spec.template.spec.serviceAccountName options: create: true - - source: - group: batch - version: v1 - kind: Job - name: konflux-kyverno-remove-configmap - namespace: konflux-kyverno - fieldPath: spec.template.spec.serviceAccount - targets: - - select: - group: batch - version: v1 - kind: Job - namespace: konflux-kyverno - name: konflux-kyverno-remove-configmap - fieldPaths: - - spec.template.spec.serviceAccountName - options: - create: true # set resources to jobs patches: - - path: job_resources.yaml - target: - group: batch - version: v1 - kind: Job - name: konflux-kyverno-clean-reports - path: job_resources.yaml target: group: batch version: v1 kind: Job name: konflux-kyverno-migrate-resources - - path: job_resources.yaml - target: - group: batch - version: v1 - kind: Job - name: konflux-kyverno-remove-configmap 
diff --git a/components/kyverno/staging/stone-stg-rh01/kyverno-helm-values.yaml b/components/kyverno/staging/stone-stg-rh01/kyverno-helm-values.yaml
index 368e9b6ec45..32409e9ebc9 100644
--- a/components/kyverno/staging/stone-stg-rh01/kyverno-helm-values.yaml
+++ b/components/kyverno/staging/stone-stg-rh01/kyverno-helm-values.yaml
@@ -1,5 +1,7 @@
 fullnameOverride: konflux-kyverno
 namespaceOverride: konflux-kyverno
+config:
+ preserve: false
 admissionController:
 replicas: 3
 initContainer:
@@ -66,6 +68,7 @@ reportsController:
 drop:
 - "ALL"
 policyReportsCleanup:
+ enabled: false
 image:
 registry: mirror.gcr.io
 securityContext: