Expose the deployment strategy values for the policy controller

shearn89 · shearn89 · commit 30f3e6edd48f · 2024-05-07T14:22:37.000+01:00
Prior to this change, the policy controller webhook was not able to have its deployment strategy modified. If you only deployed a single replica, it could not perform a rolling update due to the default `maxSurge: 25%` being rounded down to 0. This change exposes those values, so that the `maxSurge` can be updated and a single instance can be rolled. Fixes #748. Signed-off-by: Alex Shearn <alex.shearn@kraken.tech>
diff --git a/charts/policy-controller/README.md b/charts/policy-controller/README.md
@@ -40,7 +40,7 @@ The Helm chart for Policy  Controller
 | webhook.failurePolicy | string | `"Fail"` |  |
 | webhook.image.pullPolicy | string | `"IfNotPresent"` |  |
 | webhook.image.repository | string | `"ghcr.io/sigstore/policy-controller/policy-controller"` |  |
-| webhook.image.version | string | `"sha256:f291fce5b9c1a69ba54990eda7e0fe4114043b1afefb0f4ee3e6f84ec9ef1605"` | `"v0.8.2"` |
+| webhook.image.version | string | `"sha256:f291fce5b9c1a69ba54990eda7e0fe4114043b1afefb0f4ee3e6f84ec9ef1605"` |  |
 | webhook.name | string | `"webhook"` |  |
 | webhook.namespaceSelector.matchExpressions[0].key | string | `"policy.sigstore.dev/include"` |  |
 | webhook.namespaceSelector.matchExpressions[0].operator | string | `"In"` |  |
@@ -71,118 +71,3 @@ The Helm chart for Policy  Controller
 | webhook.webhookNames.defaulting | string | `"defaulting.clusterimagepolicy.sigstore.dev"` |  |
 | webhook.webhookNames.validating | string | `"validating.clusterimagepolicy.sigstore.dev"` |  |
 
-
-### Deploy `policy-controller` Helm Chart
-
-Install `policy-controller` using Helm:
-
-```shell
-helm repo add sigstore https://sigstore.github.io/helm-charts
-helm repo update
-kubectl create namespace cosign-system
-helm install policy-controller -n cosign-system sigstore/policy-controller --devel
-```
-
-The `policy-controller` enforce images matching the defined list of `ClusterImagePolicy` for the labeled namespaces.
-
-Note that, by default, the `policy-controller` offers a configurable behavior defining whether to allow, deny or warn whenever an image does not match a policy in a specific namespace. This behavior can be configured using the `config-policy-controller` ConfigMap created under the release namespace, and by adding an entry with the property `no-match-policy` and its value `warn|allow|deny`.
-By default, any image that does not match a policy is rejected whenever `no-match-policy` is not configured in the ConfigMap.
-
-As supported in previous versions, you could create your own key pair:
-
-```shell
-export COSIGN_PASSWORD=<my_cosign_password>
-cosign generate-key-pair
-```
-
-This command generates two key files `cosign.key` and `cosign.pub`. Next, create a secret to validate the signatures:
-
-```shell
-kubectl create secret generic mysecret -n \
-cosign-system --from-file=cosign.pub=./cosign.pub
-```
-
-**IMPORTANT:** The `cosign.secretKeyRef` flag is not supported anymore. Finally, you could reuse your secret `mysecret` by creating a `ClusterImagePolicy` that sets it as listed authorities, as shown below.
-
-```yaml
-apiVersion: policy.sigstore.dev/v1alpha1
-kind: ClusterImagePolicy
-metadata:
-  name: cip-key-secret
-spec:
-  images:
-  - glob: "**your-desired-value**"
-  authorities:
-  - key:
-      secretRef:
-        name: mysecret
-```
-#### Configuring Custom Certificate Authorities (CA)
-
-The `policy-controller` can be configured to use custom CAs to communicate to container registries, for example, when you have a private registry with a self-signed TLS certificate.
-
-To configure `policy-controller` to use custom CAs, follow these steps:
-
-1. Make sure the `policy-controller` namespace exists:
-
-    ```shell
-    kubectl create namespace cosign-system
-    ```
-
-2. Create a bundle file with all the root and intermediate certificates and name it `ca-bundle.crt`.
-
-3. Create a `ConfigMap` from the bundle:
-    ```shell
-    kubectl -n cosign-system create cm ca-bundle-config \
-      --from-file=ca-bundle.crt="ca-bundle.crt"
-    ```
-
-4. Install the `policy-controller`:
-
-    ```shell
-    helm install -n cosign-system \
-      --set webhook.registryCaBundle.name=ca-bundle-config \
-      --set webhook.registryCaBundle.key=ca-bundle.crt \
-      policy-controller sigstore/policy-controller
-    ```
-
-### Enabling Admission control
-
-To enable the `policy admission webhook` to check for signed images, you will need to add the following label in each namespace that you would want the webhook triggered:
-
-Label: `policy.sigstore.dev/include: "true"`
-
-```yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    policy.sigstore.dev/include: "true"
-    kubernetes.io/metadata.name: my-namespace
-  name: my-namespace
-spec:
-  finalizers:
-  - kubernetes
-```
-
-### Testing the webhook
-
-1. Using Unsigned Images:
-Creating a deployment referencing images that are not signed will yield the following error and no resources will be created:
-
-    ```shell
-    kubectl apply -f my-deployment.yaml
-    Error from server (BadRequest): error when creating "my-deployment.yaml": admission webhook "policy.sigstore.dev" denied the request: validation failed: invalid image signature: spec.template.spec.containers[0].image
-    ```
-
-2. Using Signed Images: Assuming a signed `nginx` image with a tag `signed` exists on a registry, the resource will be successfully created.
-
-   ```shell
-   kubectl run pod1-signed  --image=< REGISTRY_USER >/nginx:signed -n testns
-   pod/pod1-signed created
-   ```
-
-
-## More info
-
-You can find more information about the policy-controller in [here](https://docs.sigstore.dev/policy-controller/overview/).
diff --git a/charts/policy-controller/templates/webhook/deployment_webhook.yaml b/charts/policy-controller/templates/webhook/deployment_webhook.yaml
@@ -12,6 +12,13 @@ spec:
     matchLabels:
       {{- include "policy-controller.selectorLabels" . | nindent 6 }}
       control-plane: {{ template "policy-controller.fullname" . }}-webhook
+
+{{- if .Values.deployment.strategy }}
+  strategy:
+{{ toYaml .Values.deployment.strategy | trim | indent 4 }}
+    {{ if eq .Values.deployment.strategy.type "Recreate" }}rollingUpdate: null{{ end }}
+{{- end }}
+
   template:
     metadata:
       labels:
