use wiz-admission-controller-enforcer.name as AC enforcer deployment name

Author: nitzanzuler

wiz-admission-controller/templates/NOTES.txt

@@ -1,6 +1,6 @@
 For uninstalling the wiz admission controller you need to delete helm hooks resources manually:
-1. Delete validating webhook configuration - kubectl delete validatingwebhookconfiguration {{ printf "%s-%s" (include "wiz-admission-controller.fullname" . ) "misconfigurations" }}
-2. Delete mutating webhook configuration - kubectl delete mutatingwebhookconfiguration {{ printf "%s-%s" (include "wiz-admission-controller.fullname" . ) "image-integrity" }}
+1. Delete validating webhook configuration - kubectl delete validatingwebhookconfiguration {{ printf "%s-%s" (include "wiz-admission-controller-enforcer.name" . ) "misconfigurations" }}
+2. Delete mutating webhook configuration - kubectl delete mutatingwebhookconfiguration {{ printf "%s-%s" (include "wiz-admission-controller-enforcer.name" . ) "image-integrity" }}
 
 {{- if not .Values.webhook.secret.name }}
 3. Delete certificates secret - kubectl delete -n {{ .Release.Namespace }} secret  {{ include "wiz-admission-controller.secretServerCert" . | trim }}

wiz-admission-controller/templates/_helpers.tpl

@@ -26,6 +26,9 @@ If release name contains chart name it will be used as a full name.
 {{- end }}
 {{- end }}
 
+{{- define "wiz-admission-controller-enforcer.name" -}}
+{{- printf "%s" (include "wiz-admission-controller.fullname" .) | trunc 63 | trimSuffix "-" }}
+{{- end }}
 
 {{- define "wiz-kubernetes-audit-log-collector.name" -}}
 {{- if .Values.kubernetesAuditLogsWebhook.nameOverride }}
@@ -273,7 +276,7 @@ scaleDown:
 {{- define "autoUpdate.deployments" -}}
 {{- $list := list -}}
 {{- if eq (include "wiz-admission-controller.isEnforcerEnabled" . | trim | lower) "true" }}
-{{- $list = append $list (include "wiz-admission-controller.fullname" . ) -}}
+{{- $list = append $list (include "wiz-admission-controller-enforcer.name" . ) -}}
 {{- end -}}
 {{- if .Values.kubernetesAuditLogsWebhook.enabled -}}
 {{- $list = append $list (include "wiz-kubernetes-audit-log-collector.name" . ) -}}

wiz-admission-controller/templates/certmanager.yaml

@@ -17,8 +17,8 @@ spec:
     organizations:
     - wizselfsigned
   dnsNames:
-  - {{ printf "%s.%s" (include "wiz-admission-controller.fullname" .) .Release.Namespace | quote }}
-  - {{ printf "%s.%s.svc" (include "wiz-admission-controller.fullname" .) .Release.Namespace | quote }}
+  - {{ printf "%s.%s" (include "wiz-admission-controller-enforcer.name" .) .Release.Namespace | quote }}
+  - {{ printf "%s.%s.svc" (include "wiz-admission-controller-enforcer.name" .) .Release.Namespace | quote }}
   - {{ printf "%s.%s" ( include "wiz-kubernetes-audit-log-collector.name" .) .Release.Namespace }}
   - {{ printf "%s.%s.svc" ( include "wiz-kubernetes-audit-log-collector.name" .) .Release.Namespace }}
   duration: "87600h0m0s" # AC doesn't currently detect changes to the certificate and must be restarted after renewal

wiz-admission-controller/templates/cronjobmanager.yaml

@@ -47,7 +47,7 @@ spec:
           {{- end }}
           terminationGracePeriodSeconds: {{ .Values.global.podTerminationGracePeriodSeconds }}
           containers:
-            - name: {{ .Chart.Name }}
+            - name: {{ .Chart.Name }}-manager
               securityContext:
                 {{- if hasKey .Values.global "lowPrivilegeSecurityPolicy" }}
                 {{- toYaml .Values.global.lowPrivilegeSecurityPolicy | nindent 16 }}

wiz-admission-controller/templates/deploymentenforcement.yaml

@@ -2,7 +2,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "wiz-admission-controller.fullname" . }}
+  name: {{ include "wiz-admission-controller-enforcer.name" . }}
   namespace: {{ .Release.Namespace | quote }}
   labels:
     {{- include "wiz-admission-controller-enforcement.labels" . | nindent 4 }}

wiz-admission-controller/templates/hpa.yaml

@@ -10,7 +10,7 @@ spec:
   scaleTargetRef:
     apiVersion: apps/v1
     kind: Deployment
-    name: {{ include "wiz-admission-controller.fullname" . }}
+    name: {{ include "wiz-admission-controller-enforcer.name" . }}
   minReplicas: {{ .Values.hpa.minReplicas }}
   maxReplicas: {{ .Values.hpa.maxReplicas }}
   metrics:

wiz-admission-controller/templates/opawebhook.yaml

@@ -2,7 +2,7 @@
 {{- $tlsCrt := .Values.tlsCertificate.tlsCertificate -}}
 {{- $tlsKey := .Values.tlsCertificate.tlsKey -}}
 {{- if .Values.tlsCertificate.create -}}
-{{- $altNames := list ( printf "%s.%s" (include "wiz-admission-controller.fullname" .) .Release.Namespace ) ( printf "%s.%s.svc" (include "wiz-admission-controller.fullname" .) .Release.Namespace ) ( printf "%s.%s" ( include "wiz-kubernetes-audit-log-collector.name" .) .Release.Namespace ) ( printf "%s.%s.svc" ( include "wiz-kubernetes-audit-log-collector.name" .) .Release.Namespace ) -}}
+{{- $altNames := list ( printf "%s.%s" (include "wiz-admission-controller-enforcer.name" .) .Release.Namespace ) ( printf "%s.%s.svc" (include "wiz-admission-controller-enforcer.name" .) .Release.Namespace ) ( printf "%s.%s" ( include "wiz-kubernetes-audit-log-collector.name" .) .Release.Namespace ) ( printf "%s.%s.svc" ( include "wiz-kubernetes-audit-log-collector.name" .) .Release.Namespace ) -}}
 {{- $ca := genCA "wiz-admission-controller-ca" 3650 -}}
 {{- $cert := genSignedCert ( include "wiz-admission-controller.fullname" . ) nil $altNames 3650 $ca -}}
 {{- $tlsCrt = $cert.Cert | b64enc -}}
@@ -12,7 +12,7 @@
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
-  name: {{ printf "%s-%s" (include "wiz-admission-controller.fullname" . ) "misconfigurations" }}
+  name: {{ printf "%s-%s" (include "wiz-admission-controller-enforcer.name" . ) "misconfigurations" }}
   namespace: {{ .Release.Namespace | quote }}
   labels:
     {{- include "wiz-admission-controller.labels" . | nindent 4 }}
@@ -28,7 +28,7 @@ webhooks:
   clientConfig:
     service:
       namespace: {{ .Release.Namespace }}
-      name: {{ include "wiz-admission-controller.fullname" . }}
+      name: {{ include "wiz-admission-controller-enforcer.name" . }}
       path: /opa-validator
       port: {{ .Values.service.port }}
 {{- if not $useCertManagerCerts }}
@@ -67,7 +67,7 @@ webhooks:
   clientConfig:
     service:
       namespace: {{ .Release.Namespace }}
-      name: {{ include "wiz-admission-controller.fullname" . }}
+      name: {{ include "wiz-admission-controller-enforcer.name" . }}
       path: /image-integrity-validator
       port: {{ .Values.service.port }}
 {{- if not $useCertManagerCerts }}
@@ -90,7 +90,7 @@ webhooks:
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
-  name: {{ printf "%s-%s" (include "wiz-admission-controller.fullname" . ) "kubernetes-audit-logs" }}
+  name: {{ printf "%s-%s" (include "wiz-admission-controller-enforcer.name" . ) "kubernetes-audit-logs" }}
   namespace: {{ .Release.Namespace | quote }}
   labels:
     {{- include "wiz-admission-controller.labels" . | nindent 4 }}
@@ -145,7 +145,7 @@ webhooks:
   clientConfig:
     service:
       namespace: {{ .Release.Namespace }}
-      name: {{ include "wiz-admission-controller.fullname" . }}
+      name: {{ include "wiz-admission-controller-enforcer.name" . }}
       path: /dumper
       port: {{ .Values.service.port }}
 {{- if not $useCertManagerCerts }}

wiz-admission-controller/templates/pod-disruption-budget.yaml

@@ -16,7 +16,7 @@ spec:
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
-  name: {{ include "wiz-admission-controller.fullname" . }}
+  name: {{ include "wiz-admission-controller-enforcer.name" . }}
 spec:
   minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
   maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}

wiz-admission-controller/templates/service.yaml

@@ -3,7 +3,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ include "wiz-admission-controller.fullname" . }}
+  name: {{ include "wiz-admission-controller-enforcer.name" . }}
   namespace: {{ .Release.Namespace | quote }}
   labels:
     {{- include "wiz-admission-controller-enforcement.labels" . | nindent 4 }}