Update charts with latest changes (#607)

circleci-wiz · web-flow · commit d015a2c66e12 · 2025-04-08T13:28:37.000Z
diff --git a/wiz-admission-controller/Chart.yaml b/wiz-admission-controller/Chart.yaml
@@ -5,12 +5,12 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.9.5
+version: 3.10.0-preview.4
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "2.8"
+appVersion: "2.9"
 dependencies:
   - name: wiz-common
     version: "0.1.8"
diff --git a/wiz-admission-controller/templates/_helpers.tpl b/wiz-admission-controller/templates/_helpers.tpl
@@ -50,6 +50,16 @@ If release name contains chart name it will be used as a full name.
 {{- end }}
 {{- end }}
 
+{{- define "wiz-admission-controller-uninstall.name" -}}
+{{- if .Values.wizUninstallJob.nameOverride }}
+{{- .Values.wizUninstallJob.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $suffix := "-uninstall" -}}
+{{- $maxLength := int (sub 63 (len $suffix)) -}}
+{{- printf "%s%s" (include "wiz-admission-controller.fullname" . | trunc $maxLength | trimSuffix "-") $suffix -}}
+{{- end }}
+{{- end }}
+
 {{- define "wiz-admission-controller.wiz-hpa-enforcer.name" -}}
 {{- $suffix := "-hpa" -}}
 {{- $maxLength := int (sub 63 (len $suffix)) -}}
@@ -120,6 +130,14 @@ Wiz manager selector labels
 app.kubernetes.io/name: {{ include "wiz-admission-controller-manager.name" . }}
 {{- end }}
 
+{{/*
+Wiz uninstall selector labels
+*/}}
+{{- define "wiz-admission-controller-uninstall.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "wiz-admission-controller-uninstall.name" . }}
+{{- end }}
+
+
 {{- define "wiz-admission-controller-enforcement.labels" -}}
 {{ include "wiz-admission-controller.labels" . }}
 {{ include "wiz-admission-controller-enforcement.selectorLabels" . }}
@@ -135,6 +153,11 @@ app.kubernetes.io/name: {{ include "wiz-admission-controller-manager.name" . }}
 {{ include "wiz-admission-controller-manager.selectorLabels" . }}
 {{- end }}
 
+{{- define "wiz-admission-controller-uninstall.labels" -}}
+{{ include "wiz-admission-controller.labels" . }}
+{{ include "wiz-admission-controller-uninstall.selectorLabels" . }}
+{{- end }}
+
 {{/*
 Wiz Horizontal Pod Autoscaler labels
 */}}
diff --git a/wiz-admission-controller/templates/jobuninstall.yaml b/wiz-admission-controller/templates/jobuninstall.yaml
@@ -0,0 +1,123 @@
+{{ if .Values.wizUninstallJob.enabled -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "wiz-admission-controller-uninstall.name" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    wiz.io/component: "admission-controller-uninstall"
+    {{- include "wiz-admission-controller-uninstall.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    rollme.proxyHash: {{ include "wiz-admission-controller.proxyHash" . }}
+    rollme.wizApiTokenHash: {{ include "wiz-admission-controller.wizApiTokenHash" . }}
+    {{- with (.Values.wizUninstallJob.jobAnnotations) }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  {{- if .Values.wizUninstallJob.useJobTTL }}
+  ttlSecondsAfterFinished: 60
+  {{- end }}
+  manualSelector: true
+  selector:
+    matchLabels:
+      {{- include "wiz-admission-controller-uninstall.selectorLabels" . | nindent 6 }}
+  activeDeadlineSeconds: {{ .Values.wizUninstallJob.timeoutSeconds }}
+  backoffLimit: 1
+  template:
+    metadata:
+      {{- if (or .Values.global.podAnnotations .Values.podAnnotations .Values.wizUninstallJob.podAnnotations)}}
+      annotations:
+        {{- with .Values.global.podAnnotations }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with .Values.podAnnotations }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with .Values.wizUninstallJob.podAnnotations }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- end }}
+      labels:
+        wiz.io/component: "admission-controller-uninstall"
+      {{- include "wiz-admission-controller-uninstall.labels" . | nindent 8 }}
+      {{- with .Values.global.podLabels }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- with .Values.wizUninstallJob.podAdditionalSpec }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      restartPolicy: "Never"
+      securityContext:
+        {{- if hasKey .Values.global "lowPrivilegePodSecurityPolicy" }}
+          {{- toYaml .Values.global.lowPrivilegePodSecurityPolicy | nindent 8 }}
+        {{- else }}
+          {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{- end }}
+      {{- if .Values.hostNetwork }}
+      hostNetwork: true
+      {{- end }}
+      volumes:
+        {{- include "wiz-admission-controller.spec.common.volumes" . | trim | nindent 8 }}
+        {{- with .Values.customVolumes }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with .Values.global.customVolumes }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      containers:
+        - name: {{ .Chart.Name }}-uninstall
+          securityContext:
+             {{- if hasKey .Values.global "lowPrivilegeSecurityPolicy" }}
+             {{- toYaml .Values.global.lowPrivilegeSecurityPolicy | nindent 14 }}
+             {{- else }}
+             {{- toYaml .Values.securityContext | nindent 14 }}
+             {{- end }}
+          image: {{ include "wiz-admission-controller.image" . }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command:
+          - "/usr/bin/wiz-admission-controller"
+          - "uninstall"
+          {{- include "wiz-admission-controller.spec.common.commandArgs" . | trim | nindent 10 }}
+          env:
+          {{- include "wiz-admission-controller.spec.common.envVars" . | trim | nindent 10 }}
+          resources:
+            {{- include "wiz-admission-controller.resources" . | trim | nindent 12 }}
+          volumeMounts:
+            {{- include "wiz-admission-controller.spec.common.volumeMounts" . | trim | nindent 14 }}
+            {{- if or .Values.customVolumeMounts .Values.global.customVolumeMounts }}
+            {{- with .Values.customVolumeMounts }}
+              {{- toYaml . | nindent 14 }}
+            {{- end }}
+            {{- with .Values.global.customVolumeMounts }}
+              {{- toYaml . | nindent 14 }}
+            {{- end }}
+            {{- end }}
+      {{- with (coalesce .Values.global.nodeSelector .Values.nodeSelector) }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with (coalesce .Values.global.affinity .Values.affinity) }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if (or .Values.global.tolerations .Values.tolerations) }}
+      tolerations:
+        {{- with .Values.global.tolerations }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with .Values.tolerations }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- end }}
+{{- end }}
+
diff --git a/wiz-admission-controller/values.yaml b/wiz-admission-controller/values.yaml
@@ -498,6 +498,21 @@ wizManager:
     # If empty, a name is generated using the nameOverride
     name: ""
 
+wizUninstallJob:
+  enabled: true # Should the uninstall job be deployed.
+  nameOverride: "" # Override the uninstall job name.
+  timeoutSeconds: 300 # The timeout for the uninstall job in seconds.
+  # Toggle the TTL (Time to Live) mechanism for automatic cleanup of finished Jobs.
+  # Set to `true` to enable Kubernetes to automatically delete Jobs after they complete or fail, based on the `ttlSecondsAfterFinished` field.
+  # Set to `false` if using Argo CD to manage Job lifecycle with deletion hooks, as TTL-based cleanup can cause Application to appear OutOfSync.
+  # See: https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks/#sync-status-with-jobsworkflows-with-time-to-live-ttl
+  useJobTTL: true
+  jobAnnotations: {}
+  podAnnotations: {}
+  podAdditionalSpec: {}
+
+
+
 # Global values to override chart values.
 global:
   nameOverride: "" # Override the release’s name.
