Update Gatekeeper to 3.6.0
New IB Image available.
Make sure to pull in upstream chart updates with kpt (if applicable)
Definition of Done:
-
Image versions updated in
chart/values.yaml - Chart version bumped (match upstream chart, reset to bb.0 if the upstream version changes)
- Changelog entry added, note the update to image, any additional updates
- Clean install tested and validated working (see things to test)
- Upgrade tested and validated working (install newest tagged release, upgrade to your branch, then run through things to test)
- Pipeline passing on package MR
- Package MR merged and new release tagged
- BB MR opened, pipeline passing
- BB MR merged (no checkbox, BB MR should auto-close this)
Things to test:
- Validate all pods come up and healthy
- Validate constraints are created and log violations
- ???
/cc @toladipupo @michaelmcleroy feel free to update issue to better reflect process/testing.
Activity
added to epic &84 (closed)
added gatekeeper + 1 deleted label
changed iteration to Big Bang Iterations Sep 7, 2021 - Sep 20, 2021
assigned to @olelink
added statusdoing label
Updated Chart to 3.6.0 for appVersion and version. Added v3.6.0 to values. Ran
kpt pkg update chart@v3.6.0 --strategy alpha-git-patchThis create merge conflicts where it tried to reset registries to github. I kept the original changes that had registry1. However, after these changes, gatekeeper does not work. Build helper container will not start
@olelink if you're referring to the pipeline...that's unrelated to your changes. It's unfortunately a function of our inconsistent runners. In general a retry will work (I just retried and it's running now). We have some backlog issues to work some of these pipeline inconsistencies.
In the meantime if you run into that, retry the job.
Edited by Micah Nagel-
Thanks @micah.nagel but something went wrong with my kpt command as I created a new branch and ran the same command and the number of changes from main are different. The new branch passed
added statusreview label and removed statusdoing label
added statusdoing label and removed statusreview label
added priority6 label
removed statusdoing label
-
There is a bug in the upstream helm charts (bug report created in github) that doesn't support using a pullSecret for a private image of crdRelease. crdRelease is newly added in this version of gatekeeper. I started a workaround to apply the secret manually. This included adding to helpers.tpl and creating a secret in the upgrade-crds-hook.yaml. So far this has been unsuccessful. During testing, I have since moved the secret out of the upgrade-crds-hook.yaml and moved it into its own secret.yaml file. Running helm template, you can see the secret should deploy, however, it never does. If you kubectl apply the secret output from the template, it works. My current theory is that gatekeeper is somehow managing secrets created in the namespace during deployment and it is blocking it from being created.
The branch that has the work completed so far is bb-747-retry and there is a pull request for it here: https://repo1.dso.mil/platform-one/big-bang/apps/core/policy/-/merge_requests/101
As I do not have AWS access and can't test changes atm, I'm dropping this back in unassigned. If you are looking to do this task and have any questions, please let me know.
unassigned @olelink
assigned to @olelink
added statusdoing label
added teamcore/security label
changed milestone to %1.18.0
changed iteration to Big Bang Iterations Sep 21, 2021 - Oct 4, 2021
added statusreview label and removed statusdoing label
mentioned in merge request !941 (merged)
mentioned in commit e2852b4f
closed with merge request !941 (merged)
removed statusreview label