feat(gatekeeper): upgrade to 3.5.1
Package Owner Merge Request
Package Changes
- Upgrades OPA Gatekeeper to 3.5.1
- Adds upgrade option to Helm Release to force CRD and Constraint upgrades
- Adds exception overrides for packages (moving from OPA to Big Bang)
- Moves restricted taint constraint to "Deny"
Releases
- https://repo1.dso.mil/platform-one/big-bang/apps/core/policy/-/releases/3.5.1-bb.1
- https://repo1.dso.mil/platform-one/big-bang/apps/core/policy/-/releases/3.5.1-bb.0
Merge Requests
- https://repo1.dso.mil/platform-one/big-bang/apps/core/policy/-/merge_requests/62
- https://repo1.dso.mil/platform-one/big-bang/apps/core/policy/-/merge_requests/69
Additional Details
Default constraint exceptions will not be moved to Big Bang for the following reasons:
- Big Bang can control the exceptions based on whether the package needing the exception is enabled
- OPA Gatekeeper has no knowledge of namespaces, containers, etc. in Big Bang
- All of the exceptions and justifications will be located in one place
Known issues or expected conflicts?
During testing, we had some intermittent problems getting the CRDs to update. The options added to HelmRelease have fixed that so far. But, since it was intermittent, it may be that we were just lucky.
Edited by Michael McLeroy