Add CRD adoption hook

helm/kyverno-policy-operator/templates/_helpers.tpl

@@ -40,3 +40,17 @@ helm.sh/chart: {{ include "chart" . | quote }}
 {{- define "kyverno-policy-operator.CRDInstallSelector" -}}
 {{- printf "%s" "crd-install-hook" -}}
 {{- end -}}
+
+{{- define "kyverno-policy-operator.crdAdoption" -}}
+{{- printf "%s-%s" ( include "resource.default.name" . ) "crd-adoption-hook" | replace "+" "_" | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "kyverno-policy-operator.crdAdoptionAnnotations" -}}
+"helm.sh/hook": "post-upgrade"
+"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+{{- end -}}
+
+{{/* Create a label which can be used to select any orphaned crd-adoption hook resources */}}
+{{- define "kyverno-policy-operator.crdAdoptionSelector" -}}
+{{- printf "%s" "crd-adoption-hook" -}}
+{{- end -}}

helm/kyverno-policy-operator/templates/crd-adoption/crd-job.yaml

@@ -0,0 +1,59 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "kyverno-policy-operator.crdAdoption" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  annotations:
+    # create hook dependencies in the right order
+    "helm.sh/hook-weight": "-1"
+    {{- include "kyverno-policy-operator.crdAdoptionAnnotations" . | nindent 4 }}
+  labels:
+    app.kubernetes.io/component: {{ include "kyverno-policy-operator.crdAdoption" . | quote }}
+    {{- include "labels.selector" . | nindent 4 }}
+    role: {{ include "kyverno-policy-operator.crdAdoptionSelector" . | quote }}
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: {{ include "kyverno-policy-operator.crdAdoption" . | quote }}
+        {{- include "labels.selector" . | nindent 8 }}
+    spec:
+      serviceAccountName: {{ include "kyverno-policy-operator.crdAdoption" . }}
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+        runAsNonRoot: true
+        runAsUser: 65534
+        runAsGroup: 65534
+      tolerations:
+      - key: node-role.kubernetes.io/control-plane
+        effect: NoSchedule
+      containers:
+      - name: kubectl
+        image: "{{ default .Values.image.registry (include "global.imageRegistry" . ) }}/giantswarm/docker-kubectl:{{ .Values.crds.image.tag }}"
+        command:
+        - sh
+        - -c
+        - |
+          set -o errexit ; set -o xtrace ; set -o nounset
+
+          # piping stderr to stdout means kubectl's errors are surfaced
+          # in the pod's logs.
+          kubectl label crd policyexceptions.policy.giantswarm.io "app.kubernetes.io/managed-by=Helm"
+          kubectl annotate crd policyexceptions.policy.giantswarm.io "meta.helm.sh/release-name=policy-meta-operator"
+          kubectl annotate crd policyexceptions.policy.giantswarm.io "meta.helm.sh/release-namespace=policy-system"
+        securityContext:
+          seccompProfile:
+            type: RuntimeDefault
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+          privileged: false
+          runAsNonRoot: true
+          runAsUser: 65534
+          runAsGroup: 65534
+          capabilities:
+            drop:
+            - ALL
+        resources: {{- toYaml .Values.crds.resources | nindent 10 }}
+      restartPolicy: Never
+  backoffLimit: 4

helm/kyverno-policy-operator/templates/crd-adoption/crd-np.yaml

@@ -0,0 +1,26 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ include "kyverno-policy-operator.crdAdoption" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  annotations:
+    # create hook dependencies in the right order
+    "helm.sh/hook-weight": "-7"
+    {{- include "kyverno-policy-operator.crdAdoptionAnnotations" . | nindent 4 }}
+  labels:
+    app.kubernetes.io/component: {{ include "kyverno-policy-operator.crdAdoption" . | quote }}
+    {{- include "labels.selector" . | nindent 4 }}
+    role: {{ include "kyverno-policy-operator.crdAdoptionSelector" . | quote }}
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/component: {{ include "kyverno-policy-operator.crdAdoption" . | quote }}
+      {{- include "labels.selector" . | nindent 6 }}
+  egress:
+    - toEntities:
+        - kube-apiserver
+      toPorts:
+        - ports:
+            - port: "443"
+        - ports:
+            - port: "6443"

helm/kyverno-policy-operator/templates/crd-adoption/crd-rbac.yaml

@@ -0,0 +1,50 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "kyverno-policy-operator.crdAdoption" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  annotations:
+    # create hook dependencies in the right order
+    "helm.sh/hook-weight": "-3"
+    {{- include "kyverno-policy-operator.crdAdoptionAnnotations" . | nindent 4 }}
+  labels:
+    app.kubernetes.io/component: {{ include "kyverno-policy-operator.crdAdoption" . | quote }}
+    {{- include "labels.selector" . | nindent 4 }}
+    role: {{ include "kyverno-policy-operator.crdAdoptionSelector" . | quote }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - jobs
+  verbs:
+  - create
+  - delete
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - patch
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "kyverno-policy-operator.crdAdoption" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  annotations:
+    # create hook dependencies in the right order
+    "helm.sh/hook-weight": "-2"
+    {{- include "kyverno-policy-operator.crdAdoptionAnnotations" . | nindent 4 }}
+  labels:
+    app.kubernetes.io/component: {{ include "kyverno-policy-operator.crdAdoption" . | quote }}
+    {{- include "labels.common" . | nindent 4 }}
+    role: {{ include "kyverno-policy-operator.crdAdoptionSelector" . | quote }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "kyverno-policy-operator.crdAdoption" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "kyverno-policy-operator.crdAdoption" . }}
+    namespace: {{ .Release.Namespace | quote }}

helm/kyverno-policy-operator/templates/crd-adoption/crd-serviceaccount.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "kyverno-policy-operator.crdAdoption" . }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    # create hook dependencies in the right order
+    "helm.sh/hook-weight": "-4"
+    {{- include "kyverno-policy-operator.crdAdoptionAnnotations" . | nindent 4 }}
+  labels:
+    app.kubernetes.io/component: {{ include "kyverno-policy-operator.crdAdoption" . | quote }}
+    {{- include "labels.selector" . | nindent 4 }}
+    role: {{ include "kyverno-policy-operator.crdAdoptionSelector" . | quote }}