Merge branch 'master' into dependabot/go_modules/github.com/docker/do…

…cker-26.1.4incompatible

.github/workflows/codeql.yaml

@@ -25,12 +25,12 @@ jobs:
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@2d790406f505036ef40ecba973cc774a50395aac
+        uses: github/codeql-action/init@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a
         with:
           languages: go
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@2d790406f505036ef40ecba973cc774a50395aac
+        uses: github/codeql-action/autobuild@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@2d790406f505036ef40ecba973cc774a50395aac
+        uses: github/codeql-action/analyze@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a

.github/workflows/scorecards.yml

@@ -41,7 +41,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
         with:
           results_file: results.sarif
           results_format: sarif
@@ -71,6 +71,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
+        uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
         with:
           sarif_file: results.sarif

.github/workflows/test-gator.yaml

@@ -33,7 +33,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        KUBERNETES_VERSION: ["1.26.3", "1.27.1", "1.28.0", "1.29.0"]
+        KUBERNETES_VERSION: ["1.27.13", "1.28.9", "1.29.4", "1.30.0"]
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0

.github/workflows/upgrade.yaml

@@ -68,15 +68,12 @@ jobs:
       - name: Upgrade Helm version
         run: |
           make docker-buildx \
-            IMG=gatekeeper-e2e:latest \
-            GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }}
+            IMG=gatekeeper-e2e:latest
 
           make docker-buildx-crds \
-            CRD_IMG=gatekeeper-crds:latest \
-            GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }}
+            CRD_IMG=gatekeeper-crds:latest 
 
-          make e2e-build-load-externaldata-image \
-            GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }}
+          make e2e-build-load-externaldata-image
 
           kind load docker-image --name kind \
             gatekeeper-e2e:latest \

.github/workflows/workflow.yaml

@@ -33,7 +33,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        KUBERNETES_VERSION: ["1.26.3", "1.27.1", "1.28.0", "1.29.0"]
+        KUBERNETES_VERSION: ["1.27.13", "1.28.9", "1.29.4", "1.30.0"]
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0

Makefile

@@ -20,7 +20,7 @@ VERSION := v3.17.0-beta.0
 
 KIND_VERSION ?= 0.17.0
 # note: k8s version pinned since KIND image availability lags k8s releases
-KUBERNETES_VERSION ?= 1.28.0
+KUBERNETES_VERSION ?= 1.30.0
 KUSTOMIZE_VERSION ?= 3.8.9
 BATS_VERSION ?= 1.8.2
 ORAS_VERSION ?= 0.16.0

build/tooling/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.22-bookworm@sha256:6c2780255bb7b881e904e303be0d7a079054160b2ce1efde446693c0850a39ad
+FROM golang:1.22-bookworm@sha256:af9b40f2b1851be993763b85288f8434af87b5678af04355b1e33ff530b5765f
 
 RUN GO111MODULE=on go install sigs.k8s.io/controller-tools/cmd/[email protected]
 RUN GO111MODULE=on go install k8s.io/code-generator/cmd/[email protected]

cmd/build/helmify/kustomize-for-helm.yaml

@@ -145,6 +145,7 @@ spec:
         HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_IMAGE_PULL_SECRETS: ""
       hostNetwork: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_HOST_NETWORK
       dnsPolicy: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_DNS_POLICY
+      serviceAccountName: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_SERVICE_ACCOUNT_NAME
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -223,6 +224,7 @@ spec:
         HELMSUBST_DEPLOYMENT_AUDIT_IMAGE_PULL_SECRETS: ""
       hostNetwork: HELMSUBST_DEPLOYMENT_AUDIT_HOST_NETWORK
       dnsPolicy: HELMSUBST_DEPLOYMENT_AUDIT_DNS_POLICY
+      serviceAccountName: HELMSUBST_DEPLOYMENT_AUDIT_SERVICE_ACCOUNT_NAME
 ---
 apiVersion: v1
 kind: Secret

cmd/build/helmify/main.go

@@ -22,8 +22,9 @@ var kindRegex = regexp.MustCompile(`(?m)^kind:[\s]+([\S]+)[\s]*$`)
 var nameRegex = regexp.MustCompile(`(?m)^  name:[\s]+([\S]+)[\s]*$`)
 
 const (
-	DeploymentKind = "Deployment"
-	end            = "{{- end }}"
+	DeploymentKind     = "Deployment"
+	ServiceAccountKind = "ServiceAccount"
+	end                = "{{- end }}"
 )
 
 func isRbacKind(str string) bool {
@@ -153,6 +154,10 @@ func (ks *kindSet) Write() error {
 				obj = "{{- if .Values.rbac.create }}\n" + obj + end + "\n"
 			}
 
+			if name == "gatekeeper-admin" && kind == ServiceAccountKind {
+				obj = "{{- if .Values.serviceAccount.gatekeeperAdmin.create }}\n" + obj + end + "\n"
+			}
+
 			if name == "gatekeeper-controller-manager" && kind == "PodDisruptionBudget" {
 				obj = strings.Replace(obj, "apiVersion: policy/v1", "{{- $v1 := .Capabilities.APIVersions.Has \"policy/v1/PodDisruptionBudget\" -}}\n{{- $v1beta1 := .Capabilities.APIVersions.Has \"policy/v1beta1/PodDisruptionBudget\" -}}\napiVersion: policy/v1{{- if and (not $v1) $v1beta1 -}}beta1{{- end }}", 1)
 			}

cmd/build/helmify/replacements.go

@@ -23,6 +23,10 @@ var replacements = map[string]string{
 
 	"HELMSUBST_DEPLOYMENT_AUDIT_DNS_POLICY": `{{ .Values.audit.dnsPolicy }}`,
 
+	"HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_SERVICE_ACCOUNT_NAME": `{{ .Values.controllerManager.serviceAccount.name }}`,
+
+	"HELMSUBST_DEPLOYMENT_AUDIT_SERVICE_ACCOUNT_NAME": `{{ .Values.audit.serviceAccount.name }}`,
+
 	"HELMSUBST_DEPLOYMENT_AUDIT_HEALTH_PORT": `{{ .Values.audit.healthPort }}`,
 
 	"HELMSUBST_DEPLOYMENT_AUDIT_METRICS_PORT": `{{ .Values.audit.metricsPort }}`,

cmd/build/helmify/static/templates/namespace-post-install.yaml

@@ -32,7 +32,7 @@ spec:
       imagePullSecrets:
       {{- .Values.postInstall.labelNamespace.image.pullSecrets | toYaml | nindent 12 }}
       {{- end }}
-      serviceAccount: gatekeeper-update-namespace-label
+      serviceAccount: {{ .Values.postInstall.labelNamespace.serviceAccount.name }}
       {{- if .Values.postInstall.probeWebhook.enabled }}
       volumes:
       {{- include "gatekeeper.postInstallWebhookProbeVolume" . | nindent 8 }}
@@ -90,10 +90,11 @@ spec:
         {{- toYaml .tolerations | nindent 8 }}
       {{- end }}
 ---
+{{- if .Values.postInstall.labelNamespace.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: gatekeeper-update-namespace-label
+  name: {{ .Values.postInstall.labelNamespace.serviceAccount.name }}
   namespace: {{ .Release.Namespace | quote }}
   labels:
     {{- include "gatekeeper.commonLabels" . | nindent 4 }}
@@ -103,6 +104,7 @@ metadata:
     "helm.sh/hook": post-install
     "helm.sh/hook-weight": "-5"
     "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+{{- end }}
 ---
 {{- if .Values.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
@@ -155,7 +157,7 @@ roleRef:
   name: gatekeeper-update-namespace-label
 subjects:
   - kind: ServiceAccount
-    name: gatekeeper-update-namespace-label
+    name: {{ .Values.postInstall.labelNamespace.serviceAccount.name }}
     namespace: {{ .Release.Namespace | quote }}
 {{- end }}
 {{- end }}

cmd/build/helmify/static/templates/namespace-post-upgrade.yaml

@@ -27,7 +27,7 @@ spec:
       imagePullSecrets:
       {{- .Values.postUpgrade.labelNamespace.image.pullSecrets | toYaml | nindent 12 }}
       {{- end }}
-      serviceAccount: gatekeeper-update-namespace-label-post-upgrade
+      serviceAccount: {{ .Values.postUpgrade.labelNamespace.serviceAccount.name }}
       {{- if .Values.postUpgrade.labelNamespace.priorityClassName }}
       priorityClassName: {{ .Values.postUpgrade.labelNamespace.priorityClassName }}
       {{- end }}
@@ -82,10 +82,11 @@ spec:
         {{- toYaml .nodeSelector | nindent 8 }}
       {{- end }}
 ---
+{{- if .Values.postUpgrade.labelNamespace.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: gatekeeper-update-namespace-label-post-upgrade
+  name: {{ .Values.postUpgrade.labelNamespace.serviceAccount.name }}
   labels:
     {{- include "gatekeeper.commonLabels" . | nindent 4 }}
     release: {{ .Release.Name }}
@@ -94,6 +95,7 @@ metadata:
     "helm.sh/hook": post-upgrade
     "helm.sh/hook-weight": "-5"
     "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+{{- end }}
 ---
 {{- if .Values.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
@@ -143,7 +145,7 @@ roleRef:
   name: gatekeeper-update-namespace-label-post-upgrade
 subjects:
   - kind: ServiceAccount
-    name: gatekeeper-update-namespace-label-post-upgrade
+    name: {{ .Values.postUpgrade.labelNamespace.serviceAccount.name }}
     namespace: {{ .Release.Namespace | quote }}
 {{- end }}
 {{- end }}

cmd/build/helmify/static/templates/upgrade-crds-hook.yaml

@@ -36,27 +36,29 @@ metadata:
     helm.sh/hook-weight: "1"
 subjects:
   - kind: ServiceAccount
-    name: gatekeeper-admin-upgrade-crds
+    name: {{ .Values.upgradeCRDs.serviceAccount.name }}
     namespace: {{ .Release.Namespace }}
 roleRef:
   kind: ClusterRole
   name: gatekeeper-admin-upgrade-crds
   apiGroup: rbac.authorization.k8s.io
 {{- end }}
 ---
+{{- if .Values.upgradeCRDs.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
     {{- include "gatekeeper.commonLabels" . | nindent 4 }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
-  name: gatekeeper-admin-upgrade-crds
+  name: {{ .Values.upgradeCRDs.serviceAccount.name }}
   namespace: '{{ .Release.Namespace }}'
   annotations:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
     helm.sh/hook-weight: "1"
+{{- end }}
 ---
 apiVersion: batch/v1
 kind: Job
@@ -82,7 +84,7 @@ spec:
         {{- include "gatekeeper.mandatoryLabels" . | nindent 8 }}
         {{- include "gatekeeper.commonLabels" . | nindent 8 }}
     spec:
-      serviceAccountName: gatekeeper-admin-upgrade-crds
+      serviceAccountName: {{ .Values.upgradeCRDs.serviceAccount.name }}
       restartPolicy: Never
       {{- if .Values.image.pullSecrets }}
       imagePullSecrets:

cmd/build/helmify/static/templates/webhook-configs-pre-delete.yaml

@@ -26,7 +26,7 @@ spec:
       imagePullSecrets:
       {{- .Values.preUninstall.deleteWebhookConfigurations.image.pullSecrets | toYaml | nindent 12 }}
       {{- end }}
-      serviceAccount: gatekeeper-delete-webhook-configs
+      serviceAccount: {{ .Values.preUninstall.deleteWebhookConfigurations.serviceAccount.name }}
       {{- if .Values.preUninstall.deleteWebhookConfigurations.priorityClassName }}
       priorityClassName: {{ .Values.preUninstall.deleteWebhookConfigurations.priorityClassName }}
       {{- end }}
@@ -59,10 +59,11 @@ spec:
         {{- toYaml .tolerations | nindent 8 }}
       {{- end }}
 ---
+{{- if .Values.preUninstall.deleteWebhookConfigurations.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: gatekeeper-delete-webhook-configs
+  name: {{ .Values.preUninstall.deleteWebhookConfigurations.serviceAccount.name }}
   namespace: {{ .Release.Namespace | quote }}
   labels:
     {{- include "gatekeeper.commonLabels" . | nindent 4 }}
@@ -72,6 +73,7 @@ metadata:
     "helm.sh/hook": pre-delete
     "helm.sh/hook-weight": "-5"
     "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+{{- end }}
 ---
 {{- if .Values.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
@@ -131,7 +133,7 @@ roleRef:
   name: gatekeeper-delete-webhook-configs
 subjects:
   - kind: ServiceAccount
-    name: gatekeeper-delete-webhook-configs
+    name: {{ .Values.preUninstall.deleteWebhookConfigurations.name }}
     namespace: {{ .Release.Namespace | quote }}
 {{- end }}
 {{- end }}

cmd/build/helmify/static/values.yaml

@@ -60,6 +60,9 @@ preInstall:
       tag: v3.17.0-beta.0
 postUpgrade:
   labelNamespace:
+    serviceAccount:
+      name: gatekeeper-update-namespace-label-post-upgrade
+      create: true
     enabled: false
     image:
       repository: openpolicyagent/gatekeeper-crds
@@ -90,6 +93,9 @@ postUpgrade:
     runAsUser: 1000
 postInstall:
   labelNamespace:
+    serviceAccount:
+      name: gatekeeper-update-namespace-label
+      create: true
     enabled: true
     extraRules: []
     image:
@@ -131,6 +137,9 @@ postInstall:
     runAsUser: 1000
 preUninstall:
   deleteWebhookConfigurations:
+    serviceAccount:
+      name: gatekeeper-delete-webhook-configs
+      create: true
     extraRules: []
     enabled: false
     image:
@@ -159,6 +168,8 @@ podCountLimit: "100"
 secretAnnotations: {}
 enableRuntimeDefaultSeccompProfile: true
 controllerManager:
+  serviceAccount:
+    name: gatekeeper-admin
   exemptNamespaces: []
   exemptNamespacePrefixes: []
   hostNetwork: false
@@ -215,6 +226,8 @@ controllerManager:
       #   - ipBlock:
       #       cidr: 0.0.0.0/0
 audit:
+  serviceAccount:
+    name: gatekeeper-admin
   enablePubsub: false
   connection: audit-connection
   channel: audit-channel
@@ -272,6 +285,9 @@ disabledBuiltins: ["{http.send}"]
 psp:
   enabled: false
 upgradeCRDs:
+  serviceAccount:
+    create: true
+    name: gatekeeper-admin-upgrade-crds
   enabled: true
   extraRules: []
   priorityClassName: ""
@@ -280,3 +296,6 @@ rbac:
 externalCertInjection:
   enabled: false
   secretName: gatekeeper-webhook-server-cert
+serviceAccount:
+  gatekeeperAdmin:
+    create: true

manifest_staging/charts/gatekeeper/templates/gatekeeper-admin-serviceaccount.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.serviceAccount.gatekeeperAdmin.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -9,3 +10,4 @@ metadata:
     release: '{{ .Release.Name }}'
   name: gatekeeper-admin
   namespace: '{{ .Release.Namespace }}'
+{{- end }}

manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml

@@ -155,7 +155,7 @@ spec:
       {{- end }}
       securityContext:
         {{- toYaml .Values.audit.podSecurityContext | nindent 8 }}
-      serviceAccountName: gatekeeper-admin
+      serviceAccountName: {{ .Values.audit.serviceAccount.name }}
       terminationGracePeriodSeconds: 60
       tolerations:
         {{- toYaml .Values.audit.tolerations | nindent 8 }}

manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml

@@ -168,7 +168,7 @@ spec:
       {{- end }}
       securityContext:
         {{- toYaml .Values.controllerManager.podSecurityContext | nindent 8 }}
-      serviceAccountName: gatekeeper-admin
+      serviceAccountName: {{ .Values.controllerManager.serviceAccount.name }}
       terminationGracePeriodSeconds: 60
       tolerations:
         {{- toYaml .Values.controllerManager.tolerations | nindent 8 }}