  • Update OPA to 0.36.1 and MGMT to 3.2.1 · 2da0a5e3
    Jack Henschel authored
    Since we are upgrading the chart from 1.x to 3.x, several aspects
    have changed:
    
    1) admissionController configuration has been moved into its own
    section
    2) RBAC rules can no longer be injected into the chart, so we need to
    provision the ClusterRole and ClusterRoleBinding ourselves. Then, we
    attach it to the ServiceAccount created by the Helm chart
    3) Probes are no longer configurable (not necessary due to 4)
    4) Enable OPA decision logs instead of HTTP logs
    5) Between admission.k8s.io/v1beta1 and v1 there are two changes we
    need to respect in our "default-system-main" rule: we need to return
    the UID sent in the request, and for the patches we need to specify the
    patchType (in our case JSON).
    
    The new version of the MGMT chart also includes the fix submitted by
    Alex to make cert-manager certs duration configurable:
    https://github.com/open-policy-agent/kube-mgmt/pull/120
    
    https://github.com/open-policy-agent/opa/releases/tag/v0.36.1
    
    Required for OKD 4.9 upgrade, since Kubernetes 1.22 removed several beta APIs.
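
The two response changes named in item 5, as an added example that is not part of the commit or the project's code: a Python check that a webhook reply satisfies admission.k8s.io/v1 (UID echoed, `patchType` set alongside a base64-encoded JSON Patch). The function name and all sample objects are constructed for illustration.

```python
import base64
import json

def check_v1_response(request_review, response_review):
    """List what makes a webhook reply invalid under admission.k8s.io/v1."""
    problems = []
    if response_review.get("apiVersion") != "admission.k8s.io/v1":
        problems.append("apiVersion must be admission.k8s.io/v1")
    if response_review.get("kind") != "AdmissionReview":
        problems.append("kind must be AdmissionReview")
    resp = response_review.get("response") or {}
    req_uid = (request_review.get("request") or {}).get("uid")
    if not req_uid or resp.get("uid") != req_uid:
        problems.append("response.uid must echo request.uid")
    if not isinstance(resp.get("allowed"), bool):
        problems.append("response.allowed must be a boolean")
    if ("patch" in resp) != ("patchType" in resp):
        problems.append("patch and patchType must be set together")
    if "patchType" in resp and resp["patchType"] != "JSONPatch":
        problems.append("patchType must be JSONPatch")
    if "patch" in resp:
        try:  # on the wire the patch is base64 over a JSON Patch array
            ops = json.loads(base64.b64decode(resp["patch"], validate=True))
        except (ValueError, TypeError):
            ops = None
        if not (isinstance(ops, list) and all(
                isinstance(o, dict) and "op" in o and "path" in o for o in ops)):
            problems.append("patch must be base64-encoded JSON Patch operations")
    return problems

# Constructed sample data (not taken from the commit).
PATCH = base64.b64encode(json.dumps(
    [{"op": "add", "path": "/metadata/labels/reviewed", "value": "true"}]
).encode()).decode()
REQUEST = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
           "request": {"uid": "00000000-0000-0000-0000-000000000001"}}
# Reply shaped like a rule that was not updated for v1: no uid, no patchType.
OLD_REPLY = {"apiVersion": "admission.k8s.io/v1beta1", "kind": "AdmissionReview",
             "response": {"allowed": True, "patch": PATCH}}
# Reply with the UID echoed and the patch type declared.
NEW_REPLY = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
             "response": {"uid": REQUEST["request"]["uid"], "allowed": True,
                          "patchType": "JSONPatch", "patch": PATCH}}

if __name__ == "__main__":
    for name, reply in (("old", OLD_REPLY), ("new", NEW_REPLY)):
        print(name, check_v1_response(REQUEST, reply))
```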