feat: Add opt-in option for zarf init#4467
Conversation
✅ Deploy Preview for zarf-docs canceled.
|
Signed-off-by: Yuval Simon <yuval.simon@vastdata.com>
yuvalsimon
force-pushed
the
feature/mutate
branch
from
cfeb69a to
979296e
Compare
|
Hello @yuvalsimon, really appreciate you making this PR. This is definitely a workflow that I feel Zarf should support. I am curious about your use cases. Could you tell me situations where you tend to use agent-objects-mode=active. Do you tend to only want mutations on certain kinds of resources, for instance, you want to mutate pods, but not Flux Git Repositories? Or is it the case where you want one package mutated in a namespace, but not the other? From the issue I see that you have kyverno adding this label. I think for the best user experience, we would want these labels to be automatically added to namespaces Helm post-renderer in AdoptZarfManagedLabels. This way any Zarf deployments automatically opt into mutation. Something similar could be done for pods and argo / flux resources. Do you have use cases, where you would not want this behavior? |
3 participants
Description
This PR adds flags
--agent-namespaces-mode=[active|passive]and--agent-objects-mode=[active|passive]tozarf initcommand. By default, both are set to active. When using either of them to passive, MutatingWebhookConfiguration will be deployed with rules that enforce namespaces/objects to be labeled withzarf.dev/agent: mutate, or else the images won't be mutated. An exception that was added is zarf namespace, there effectively modes are always active (which enables us deploy there Gitea for instance)examples:
zarf.dev/agent: mutatethen like current zarf behaviour on this whole namespace. Otherwise no images are mutated at all. If the pod is labeled withzarf.dev/agent: ignore, then it won't be mutated neither.zarf.dev/agent: mutatethen image is mutated pod. Otherwise no mutation is applied.zarf.dev/agent: mutatethen image mutation occurs.Related Issue
Relates to #4419
Checklist before merging