feat: set default values for kyverno if activated via env var (#229)

rdksap · n3rdc4ptn · web-flow · commit f5f3d03d7a96 · 2025-11-20T15:50:40.000+01:00
* feat: set default values for kyverno if activated via env var

On-behalf-of: Radek Schekalla (SAP) &lt;radek.schekalla@sap.com&gt;
Signed-off-by: Radek Schekalla (SAP) &lt;radek.schekalla@sap.com&gt;

* feat: add env to helm chart deployment tempalte and values

On-behalf-of: Radek Schekalla (SAP) &lt;radek.schekalla@sap.com&gt;
Signed-off-by: Radek Schekalla (SAP) &lt;radek.schekalla@sap.com&gt;

* Update internal/controller/core/cloudorchestrator/controller.go

Co-authored-by: Moritz Marby &lt;moritz.marby@minest.de&gt;

* Update internal/controller/core/cloudorchestrator/controller.go

Co-authored-by: Moritz Marby &lt;moritz.marby@minest.de&gt;

---------

Signed-off-by: Radek Schekalla (SAP) &lt;radek.schekalla@sap.com&gt;
Co-authored-by: Moritz Marby &lt;moritz.marby@minest.de&gt;
diff --git a/charts/mcp-operator/templates/deployment.yaml b/charts/mcp-operator/templates/deployment.yaml
@@ -91,6 +91,10 @@ spec:
         {{- if .Values.apiserver.worker.intervalTime }}
         - --apiserver-worker-interval={{ .Values.apiserver.worker.intervalTime }}
         {{- end }}
+        env:
+        {{- with .Values.managedcontrolplane.extraEnv }}
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         ports:
         {{- if not .Values.webhooks.disabled }}
           - name: webhooks-https
diff --git a/charts/mcp-operator/values.yaml b/charts/mcp-operator/values.yaml
@@ -54,6 +54,9 @@ webhooks:
 managedcontrolplane:
   disabled: false
 
+  # Extra environment variables to add to the init container.
+  extraEnv: [ ]
+
 apiserver:
   disabled: false
   # architecture:
diff --git a/internal/controller/core/cloudorchestrator/controller.go b/internal/controller/core/cloudorchestrator/controller.go
@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"os"
 	"strings"
 	"time"
 
@@ -42,6 +43,43 @@ import (
 const (
 	defaultNamespace string = "openmcp-system" // TODO make this configurable
 	ControllerName   string = "CloudOrchestrator"
+
+	envEnableKyvernoDefaultValues string = "ENABLE_KYVERNO_DEFAULT_VALUES"
+	kyvernoDefaultValues          string = `{
+  "config": {
+    "excludeGroups": [
+      "system:nodes"
+    ],
+    "preserve": false,
+    "resourceFilters": [
+      "[*/*,kyverno,*]",
+      "[*/*,istio-system,*]",
+      "[*/*,kyma-system,*]",
+      "[*/*,kube-system,*]",
+      "[*/*,kube-public,*]",
+      
+    ],
+    "updateRequestThreshold": 5000,
+    "webhooks": {
+      "namespaceSelector": {
+        "matchExpressions": [
+          {
+            "key": "kubernetes.io/metadata.name",
+            "operator": "NotIn",
+            "values": [
+              "kube-system",
+              "kyverno",
+              "istio-system",
+              "kube-public",
+              "kyma-system",
+              
+            ]
+          }
+        ]
+      }
+    }
+  }
+}`
 )
 
 var (
@@ -367,8 +405,14 @@ func convertToControlPlaneSpec(coSpec *openmcpv1alpha1.CloudOrchestratorSpec, ap
 	}
 
 	if coSpec.Kyverno != nil {
+		var values *apiextensionsv1.JSON
+		if os.Getenv(envEnableKyvernoDefaultValues) == "true" {
+			values = &apiextensionsv1.JSON{Raw: []byte(kyvernoDefaultValues)}
+		}
+
 		controlPlaneSpec.Kyverno = &corev1beta1.KyvernoConfig{
 			Version: coSpec.Kyverno.Version,
+			Values:  values,
 		}
 	}
 
