From 8392122561954715029f3ae778fbe1a6119721c1 Mon Sep 17 00:00:00 2001
From: Jaydip Gabani
Date: Fri, 8 May 2026 17:12:33 +0000
Subject: [PATCH 1/3] add gatekeeper as optional component
Signed-off-by: Jaydip Gabani
---
 recipes/checks/gatekeeper/health-check.yaml | 80 +++++++++++++++++++++
 recipes/components/gatekeeper/values.yaml | 66 +++++++++++++++++
 recipes/registry.yaml | 23 ++++++
 3 files changed, 169 insertions(+)
 create mode 100644 recipes/checks/gatekeeper/health-check.yaml
 create mode 100644 recipes/components/gatekeeper/values.yaml
diff --git a/recipes/checks/gatekeeper/health-check.yaml b/recipes/checks/gatekeeper/health-check.yaml
new file mode 100644
index 000000000..57941001f
--- /dev/null
+++ b/recipes/checks/gatekeeper/health-check.yaml
@@ -0,0 +1,80 @@ +# Copyright (c) 2026, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Gatekeeper Health Check +# +# Validates that gatekeeper-controller-manager and gatekeeper-audit are +# running and healthy in the gatekeeper-system namespace. Guards against +# vacuous pass on empty namespace by asserting both Deployments exist with +# at least one available replica, then asserts no pods are stuck in +# Pending, Failed, or Unknown phases. +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: gatekeeper-health-check +spec: + timeouts: + assert: 5m + steps: + - name: validate-controller-manager-deployment + try: + - assert: + resource: + apiVersion: apps/v1 + kind: Deployment + metadata: + name: gatekeeper-controller-manager + namespace: gatekeeper-system + status: + (availableReplicas > `0`): true + - name: validate-audit-deployment + try: + - assert: + resource: + apiVersion: apps/v1 + kind: Deployment + metadata: + name: gatekeeper-audit + namespace: gatekeeper-system + status: + (availableReplicas > `0`): true + - name: validate-all-pods-healthy + try: + # Assert no pods are in unhealthy phases. + # Pods must be Running (long-lived) or Succeeded (completed jobs). + # This catches Pending (init containers, scheduling), Failed, and Unknown. 
+ - error: + resource: + apiVersion: v1 + kind: Pod + metadata: + namespace: gatekeeper-system + status: + phase: Pending + - error: + resource: + apiVersion: v1 + kind: Pod + metadata: + namespace: gatekeeper-system + status: + phase: Failed + - error: + resource: + apiVersion: v1 + kind: Pod + metadata: + namespace: gatekeeper-system + status: + phase: Unknown diff --git a/recipes/components/gatekeeper/values.yaml b/recipes/components/gatekeeper/values.yaml new file mode 100644 index 000000000..037277335 --- /dev/null +++ b/recipes/components/gatekeeper/values.yaml 
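Review bot: The Deployment assertions in the validate-controller-manager-deployment and validate-audit-deployment steps only require `availableReplicas > 0`, so with `replicas: 3` pinned for the controller-manager in values.yaml a webhook running on one of three replicas still passes this health check. Comparing against the desired count catches a degraded admission path: put `(status.availableReplicas == spec.replicas): true` at the resource root of each assert instead of the `status`-level expression. Only `timeouts.assert` is raised to 5m; the three `error` steps fall back to chainsaw's default error timeout (30s, if I recall the defaults correctly), so a chart hook pod that is briefly Pending right after install would fail the test — consider setting `timeouts.error` alongside `assert`. The header comment promising a guard against "vacuous pass on empty namespace" is only as strong as those two Deployment asserts, so tightening them also makes that comment accurate.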
@@ -0,0 +1,66 @@ +# Copyright (c) 2026, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Gatekeeper Helm values +# Base configuration for the open-policy-agent/gatekeeper admission controller. +# +# This is an OPTIONAL component — it is not referenced by recipes/overlays/base.yaml. +# Recipes opt in either via spec.mixins (recipes/mixins/platform-gatekeeper.yaml) +# or by adding gatekeeper directly to spec.componentRefs. + +# Namespace and naming. The chart defaults already match these, but pinning +# them here makes the bundle output deterministic. +namespace: gatekeeper-system + +# Replicas. The top-level `replicas` field in the upstream chart governs +# controller-manager replica count; 3 is appropriate for an admission +# webhook on the request path. Audit replicas are pinned to 1 (default). +replicas: 3 + +# Resources — conservative caps. These match the upstream chart defaults +# at v3.22.x and are pinned to make the bundle reproducible. +controllerManager: + resources: + requests: + cpu: 100m + memory: 256Mi + limits: + cpu: 1000m + memory: 512Mi + +audit: + replicas: 1 + resources: + requests: + cpu: 100m + memory: 256Mi + limits: + cpu: 1000m + memory: 512Mi + +# Disable PodDisruptionBudgets in single-node / kind environments by default. +# Production overlays can re-enable via --set gatekeeper:disableMutation=false. +podDisruptionBudget: + enabled: false + +# Mutating admission is gated behind a chart flag. 
Leave disabled by default +# so the component installs as a validating-only admission controller. +disableMutation: true + +# Audit interval (seconds). 60s is the upstream default and is suitable for +# both small and large clusters. +auditInterval: 60 + +# Constraint violations limit per Constraint resource. Upstream default. +constraintViolationsLimit: 20 diff --git a/recipes/registry.yaml b/recipes/registry.yaml index c86f5826c..d9f430c0a 100644 --- a/recipes/registry.yaml +++ b/recipes/registry.yaml @@ -520,3 +520,26 @@ components: - acceleratedNodeSelector tolerationPaths: - acceleratedTolerations + + - name: gatekeeper + displayName: Gatekeeper + valueOverrideKeys: + - gatekeeper + healthCheck: + assertFile: checks/gatekeeper/health-check.yaml + helm: + defaultRepository: https://open-policy-agent.github.io/gatekeeper/charts + defaultChart: gatekeeper/gatekeeper + defaultVersion: 3.22.2 + defaultNamespace: gatekeeper-system + nodeScheduling: + # Gatekeeper is an admission controller — it has no GPU-bound workload, + # so only system-tier paths are wired. Both long-running deployments + # (controller-manager, audit) accept the same selectors/tolerations. + system: + nodeSelectorPaths: + - controllerManager.nodeSelector + - audit.nodeSelector + tolerationPaths: + - controllerManager.tolerations + - audit.tolerations From fe30672df9ad5cc9ab7e98c3df1fe20ebe5f0cc5 Mon Sep 17 00:00:00 2001 From: Jaydip Gabani Date: Fri, 8 May 2026 20:22:53 +0000 Subject: [PATCH 2/3] update comment to accurately describe variable Signed-off-by: Jaydip Gabani --- recipes/components/gatekeeper/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes/components/gatekeeper/values.yaml b/recipes/components/gatekeeper/values.yaml index 037277335..8058ff3b0 100644 --- a/recipes/components/gatekeeper/values.yaml +++ b/recipes/components/gatekeeper/values.yaml 
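Review bot: Nothing in this values file sets the admission webhook's failure policy, which (as far as I recall the gatekeeper chart) is left fail-open via `validatingWebhookFailurePolicy`, meaning requests are admitted unchecked whenever the controller-manager is unavailable; the file already pins chart defaults "to make the bundle reproducible", and this is the one default with a security consequence, so it deserves an explicit value or at least a documented decision. Near `replicas: 3` add: `# NOTE: the webhook failure policy is left at the chart default (fail-open); production overlays that need fail-closed enforcement must set it explicitly and size replicas to match.` The `namespace: gatekeeper-system` key is also declared as `defaultNamespace: gatekeeper-system` in recipes/registry.yaml in this same series; the comment here claims the value is pinned for determinism, so it should say which of the two is authoritative, since they can drift.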
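Review bot: `defaultVersion: 3.22.2` is a plain scalar; three components keep it a string today, but the next bump to a two-component tag (e.g. 3.23) would be read as a float by the YAML loader, so quote it now: `defaultVersion: "3.22.2"` (match whatever the neighbouring component entries above this hunk do, which are not visible here). The chart is pinned by version only, with no digest or provenance reference; if the registry schema has a field for that, a third-party admission controller is the component where it is most worth using, otherwise a one-line comment that the version tag is the sole pin would make the trust decision explicit.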
@@ -50,7 +50,7 @@ audit: memory: 512Mi # Disable PodDisruptionBudgets in single-node / kind environments by default. -# Production overlays can re-enable via --set gatekeeper:disableMutation=false. +# Production overlays can re-enable via --set gatekeeper:podDisruptionBudget.enabled=true. podDisruptionBudget: enabled: false From c45a9e1323cd9c505fbd5a8bcbed77de9687e95d Mon Sep 17 00:00:00 2001 From: Jaydip Gabani Date: Wed, 13 May 2026 00:48:05 +0000 Subject: [PATCH 3/3] remove pdb variable Signed-off-by: Jaydip Gabani --- recipes/components/gatekeeper/values.yaml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/recipes/components/gatekeeper/values.yaml b/recipes/components/gatekeeper/values.yaml index 8058ff3b0..515d490a1 100644 --- a/recipes/components/gatekeeper/values.yaml +++ b/recipes/components/gatekeeper/values.yaml @@ -49,11 +49,6 @@ audit: cpu: 1000m memory: 512Mi -# Disable PodDisruptionBudgets in single-node / kind environments by default. -# Production overlays can re-enable via --set gatekeeper:podDisruptionBudget.enabled=true. -podDisruptionBudget: - enabled: false - # Mutating admission is gated behind a chart flag. Leave disabled by default # so the component installs as a validating-only admission controller. disableMutation: true