recipe: add gatekeeper as optional component

recipes/checks/gatekeeper/health-check.yaml

@@ -0,0 +1,80 @@
+# Copyright (c) 2026, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Gatekeeper Health Check
+#
+# Validates that gatekeeper-controller-manager and gatekeeper-audit are
+# running and healthy in the gatekeeper-system namespace. Guards against
+# vacuous pass on empty namespace by asserting both Deployments exist with
+# at least one available replica, then asserts no pods are stuck in
+# Pending, Failed, or Unknown phases.
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: gatekeeper-health-check
+spec:
+  timeouts:
+    assert: 5m
+  steps:
+    - name: validate-controller-manager-deployment
+      try:
+        - assert:
+            resource:
+              apiVersion: apps/v1
+              kind: Deployment
+              metadata:
+                name: gatekeeper-controller-manager
+                namespace: gatekeeper-system
+              status:
+                (availableReplicas > `0`): true
+    - name: validate-audit-deployment
+      try:
+        - assert:
+            resource:
+              apiVersion: apps/v1
+              kind: Deployment
+              metadata:
+                name: gatekeeper-audit
+                namespace: gatekeeper-system
+              status:
+                (availableReplicas > `0`): true
+    - name: validate-all-pods-healthy
+      try:
+        # Assert no pods are in unhealthy phases.
+        # Pods must be Running (long-lived) or Succeeded (completed jobs).
+        # This catches Pending (init containers, scheduling), Failed, and Unknown.
+        - error:
+            resource:
+              apiVersion: v1
+              kind: Pod
+              metadata:
+                namespace: gatekeeper-system
+              status:
+                phase: Pending
+        - error:
+            resource:
+              apiVersion: v1
+              kind: Pod
+              metadata:
+                namespace: gatekeeper-system
+              status:
+                phase: Failed
+        - error:
+            resource:
+              apiVersion: v1
+              kind: Pod
+              metadata:
+                namespace: gatekeeper-system
+              status:
+                phase: Unknown

recipes/components/gatekeeper/values.yaml

@@ -0,0 +1,61 @@
+# Copyright (c) 2026, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Gatekeeper Helm values
+# Base configuration for the open-policy-agent/gatekeeper admission controller.
+#
+# This is an OPTIONAL component — it is not referenced by recipes/overlays/base.yaml.
+# Recipes opt in either via spec.mixins (recipes/mixins/platform-gatekeeper.yaml)
+# or by adding gatekeeper directly to spec.componentRefs.
+
+# Namespace and naming. The chart defaults already match these, but pinning
+# them here makes the bundle output deterministic.
+namespace: gatekeeper-system
+
+# Replicas. The top-level `replicas` field in the upstream chart governs
+# controller-manager replica count; 3 is appropriate for an admission
+# webhook on the request path. Audit replicas are pinned to 1 (default).
+replicas: 3
+
+# Resources — conservative caps. These match the upstream chart defaults
+# at v3.22.x and are pinned to make the bundle reproducible.
+controllerManager:
+  resources:
+    requests:
+      cpu: 100m
+      memory: 256Mi
+    limits:
+      cpu: 1000m
+      memory: 512Mi
+
+audit:
+  replicas: 1
+  resources:
+    requests:
+      cpu: 100m
+      memory: 256Mi
+    limits:
+      cpu: 1000m
+      memory: 512Mi
+
+# Mutating admission is gated behind a chart flag. Leave disabled by default
+# so the component installs as a validating-only admission controller.
+disableMutation: true
+
+# Audit interval (seconds). 60s is the upstream default and is suitable for
+# both small and large clusters.
+auditInterval: 60
+
+# Constraint violations limit per Constraint resource. Upstream default.
+constraintViolationsLimit: 20

recipes/registry.yaml

@@ -520,3 +520,26 @@ components:
           - acceleratedNodeSelector
         tolerationPaths:
           - acceleratedTolerations
+
+  - name: gatekeeper
+    displayName: Gatekeeper
+    valueOverrideKeys:
+      - gatekeeper
+    healthCheck:
+      assertFile: checks/gatekeeper/health-check.yaml
+    helm:
+      defaultRepository: https://open-policy-agent.github.io/gatekeeper/charts
+      defaultChart: gatekeeper/gatekeeper
+      defaultVersion: 3.22.2
+      defaultNamespace: gatekeeper-system
+    nodeScheduling:
+      # Gatekeeper is an admission controller — it has no GPU-bound workload,
+      # so only system-tier paths are wired. Both long-running deployments
+      # (controller-manager, audit) accept the same selectors/tolerations.
+      system:
+        nodeSelectorPaths:
+          - controllerManager.nodeSelector
+          - audit.nodeSelector
+        tolerationPaths:
+          - controllerManager.tolerations
+          - audit.tolerations