config/helm/appmesh-controller/templates/webhook.yaml

{{ $tls := fromYaml ( include "appmesh-controller.gen-certs" . ) }} {{ $fullName := ( include "appmesh-controller.fullname" . ) }} {{ $webhookConfig := .Files.Get "webhookconfig.yaml" | fromYaml }} --- {{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }} apiVersion: admissionregistration.k8s.io/v1 {{- else }} apiVersion: admissionregistration.k8s.io/v1beta1 {{- end }} kind: MutatingWebhookConfiguration metadata: {{- if $.Values.enableCertManager }} annotations: cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ template "appmesh-controller.fullname" . }}-serving-cert {{- end }} name: {{ template "appmesh-controller.fullname" . }}-mutating-webhook-configuration labels: {{ include "appmesh-controller.labels" . | indent 4 }} webhooks: {{- range $res := $webhookConfig.customResources }} - clientConfig: service: name: {{ $fullName }}-webhook-service namespace: {{ $.Release.Namespace }} path: /mutate-appmesh-k8s-aws-v1beta2-{{ $res.name }} caBundle: {{ if not $.Values.enableCertManager -}}{{ $tls.caCert }}{{- else -}}Cg=={{ end }} failurePolicy: Fail name: m{{ $res.name }}.appmesh.k8s.aws rules: - apiGroups: - appmesh.k8s.aws apiVersions: - v1beta2 operations: - CREATE - UPDATE resources: - {{ $res.resource }} sideEffects: None admissionReviewVersions: - v1beta1 {{- end }} - clientConfig: caBundle: {{ if not $.Values.enableCertManager -}}{{ $tls.caCert }}{{- else -}}Cg=={{ end }} service: name: {{ $fullName }}-webhook-service namespace: {{ $.Release.Namespace }} path: /mutate-v1-pod failurePolicy: Fail name: mpod.appmesh.k8s.aws namespaceSelector: matchExpressions: - key: appmesh.k8s.aws/sidecarInjectorWebhook operator: In values: - enabled - disabled rules: - apiGroups: - "" apiVersions: - v1 operations: - CREATE resources: - pods sideEffects: None admissionReviewVersions: - v1beta1 --- {{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }} apiVersion: admissionregistration.k8s.io/v1 {{- else }} apiVersion: admissionregistration.k8s.io/v1beta1 {{- end }} kind: ValidatingWebhookConfiguration metadata: {{- if $.Values.enableCertManager }} annotations: cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ template "appmesh-controller.fullname" . }}-serving-cert {{- end }} name: {{ template "appmesh-controller.fullname" . }}-validating-webhook-configuration labels: {{ include "appmesh-controller.labels" . | indent 4 }} webhooks: {{- range $res := $webhookConfig.customResources }} - clientConfig: service: name: {{ $fullName }}-webhook-service namespace: {{ $.Release.Namespace }} path: /validate-appmesh-k8s-aws-v1beta2-{{ $res.name }} caBundle: {{ if not $.Values.enableCertManager -}}{{ $tls.caCert }}{{- else -}}Cg=={{ end }} failurePolicy: Fail name: v{{ $res.name }}.appmesh.k8s.aws rules: - apiGroups: - appmesh.k8s.aws apiVersions: - v1beta2 operations: - CREATE - UPDATE resources: - {{ $res.resource }} sideEffects: None admissionReviewVersions: - v1beta1 {{- end }} --- {{- if not $.Values.enableCertManager }} apiVersion: v1 kind: Secret metadata: name: {{ template "appmesh-controller.fullname" . }}-webhook-server-cert namespace: {{ .Release.Namespace }} labels: {{ include "appmesh-controller.labels" . | indent 4 }} type: kubernetes.io/tls data: ca.crt: {{ $tls.caCert }} tls.crt: {{ $tls.clientCert }} tls.key: {{ $tls.clientKey }} {{- else }} {{- if .Capabilities.APIVersions.Has "cert-manager.io/v1" }} apiVersion: cert-manager.io/v1 {{- else }} apiVersion: cert-manager.io/v1alpha2 {{- end }} kind: Certificate metadata: name: {{ template "appmesh-controller.fullname" . }}-serving-cert namespace: {{ .Release.Namespace }} labels: {{ include "appmesh-controller.labels" . | indent 4 }} spec: dnsNames: - {{ template "appmesh-controller.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc - {{ template "appmesh-controller.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc.cluster.local issuerRef: kind: Issuer name: {{ template "appmesh-controller.fullname" . }}-selfsigned-issuer secretName: {{ template "appmesh-controller.fullname" . }}-webhook-server-cert --- {{- if .Capabilities.APIVersions.Has "cert-manager.io/v1" }} apiVersion: cert-manager.io/v1 {{- else }} apiVersion: cert-manager.io/v1alpha2 {{- end }} kind: Issuer metadata: name: {{ template "appmesh-controller.fullname" . }}-selfsigned-issuer namespace: {{ .Release.Namespace }} labels: {{ include "appmesh-controller.labels" . | indent 4 }} spec: selfSigned: {} {{- end }}

config/helm/appmesh-controller/templates/webhook.yaml (157 lines of code) (raw):