{{- $tlsCrt := "" }} {{- $tlsKey := "" }} {{- $caCrt := "" }} {{- if .Values.certificate.generate }} {{- $ca := genCA "svc-cat-ca" 3650 }} {{- $svcName := include "vault-secrets-webhook.fullname" . }} {{- $cn := printf "%s.%s.svc" $svcName .Release.Namespace }} {{- $altName1 := printf "%s.cluster.local" $cn }} {{- $altName2 := printf "%s" $cn }} {{- $server := genSignedCert $cn nil (concat (list $altName1 $altName2) .Values.certificate.extraAltNames) 365 $ca }} {{- $tlsCrt = b64enc $server.Cert }} {{- $tlsKey = b64enc $server.Key }} {{- $caCrt = b64enc $ca.Cert }} {{- else if .Values.certificate.useCertManager }} {{/* Create a new Certificate with cert-manager. */}} {{/* all clientConfig.caBundle will be overridden by cert-manager */}} {{- else if .Values.certificate.servingCertificate }} {{/* Use an already externally defined Certificate by cert-manager. */}} {{/* all clientConfig.caBundle will be overridden by cert-manager */}} {{- else }} {{- $tlsCrt = required "Value certificate.server.tls.crt is required when certificate.generate is false" .Values.certificate.server.tls.crt }} {{- $tlsKey = required "Value certificate.server.tls.key is required when certificate.generate is false" .Values.certificate.server.tls.key }} {{- $caCrt = required "Value certificate.ca.crt is required when certificate.generate is false" .Values.certificate.ca.crt }} {{- end }} {{- $secretsNamespaceSelector := default dict }} {{- $secretsObjectSelector := default dict }} {{- $configmapsNamespaceSelector := default dict }} {{- $configmapsObjectSelector := default dict }} {{- $podsNamespaceSelector := default dict }} {{- $podsObjectSelector := default dict }} {{- $crNamespaceSelector := default dict }} {{- $crObjectSelector := default dict }} {{- if .Values.secrets.namespaceSelector }} {{- $secretsNamespaceSelector = .Values.secrets.namespaceSelector }} {{- else }} {{- $secretsNamespaceSelector = .Values.namespaceSelector }} {{- end }} {{- if .Values.secrets.objectSelector }} {{- $secretsObjectSelector = .Values.secrets.objectSelector }} {{- else }} {{- $secretsObjectSelector = .Values.objectSelector }} {{- end }} {{- if .Values.configMaps.namespaceSelector }} {{- $configmapsNamespaceSelector = .Values.configMaps.namespaceSelector }} {{- else }} {{- $configmapsNamespaceSelector = .Values.namespaceSelector }} {{- end }} {{- if .Values.configMaps.objectSelector }} {{- $configmapsObjectSelector = .Values.configMaps.objectSelector }} {{- else }} {{- $configmapsObjectSelector = .Values.objectSelector }} {{- end }} {{- if .Values.pods.namespaceSelector }} {{- $podsNamespaceSelector = .Values.pods.namespaceSelector }} {{- else }} {{- $podsNamespaceSelector = .Values.namespaceSelector }} {{- end }} {{- if .Values.pods.objectSelector }} {{- $podsObjectSelector = .Values.pods.objectSelector }} {{- else }} {{- $podsObjectSelector = .Values.objectSelector }} {{- end }} {{- if .Values.customResources.namespaceSelector }} {{- $crNamespaceSelector = .Values.customResources.namespaceSelector }} {{- else }} {{- $crNamespaceSelector = .Values.namespaceSelector }} {{- end }} {{- if .Values.customResources.objectSelector }} {{- $crObjectSelector = .Values.customResources.objectSelector }} {{- else }} {{- $crObjectSelector = .Values.objectSelector }} {{- end }} {{- if $tlsCrt }} apiVersion: v1 kind: Secret metadata: name: {{ include "vault-secrets-webhook.servingCertificate" . }} namespace: {{ .Release.Namespace }} data: tls.crt: {{ $tlsCrt }} tls.key: {{ $tlsKey }} ca.crt: {{ $caCrt }} {{- end }} --- {{- if semverCompare ">=1.16-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }} apiVersion: admissionregistration.k8s.io/v1 {{- else }} apiVersion: admissionregistration.k8s.io/v1beta1 {{- end }} kind: MutatingWebhookConfiguration metadata: name: {{ template "vault-secrets-webhook.fullname" . }} namespace: {{ .Release.Namespace }} {{- if .Values.certificate.useCertManager }} annotations: cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "vault-secrets-webhook.servingCertificate" . }}" {{- else if .Values.certificate.servingCertificate }} annotations: cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ .Values.certificate.servingCertificate }}" {{- end }} webhooks: - name: pods.{{ template "vault-secrets-webhook.name" . }}.admission.banzaicloud.com {{- if semverCompare ">=1.14-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }} {{- with .Values.reinvocationPolicy }} reinvocationPolicy: {{ . }} {{- end }} admissionReviewVersions: ["v1beta1"] {{- if .Values.timeoutSeconds }} timeoutSeconds: {{ .Values.timeoutSeconds }} {{- end }} {{- end }} clientConfig: {{- if .Values.webhookClientConfig.useUrl }} url: {{ .Values.webhookClientConfig.url }} {{- else }} service: namespace: {{ .Release.Namespace }} name: {{ template "vault-secrets-webhook.fullname" . }} path: /pods {{- end }} caBundle: {{ $caCrt }} rules: - operations: - CREATE apiGroups: - "*" apiVersions: - "*" resources: - pods failurePolicy: {{ .Values.podsFailurePolicy }} namespaceSelector: {{- if $podsNamespaceSelector.matchLabels }} matchLabels: {{ toYaml $podsNamespaceSelector.matchLabels | indent 6 }} {{- end }} matchExpressions: {{- if $podsNamespaceSelector.matchExpressions }} {{ toYaml $podsNamespaceSelector.matchExpressions | indent 4 }} {{- end }} - key: name operator: NotIn values: - {{ .Release.Namespace }} {{- if semverCompare ">=1.15-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }} objectSelector: {{- if $podsObjectSelector.matchLabels }} matchLabels: {{ toYaml $podsObjectSelector.matchLabels | indent 6 }} {{- end }} matchExpressions: {{- if $podsObjectSelector.matchExpressions }} {{ toYaml $podsObjectSelector.matchExpressions | indent 4 }} {{- end }} - key: security.banzaicloud.io/mutate operator: NotIn values: - skip {{- end }} {{- if semverCompare ">=1.12-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }} sideEffects: {{ .Values.apiSideEffectValue }} {{- end }} {{- if .Values.secretsMutation }} - name: secrets.{{ template "vault-secrets-webhook.name" . }}.admission.banzaicloud.com {{- with .Values.reinvocationPolicy }} reinvocationPolicy: {{ . }} {{- end }} {{- if semverCompare ">=1.14-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }} admissionReviewVersions: ["v1beta1"] {{- if .Values.timeoutSeconds }} timeoutSeconds: {{ .Values.timeoutSeconds }} {{- end }} {{- end }} clientConfig: {{- if .Values.webhookClientConfig.useUrl }} url: {{ .Values.webhookClientConfig.url }} {{- else }} service: namespace: {{ .Release.Namespace }} name: {{ template "vault-secrets-webhook.fullname" . }} path: /secrets {{- end }} caBundle: {{ $caCrt }} rules: - operations: - CREATE - UPDATE apiGroups: - "*" apiVersions: - "*" resources: - secrets failurePolicy: {{ .Values.secretsFailurePolicy }} namespaceSelector: {{- if $secretsNamespaceSelector.matchLabels }} matchLabels: {{ toYaml $secretsNamespaceSelector.matchLabels | indent 6 }} {{- end }} matchExpressions: {{- if $secretsNamespaceSelector.matchExpressions }} {{ toYaml $secretsNamespaceSelector.matchExpressions | indent 4 }} {{- end }} - key: name operator: NotIn values: - {{ .Release.Namespace }} {{- if semverCompare ">=1.15-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }} objectSelector: {{- if $secretsObjectSelector.matchLabels }} matchLabels: {{ toYaml $secretsObjectSelector.matchLabels | indent 6 }} {{- end }} matchExpressions: {{- if $secretsObjectSelector.matchExpressions }} {{ toYaml $secretsObjectSelector.matchExpressions | indent 4 }} {{- end }} - key: owner operator: NotIn values: - helm - key: security.banzaicloud.io/mutate operator: NotIn values: - skip {{- end }} {{- if semverCompare ">=1.12-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }} sideEffects: {{ .Values.apiSideEffectValue }} {{- end }} {{- end }} {{- if .Values.configMapMutation }} - name: configmaps.{{ template "vault-secrets-webhook.name" . }}.admission.banzaicloud.com {{- if semverCompare ">=1.14-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }} admissionReviewVersions: ["v1beta1"] {{- with .Values.reinvocationPolicy }} reinvocationPolicy: {{ . }} {{- end }} {{- if .Values.timeoutSeconds }} timeoutSeconds: {{ .Values.timeoutSeconds }} {{- end }} {{- end }} clientConfig: {{- if .Values.webhookClientConfig.useUrl }} url: {{ .Values.webhookClientConfig.url }} {{- else }} service: namespace: {{ .Release.Namespace }} name: {{ template "vault-secrets-webhook.fullname" . }} path: /configmaps {{- end }} caBundle: {{ $caCrt }} rules: - operations: - CREATE - UPDATE apiGroups: - "*" apiVersions: - "*" resources: - configmaps failurePolicy: {{ .Values.configmapFailurePolicy | default .Values.configMapFailurePolicy }} namespaceSelector: {{- if $configmapsNamespaceSelector.matchLabels }} matchLabels: {{ toYaml $configmapsNamespaceSelector.matchLabels | indent 6 }} {{- end }} matchExpressions: {{- if $configmapsNamespaceSelector.matchExpressions }} {{ toYaml $configmapsNamespaceSelector.matchExpressions | indent 4 }} {{- end }} - key: name operator: NotIn values: - {{ .Release.Namespace }} {{- if semverCompare ">=1.15-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }} objectSelector: {{- if $configmapsObjectSelector.matchLabels }} matchLabels: {{ toYaml $configmapsObjectSelector.matchLabels | indent 6 }} {{- end }} matchExpressions: {{- if $configmapsObjectSelector.matchExpressions }} {{ toYaml $configmapsObjectSelector.matchExpressions | indent 4 }} {{- end }} - key: owner operator: NotIn values: - helm - key: security.banzaicloud.io/mutate operator: NotIn values: - skip {{- end }} {{- if semverCompare ">=1.12-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }} sideEffects: {{ .Values.apiSideEffectValue }} {{- end }} {{- end }} {{- if .Values.customResourceMutations }} - name: objects.{{ template "vault-secrets-webhook.name" . }}.admission.banzaicloud.com {{- if semverCompare ">=1.14-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }} admissionReviewVersions: ["v1beta1"] {{- if .Values.timeoutSeconds }} timeoutSeconds: {{ .Values.timeoutSeconds }} {{- end }} {{- end }} clientConfig: {{- if .Values.webhookClientConfig.useUrl }} url: {{ .Values.webhookClientConfig.url }} {{- else }} service: namespace: {{ .Release.Namespace }} name: {{ template "vault-secrets-webhook.fullname" . }} path: /objects {{- end }} caBundle: {{ $caCrt }} rules: - operations: - CREATE - UPDATE apiGroups: - "*" apiVersions: - "*" resources: {{ toYaml .Values.customResourceMutations | indent 6 }} failurePolicy: {{ .Values.customResourcesFailurePolicy }} namespaceSelector: {{- if $crNamespaceSelector.matchLabels }} matchLabels: {{ toYaml $crNamespaceSelector.matchLabels | indent 6 }} {{- end }} matchExpressions: {{- if $crNamespaceSelector.matchExpressions }} {{ toYaml $crNamespaceSelector.matchExpressions | indent 4 }} {{- end }} - key: name operator: NotIn values: - {{ .Release.Namespace }} {{- if semverCompare ">=1.15-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }} objectSelector: {{- if $crObjectSelector.matchLabels }} matchLabels: {{ toYaml $crObjectSelector.matchLabels | indent 6 }} {{- end }} matchExpressions: {{- if $crObjectSelector.matchExpressions }} {{ toYaml $crObjectSelector.matchExpressions | indent 4 }} {{- end }} - key: security.banzaicloud.io/mutate operator: NotIn values: - skip {{- end }} {{- if semverCompare ">=1.12-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }} sideEffects: {{ .Values.apiSideEffectValue }} {{- end }} {{- end }}