jonny/charts
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
c7413eae10
charts/vault-secrets-webhook/templates/apiservice-webhook.yaml

368 lines
12 KiB
YAML
Raw Blame History

{{- $tlsCrt := "" }}
{{- $tlsKey := "" }}
{{- $caCrt := "" }}
{{- if .Values.certificate.generate }}
{{- $ca := genCA "svc-cat-ca" 3650 }}
{{- $svcName := include "vault-secrets-webhook.fullname" . }}
{{- $cn := printf "%s.%s.svc" $svcName .Release.Namespace }}
{{- $altName1 := printf "%s.cluster.local" $cn }}
{{- $altName2 := printf "%s" $cn }}
{{- $server := genSignedCert $cn nil (concat (list $altName1 $altName2) .Values.certificate.extraAltNames) 365 $ca }}
{{- $tlsCrt = b64enc $server.Cert }}
{{- $tlsKey = b64enc $server.Key }}
{{- $caCrt = b64enc $ca.Cert }}
{{- else if .Values.certificate.useCertManager }}
{{/* Create a new Certificate with cert-manager. */}}
{{/* all clientConfig.caBundle will be overridden by cert-manager */}}
{{- else if .Values.certificate.servingCertificate }}
{{/* Use an already externally defined Certificate by cert-manager. */}}
{{/* all clientConfig.caBundle will be overridden by cert-manager */}}
{{- else }}
{{- $tlsCrt = required "Value certificate.server.tls.crt is required when certificate.generate is false" .Values.certificate.server.tls.crt }}
{{- $tlsKey = required "Value certificate.server.tls.key is required when certificate.generate is false" .Values.certificate.server.tls.key }}
{{- $caCrt = required "Value certificate.ca.crt is required when certificate.generate is false" .Values.certificate.ca.crt }}
{{- end }}
{{- $secretsNamespaceSelector := default dict }}
{{- $secretsObjectSelector := default dict }}
{{- $configmapsNamespaceSelector := default dict }}
{{- $configmapsObjectSelector := default dict }}
{{- $podsNamespaceSelector := default dict }}
{{- $podsObjectSelector := default dict }}
{{- $crNamespaceSelector := default dict }}
{{- $crObjectSelector := default dict }}
{{- if .Values.secrets.namespaceSelector }}
{{- $secretsNamespaceSelector = .Values.secrets.namespaceSelector }}
{{- else }}
{{- $secretsNamespaceSelector = .Values.namespaceSelector }}
{{- end }}
{{- if .Values.secrets.objectSelector }}
{{- $secretsObjectSelector = .Values.secrets.objectSelector }}
{{- else }}
{{- $secretsObjectSelector = .Values.objectSelector }}
{{- end }}
{{- if .Values.configMaps.namespaceSelector }}
{{- $configmapsNamespaceSelector = .Values.configMaps.namespaceSelector }}
{{- else }}
{{- $configmapsNamespaceSelector = .Values.namespaceSelector }}
{{- end }}
{{- if .Values.configMaps.objectSelector }}
{{- $configmapsObjectSelector = .Values.configMaps.objectSelector }}
{{- else }}
{{- $configmapsObjectSelector = .Values.objectSelector }}
{{- end }}
{{- if .Values.pods.namespaceSelector }}
{{- $podsNamespaceSelector = .Values.pods.namespaceSelector }}
{{- else }}
{{- $podsNamespaceSelector = .Values.namespaceSelector }}
{{- end }}
{{- if .Values.pods.objectSelector }}
{{- $podsObjectSelector = .Values.pods.objectSelector }}
{{- else }}
{{- $podsObjectSelector = .Values.objectSelector }}
{{- end }}
{{- if .Values.customResources.namespaceSelector }}
{{- $crNamespaceSelector = .Values.customResources.namespaceSelector }}
{{- else }}
{{- $crNamespaceSelector = .Values.namespaceSelector }}
{{- end }}
{{- if .Values.customResources.objectSelector }}
{{- $crObjectSelector = .Values.customResources.objectSelector }}
{{- else }}
{{- $crObjectSelector = .Values.objectSelector }}
{{- end }}
{{- if $tlsCrt }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "vault-secrets-webhook.servingCertificate" . }}
namespace: {{ .Release.Namespace }}
data:
tls.crt: {{ $tlsCrt }}
tls.key: {{ $tlsKey }}
ca.crt: {{ $caCrt }}
{{- end }}
---
{{- if semverCompare ">=1.16-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
apiVersion: admissionregistration.k8s.io/v1
{{- else }}
apiVersion: admissionregistration.k8s.io/v1beta1
{{- end }}
kind: MutatingWebhookConfiguration
metadata:
name: {{ template "vault-secrets-webhook.fullname" . }}
namespace: {{ .Release.Namespace }}
{{- if .Values.certificate.useCertManager }}
annotations:
cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "vault-secrets-webhook.servingCertificate" . }}"
{{- else if .Values.certificate.servingCertificate }}
annotations:
cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ .Values.certificate.servingCertificate }}"
{{- end }}
webhooks:
- name: pods.{{ template "vault-secrets-webhook.name" . }}.admission.banzaicloud.com
{{- if semverCompare ">=1.14-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
{{- with .Values.reinvocationPolicy }}
reinvocationPolicy: {{ . }}
{{- end }}
admissionReviewVersions: ["v1beta1"]
{{- if .Values.timeoutSeconds }}
timeoutSeconds: {{ .Values.timeoutSeconds }}
{{- end }}
{{- end }}
clientConfig:
{{- if .Values.webhookClientConfig.useUrl }}
url: {{ .Values.webhookClientConfig.url }}
{{- else }}
service:
namespace: {{ .Release.Namespace }}
name: {{ template "vault-secrets-webhook.fullname" . }}
path: /pods
{{- end }}
caBundle: {{ $caCrt }}
rules:
- operations:
- CREATE
apiGroups:
- "*"
apiVersions:
- "*"
resources:
- pods
failurePolicy: {{ .Values.podsFailurePolicy }}
namespaceSelector:
{{- if $podsNamespaceSelector.matchLabels }}
matchLabels:
{{ toYaml $podsNamespaceSelector.matchLabels | indent 6 }}
{{- end }}
matchExpressions:
{{- if $podsNamespaceSelector.matchExpressions }}
{{ toYaml $podsNamespaceSelector.matchExpressions | indent 4 }}
{{- end }}
- key: name
operator: NotIn
values:
- {{ .Release.Namespace }}
{{- if semverCompare ">=1.15-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
objectSelector:
{{- if $podsObjectSelector.matchLabels }}
matchLabels:
{{ toYaml $podsObjectSelector.matchLabels | indent 6 }}
{{- end }}
matchExpressions:
{{- if $podsObjectSelector.matchExpressions }}
{{ toYaml $podsObjectSelector.matchExpressions | indent 4 }}
{{- end }}
- key: security.banzaicloud.io/mutate
operator: NotIn
values:
- skip
{{- end }}
{{- if semverCompare ">=1.12-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
sideEffects: {{ .Values.apiSideEffectValue }}
{{- end }}
{{- if .Values.secretsMutation }}
- name: secrets.{{ template "vault-secrets-webhook.name" . }}.admission.banzaicloud.com
{{- with .Values.reinvocationPolicy }}
reinvocationPolicy: {{ . }}
{{- end }}
{{- if semverCompare ">=1.14-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
admissionReviewVersions: ["v1beta1"]
{{- if .Values.timeoutSeconds }}
timeoutSeconds: {{ .Values.timeoutSeconds }}
{{- end }}
{{- end }}
clientConfig:
{{- if .Values.webhookClientConfig.useUrl }}
url: {{ .Values.webhookClientConfig.url }}
{{- else }}
service:
namespace: {{ .Release.Namespace }}
name: {{ template "vault-secrets-webhook.fullname" . }}
path: /secrets
{{- end }}
caBundle: {{ $caCrt }}
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- "*"
apiVersions:
- "*"
resources:
- secrets
failurePolicy: {{ .Values.secretsFailurePolicy }}
namespaceSelector:
{{- if $secretsNamespaceSelector.matchLabels }}
matchLabels:
{{ toYaml $secretsNamespaceSelector.matchLabels | indent 6 }}
{{- end }}
matchExpressions:
{{- if $secretsNamespaceSelector.matchExpressions }}
{{ toYaml $secretsNamespaceSelector.matchExpressions | indent 4 }}
{{- end }}
- key: name
operator: NotIn
values:
- {{ .Release.Namespace }}
{{- if semverCompare ">=1.15-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
objectSelector:
{{- if $secretsObjectSelector.matchLabels }}
matchLabels:
{{ toYaml $secretsObjectSelector.matchLabels | indent 6 }}
{{- end }}
matchExpressions:
{{- if $secretsObjectSelector.matchExpressions }}
{{ toYaml $secretsObjectSelector.matchExpressions | indent 4 }}
{{- end }}
- key: owner
operator: NotIn
values:
- helm
- key: security.banzaicloud.io/mutate
operator: NotIn
values:
- skip
{{- end }}
{{- if semverCompare ">=1.12-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
sideEffects: {{ .Values.apiSideEffectValue }}
{{- end }}
{{- end }}
{{- if .Values.configMapMutation }}
- name: configmaps.{{ template "vault-secrets-webhook.name" . }}.admission.banzaicloud.com
{{- if semverCompare ">=1.14-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
admissionReviewVersions: ["v1beta1"]
{{- with .Values.reinvocationPolicy }}
reinvocationPolicy: {{ . }}
{{- end }}
{{- if .Values.timeoutSeconds }}
timeoutSeconds: {{ .Values.timeoutSeconds }}
{{- end }}
{{- end }}
clientConfig:
{{- if .Values.webhookClientConfig.useUrl }}
url: {{ .Values.webhookClientConfig.url }}
{{- else }}
service:
namespace: {{ .Release.Namespace }}
name: {{ template "vault-secrets-webhook.fullname" . }}
path: /configmaps
{{- end }}
caBundle: {{ $caCrt }}
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- "*"
apiVersions:
- "*"
resources:
- configmaps
failurePolicy: {{ .Values.configmapFailurePolicy | default .Values.configMapFailurePolicy }}
namespaceSelector:
{{- if $configmapsNamespaceSelector.matchLabels }}
matchLabels:
{{ toYaml $configmapsNamespaceSelector.matchLabels | indent 6 }}
{{- end }}
matchExpressions:
{{- if $configmapsNamespaceSelector.matchExpressions }}
{{ toYaml $configmapsNamespaceSelector.matchExpressions | indent 4 }}
{{- end }}
- key: name
operator: NotIn
values:
- {{ .Release.Namespace }}
{{- if semverCompare ">=1.15-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
objectSelector:
{{- if $configmapsObjectSelector.matchLabels }}
matchLabels:
{{ toYaml $configmapsObjectSelector.matchLabels | indent 6 }}
{{- end }}
matchExpressions:
{{- if $configmapsObjectSelector.matchExpressions }}
{{ toYaml $configmapsObjectSelector.matchExpressions | indent 4 }}
{{- end }}
- key: owner
operator: NotIn
values:
- helm
- key: security.banzaicloud.io/mutate
operator: NotIn
values:
- skip
{{- end }}
{{- if semverCompare ">=1.12-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
sideEffects: {{ .Values.apiSideEffectValue }}
{{- end }}
{{- end }}
{{- if .Values.customResourceMutations }}
- name: objects.{{ template "vault-secrets-webhook.name" . }}.admission.banzaicloud.com
{{- if semverCompare ">=1.14-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
admissionReviewVersions: ["v1beta1"]
{{- if .Values.timeoutSeconds }}
timeoutSeconds: {{ .Values.timeoutSeconds }}
{{- end }}
{{- end }}
clientConfig:
{{- if .Values.webhookClientConfig.useUrl }}
url: {{ .Values.webhookClientConfig.url }}
{{- else }}
service:
namespace: {{ .Release.Namespace }}
name: {{ template "vault-secrets-webhook.fullname" . }}
path: /objects
{{- end }}
caBundle: {{ $caCrt }}
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- "*"
apiVersions:
- "*"
resources:
{{ toYaml .Values.customResourceMutations | indent 6 }}
failurePolicy: {{ .Values.customResourcesFailurePolicy }}
namespaceSelector:
{{- if $crNamespaceSelector.matchLabels }}
matchLabels:
{{ toYaml $crNamespaceSelector.matchLabels | indent 6 }}
{{- end }}
matchExpressions:
{{- if $crNamespaceSelector.matchExpressions }}
{{ toYaml $crNamespaceSelector.matchExpressions | indent 4 }}
{{- end }}
- key: name
operator: NotIn
values:
- {{ .Release.Namespace }}
{{- if semverCompare ">=1.15-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
objectSelector:
{{- if $crObjectSelector.matchLabels }}
matchLabels:
{{ toYaml $crObjectSelector.matchLabels | indent 6 }}
{{- end }}
matchExpressions:
{{- if $crObjectSelector.matchExpressions }}
{{ toYaml $crObjectSelector.matchExpressions | indent 4 }}
{{- end }}
- key: security.banzaicloud.io/mutate
operator: NotIn
values:
- skip
{{- end }}
{{- if semverCompare ">=1.12-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
sideEffects: {{ .Values.apiSideEffectValue }}
{{- end }}
{{- end }}
Reference in New Issue View Git Blame Copy Permalink