-{{- if .Values.ingressController.admissionWebhook.enabled }}
-{{- $cn := printf "%s.%s.svc" ( include "kong.service.validationWebhook" . ) .Release.Namespace }}
+{{- if (and .Values.ingressController.admissionWebhook.enabled .Values.ingressController.enabled) }}
+{{- $certCert := "" -}}
+{{- $certKey := "" -}}
+{{- $caCert := "" -}}
+{{- $caKey := "" -}}
+{{- if not .Values.ingressController.admissionWebhook.certificate.provided }}
+{{- $cn := printf "%s.%s.svc" ( include "kong.service.validationWebhook" . ) ( include "kong.namespace" . ) -}}
{{- $ca := genCA "kong-admission-ca" 3650 -}}
-{{- $cert := genSignedCert $cn nil nil 3650 $ca -}}
+{{- $cert := genSignedCert $cn nil (list $cn) 3650 $ca -}}
+{{- $certCert = $cert.Cert -}}
+{{- $certKey = $cert.Key -}}
+{{- $caCert = $ca.Cert -}}
+{{- $caKey = $ca.Key -}}
+
+{{- $caSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (printf "%s-validation-webhook-ca-keypair" (include "kong.fullname" .))) -}}
+{{- $certSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (printf "%s-validation-webhook-keypair" (include "kong.fullname" .))) -}}
+{{- if $certSecret }}
+{{- $certCert = (b64dec (get $certSecret.data "tls.crt")) -}}
+{{- $certKey = (b64dec (get $certSecret.data "tls.key")) -}}
+{{- end }}
+{{- if $caSecret }}
+{{- $caCert = (b64dec (get $caSecret.data "tls.crt")) -}}
+{{- $caKey = (b64dec (get $caSecret.data "tls.key")) -}}
+{{- end }}
+{{- end }}
kind: ValidatingWebhookConfiguration
{{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }}
apiVersion: admissionregistration.k8s.io/v1
{{- end }}
metadata:
name: {{ template "kong.fullname" . }}-validations
+ namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
+ {{- if .Values.ingressController.admissionWebhook.annotations }}
+ annotations:
+ {{- range $key, $value := .Values.ingressController.admissionWebhook.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
webhooks:
- name: validations.kong.konghq.com
+ {{- with .Values.ingressController.admissionWebhook.namespaceSelector }}
+ namespaceSelector:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.ingressController.admissionWebhook.timeoutSeconds }}
+ timeoutSeconds: {{ . }}
+ {{- end }}
+ objectSelector:
+ matchExpressions:
+ - key: owner
+ operator: NotIn
+ values:
+ - helm
failurePolicy: {{ .Values.ingressController.admissionWebhook.failurePolicy }}
sideEffects: None
admissionReviewVersions: ["v1beta1"]
resources:
- kongconsumers
- kongplugins
+{{- if (semverCompare ">= 2.0.4" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+ - kongclusterplugins
+{{- end }}
+{{- if (semverCompare ">= 2.8.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+ - kongingresses
+{{- end }}
+ - apiGroups:
+ - ''
+ apiVersions:
+ - 'v1'
+ operations:
+{{- if (semverCompare ">= 2.12.1" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+ - CREATE
+{{- end }}
+ - UPDATE
+ resources:
+ - secrets
+{{- if (semverCompare ">= 3.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+ - services
+{{- end }}
+{{- if (semverCompare ">= 2.12.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+ - apiGroups:
+ - networking.k8s.io
+ apiVersions:
+ - 'v1'
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - ingresses
+ - apiGroups:
+ - gateway.networking.k8s.io
+ apiVersions:
+ - 'v1alpha2'
+ - 'v1beta1'
+{{- if (semverCompare ">= 3.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+ - 'v1'
+{{- end }}
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - gateways
+ - httproutes
+{{- end }}
clientConfig:
- caBundle: {{ b64enc $ca.Cert }}
+ {{- if not .Values.ingressController.admissionWebhook.certificate.provided }}
+ caBundle: {{ b64enc $caCert }}
+ {{- else }}
+ {{- if .Values.ingressController.admissionWebhook.certificate.caBundle }}
+ caBundle: {{ b64enc .Values.ingressController.admissionWebhook.certificate.caBundle }}
+ {{- end }}
+ {{- end }}
service:
name: {{ template "kong.service.validationWebhook" . }}
- namespace: {{ .Release.Namespace }}
+ namespace: {{ template "kong.namespace" . }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ template "kong.service.validationWebhook" . }}
+ namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
+ {{- if .Values.ingressController.admissionWebhook.service.labels }}
+ {{- toYaml .Values.ingressController.admissionWebhook.service.labels | nindent 4 }}
+ {{- end }}
spec:
ports:
- name: webhook
selector:
{{- include "kong.metaLabels" . | nindent 4 }}
app.kubernetes.io/component: app
+{{- if not .Values.ingressController.admissionWebhook.certificate.provided }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "kong.fullname" . }}-validation-webhook-ca-keypair
+ namespace: {{ template "kong.namespace" . }}
+ labels:
+ {{- include "kong.metaLabels" . | nindent 4 }}
+type: kubernetes.io/tls
+data:
+ tls.crt: {{ b64enc $caCert }}
+ tls.key: {{ b64enc $caKey }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ template "kong.fullname" . }}-validation-webhook-keypair
+ namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
type: kubernetes.io/tls
data:
- tls.crt: {{ b64enc $cert.Cert }}
- tls.key: {{ b64enc $cert.Key }}
-{{ end }}
+ tls.crt: {{ b64enc $certCert }}
+ tls.key: {{ b64enc $certKey }}
+{{- end }}
+{{- end }}
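Review bot: The two `lookup` reuses at `if $certSecret` and `if $caSecret` are independent, so if only one of the two Secrets exists the rendered `caBundle` and the certificate written to `-validation-webhook-keypair` come from different CAs and the API server will fail the TLS handshake to the webhook (blocking writes under `failurePolicy: Fail`, or silently skipping validation under `Ignore`). This is exactly the state an upgrade from the previous chart produces, since the removed lines show only `-validation-webhook-keypair` used to be created and the `-validation-webhook-ca-keypair` Secret is new here, so the old leaf cert is kept while a fresh CA is generated. Guarding both branches with `{{- if (and $caSecret $certSecret) }}` (falling back to regenerating the whole chain otherwise, as the block already does by default) keeps the pair consistent; checking that the cached leaf was actually issued by the cached CA would be stronger still. Note also that `lookup` returns nothing under `helm template` / `--dry-run`, so in those workflows the chain is regenerated on every render regardless, which is worth stating in the values documentation for `admissionWebhook.certificate.provided`.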