X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?a=blobdiff_plain;f=helm%2Finfrastructure%2Fsubcharts%2Fkong%2Ftemplates%2Fadmission-webhook.yaml;h=979f1c0ab45be60b6407603978aff593c49fa108;hb=75c0de3cae4b58e001f7ec715f13f82ded10e678;hp=8e37eeb5b450f8d1e21d02344567f43ba0f609a6;hpb=7a43fbd4642448783aaf708d07ca883bf9bc5afd;p=ric-plt%2Fric-dep.git
diff --git a/helm/infrastructure/subcharts/kong/templates/admission-webhook.yaml b/helm/infrastructure/subcharts/kong/templates/admission-webhook.yaml
old mode 100755
new mode 100644
index 8e37eeb..979f1c0
--- a/helm/infrastructure/subcharts/kong/templates/admission-webhook.yaml
+++ b/helm/infrastructure/subcharts/kong/templates/admission-webhook.yaml
@@ -1,7 +1,28 @@
-{{- if .Values.ingressController.admissionWebhook.enabled }}
-{{- $cn := printf "%s.%s.svc" ( include "kong.service.validationWebhook" . ) .Release.Namespace }}
+{{- if (and .Values.ingressController.admissionWebhook.enabled .Values.ingressController.enabled) }}
+{{- $certCert := "" -}}
+{{- $certKey := "" -}}
+{{- $caCert := "" -}}
+{{- $caKey := "" -}}
+{{- if not .Values.ingressController.admissionWebhook.certificate.provided }}
+{{- $cn := printf "%s.%s.svc" ( include "kong.service.validationWebhook" . ) ( include "kong.namespace" . ) -}}
 {{- $ca := genCA "kong-admission-ca" 3650 -}}
-{{- $cert := genSignedCert $cn nil nil 3650 $ca -}}
+{{- $cert := genSignedCert $cn nil (list $cn) 3650 $ca -}}
+{{- $certCert = $cert.Cert -}}
+{{- $certKey = $cert.Key -}}
+{{- $caCert = $ca.Cert -}}
+{{- $caKey = $ca.Key -}}
+
+{{- $caSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (printf "%s-validation-webhook-ca-keypair" (include "kong.fullname" .))) -}}
+{{- $certSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (printf "%s-validation-webhook-keypair" (include "kong.fullname" .))) -}}
+{{- if $certSecret }}
+{{- $certCert = (b64dec (get $certSecret.data "tls.crt")) -}}
+{{- $certKey = (b64dec (get $certSecret.data "tls.key")) -}}
+{{- end }}
+{{- if $caSecret }}
+{{- $caCert = (b64dec (get $caSecret.data "tls.crt")) -}}
+{{- $caKey = (b64dec (get $caSecret.data "tls.key")) -}}
+{{- end }}
+{{- end }}
 kind: ValidatingWebhookConfiguration
 {{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }}
 apiVersion: admissionregistration.k8s.io/v1
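Review bot: The two `lookup` results are applied independently, so when only one of the two Secrets exists the rendered pair no longer matches. A surviving `-validation-webhook-ca-keypair` overwrites `$caCert` with the old CA while `$certCert` stays the certificate just signed by the fresh `genCA` output, and the API server would then fail to verify the webhook's serving certificate against `caBundle`. Reuse should be all-or-nothing, for example a single `{{- if and $certSecret $caSecret }}` around both sets of reassignments. A template comment should also record that `lookup` returns nothing under `helm template` or a client-side dry run, so render-only pipelines will mint a new CA and certificate on every run.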
@@ -10,10 +31,30 @@ apiVersion: admissionregistration.k8s.io/v1beta1
 {{- end }}
 metadata:
 name: {{ template "kong.fullname" . }}-validations
+ namespace: {{ template "kong.namespace" . }}
 labels:
 {{- include "kong.metaLabels" . | nindent 4 }}
+ {{- if .Values.ingressController.admissionWebhook.annotations }}
+ annotations:
+ {{- range $key, $value := .Values.ingressController.admissionWebhook.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
 webhooks:
 - name: validations.kong.konghq.com
+ {{- with .Values.ingressController.admissionWebhook.namespaceSelector }}
+ namespaceSelector:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.ingressController.admissionWebhook.timeoutSeconds }}
+ timeoutSeconds: {{ . }}
+ {{- end }}
+ objectSelector:
+ matchExpressions:
+ - key: owner
+ operator: NotIn
+ values:
+ - helm
 failurePolicy: {{ .Values.ingressController.admissionWebhook.failurePolicy }}
 sideEffects: None
 admissionReviewVersions: ["v1beta1"]
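Review bot: The unconditional `objectSelector` (`owner NotIn helm`) lets any object labelled `owner: helm` skip this webhook, and nothing in the template says why. Presumably it keeps Helm's own release Secrets out of the validation path; if so, say it in a comment above the selector, e.g. `# Helm release Secrets are labelled owner=helm; exclude them so release writes never depend on this webhook`. Because the label can be set by anyone allowed to write the object, the comment should also state that this webhook is a configuration check and not an enforcement boundary.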
@@ -28,18 +69,73 @@ webhooks: resources: - kongconsumers - kongplugins +{{- if (semverCompare ">= 2.0.4" (include "kong.effectiveVersion" .Values.ingressController.image)) }} + - kongclusterplugins +{{- end }} +{{- if (semverCompare ">= 2.8.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} + - kongingresses +{{- end }} + - apiGroups: + - '' + apiVersions: + - 'v1' + operations: +{{- if (semverCompare ">= 2.12.1" (include "kong.effectiveVersion" .Values.ingressController.image)) }} + - CREATE +{{- end }} + - UPDATE + resources: + - secrets +{{- if (semverCompare ">= 3.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} + - services +{{- end }} +{{- if (semverCompare ">= 2.12.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} + - apiGroups: + - networking.k8s.io + apiVersions: + - 'v1' + operations: + - CREATE + - UPDATE + resources: + - ingresses + - apiGroups: + - gateway.networking.k8s.io + apiVersions: + - 'v1alpha2' + - 'v1beta1' +{{- if (semverCompare ">= 3.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} + - 'v1' +{{- end }} + operations: + - CREATE + - UPDATE + resources: + - gateways + - httproutes +{{- end }} clientConfig: - caBundle: {{ b64enc $ca.Cert }} + {{- if not .Values.ingressController.admissionWebhook.certificate.provided }} + caBundle: {{ b64enc $caCert }} + {{- else }} + {{- if .Values.ingressController.admissionWebhook.certificate.caBundle }} + caBundle: {{ b64enc .Values.ingressController.admissionWebhook.certificate.caBundle }} + {{- end }} + {{- end }} service: name: {{ template "kong.service.validationWebhook" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ template "kong.namespace" . }} --- apiVersion: v1 kind: Service metadata: name: {{ template "kong.service.validationWebhook" . }} + namespace: {{ template "kong.namespace" . }} labels: {{- include "kong.metaLabels" . 
| nindent 4 }} + {{- if .Values.ingressController.admissionWebhook.service.labels }} + {{- toYaml .Values.ingressController.admissionWebhook.service.labels | nindent 4 }} + {{- end }} spec: ports: - name: webhook @@ -49,15 +145,30 @@ spec: selector: {{- include "kong.metaLabels" . | nindent 4 }} app.kubernetes.io/component: app +{{- if not .Values.ingressController.admissionWebhook.certificate.provided }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "kong.fullname" . }}-validation-webhook-ca-keypair + namespace: {{ template "kong.namespace" . }} + labels: + {{- include "kong.metaLabels" . | nindent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ b64enc $caCert }} + tls.key: {{ b64enc $caKey }} --- apiVersion: v1 kind: Secret metadata: name: {{ template "kong.fullname" . }}-validation-webhook-keypair + namespace: {{ template "kong.namespace" . }} labels: {{- include "kong.metaLabels" . | nindent 4 }} type: kubernetes.io/tls data: - tls.crt: {{ b64enc $cert.Cert }} - tls.key: {{ b64enc $cert.Key }} -{{ end }} + tls.crt: {{ b64enc $certCert }} + tls.key: {{ b64enc $certKey }} +{{- end }} +{{- end }}
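Review bot: The new core-group rule sends `secrets` writes (and `services` from controller 3.0.0) to the controller from every namespace unless `admissionWebhook.namespaceSelector` is set, and the previous hunk renders that selector only when a value is supplied. With `failurePolicy` set to `Fail`, an unavailable controller would then block Secret updates cluster-wide, and in every case the controller receives the full Secret object in each AdmissionReview. Document this next to the rule, e.g. `# matches Secrets in all namespaces unless admissionWebhook.namespaceSelector is set`, and check whether the chart's values ship a default selector, which this diff does not show.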
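Review bot: The new `-validation-webhook-ca-keypair` Secret persists the CA private key (`tls.key: {{ b64enc $caKey }}`) for a CA generated with a 3650-day lifetime, yet nothing in this template ever signs with the stored key; the first hunk only reads it back to re-emit the same Secret. Anyone who can read Secrets in this namespace could issue a certificate for the webhook service name that `caBundle` trusts. Either use the stored key to re-sign when the serving certificate has to be regenerated, or keep only the CA certificate, which would need a Secret type other than `kubernetes.io/tls` because that type requires `tls.key`. In both cases RBAC on this Secret should be restricted.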