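{{- /*
Admission webhook for Akri Configurations.

When .Values.webhookConfiguration.enabled is set, this template renders a v1
List holding: a ServiceAccount, a namespaced Role (get on pods) with its
RoleBinding, a single-replica Deployment serving TLS on port 8443, a Service
mapping 443 to 8443, and a ValidatingWebhookConfiguration that sends
CREATE/UPDATE of "configurations" in .Values.crds.group/.Values.crds.version
to the Service at /validate.

The TLS certificate and key are read from a Secret named after
.Values.webhookConfiguration.name; that Secret is not created by this
template as shown here.
*/ -}}
{{- if .Values.webhookConfiguration.enabled }}
apiVersion: v1
kind: List
metadata:
  name: {{ .Values.webhookConfiguration.name }}
  labels: {{- include "akri.labels" . | nindent 4 }}
items:
  # NOTE(review): the ServiceAccount, Role and RoleBinding below are rendered
  # regardless of .Values.rbac.enabled, while the pod only references the
  # ServiceAccount when rbac.enabled is set (otherwise it runs under the
  # namespace's default ServiceAccount). Confirm this asymmetry is intended.
  - apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: {{ .Values.webhookConfiguration.name }}
      namespace: {{ .Release.Namespace }}
      labels: {{- include "akri.labels" . | nindent 8 }}
        app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
        app.kubernetes.io/component: admission-webhook
  # Namespaced, read-only access to pods is the only permission granted.
  - apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: {{ .Values.webhookConfiguration.name }}
      namespace: {{ .Release.Namespace }}
      labels: {{- include "akri.labels" . | nindent 8 }}
        app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
        app.kubernetes.io/component: admission-webhook
    rules:
      - apiGroups: [""]
        resources: ["pods"]
        verbs: ["get"]
  - apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: {{ .Values.webhookConfiguration.name }}
      namespace: {{ .Release.Namespace }}
      labels: {{- include "akri.labels" . | nindent 8 }}
        app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
        app.kubernetes.io/component: admission-webhook
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: {{ .Values.webhookConfiguration.name }}
    subjects:
      - kind: ServiceAccount
        name: {{ .Values.webhookConfiguration.name }}
        namespace: {{ .Release.Namespace }}
  - apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: {{ .Values.webhookConfiguration.name }}
      labels: {{- include "akri.labels" . | nindent 8 }}
        app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
        app.kubernetes.io/component: admission-webhook
    spec:
      # A single replica: while this pod is unavailable the API server cannot
      # reach the webhook (see the failure-policy note on the webhook below).
      replicas: 1
      selector:
        matchLabels: {{- include "akri.selectorLabels" . | nindent 10 }}
          app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
      template:
        metadata:
          labels: {{- include "akri.labels" . | nindent 12 }}
            app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
            app.kubernetes.io/component: admission-webhook
        spec:
          {{- if .Values.rbac.enabled }}
          serviceAccountName: {{ .Values.webhookConfiguration.name }}
          {{- end }}
          containers:
            # NOTE(review): no securityContext is set on this container, so it
            # runs with the runtime/image defaults. The process only needs to
            # read /secrets and listen on 8443; consider runAsNonRoot,
            # allowPrivilegeEscalation: false, readOnlyRootFilesystem and
            # dropping all capabilities once confirmed against the image.
            - name: webhook
              # Image selection: development vs. release repository tag, and
              # either the mutable "latest" tag or image.tag (defaulting to
              # v<AppVersion>, with a -dev suffix for development builds).
              # "latest" tags are mutable; prefer a pinned tag for production.
              {{- if .Values.useDevelopmentContainers }}
              {{- if .Values.useLatestContainers }}
              image: {{ printf "%s:latest-dev" .Values.webhookConfiguration.image.repository | quote }}
              {{- else }}
              image: {{ printf "%s:%s" .Values.webhookConfiguration.image.repository (default (printf "v%s-dev" .Chart.AppVersion) .Values.webhookConfiguration.image.tag) | quote }}
              {{- end }}
              {{- else }}
              {{- if .Values.useLatestContainers }}
              image: {{ printf "%s:latest" .Values.webhookConfiguration.image.repository | quote }}
              {{- else }}
              image: {{ printf "%s:%s" .Values.webhookConfiguration.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.webhookConfiguration.image.tag) | quote }}
              {{- end }}
              {{- end }}
              imagePullPolicy: {{ .Values.webhookConfiguration.image.pullPolicy }}
              resources:
                requests:
                  memory: {{ .Values.webhookConfiguration.resources.memoryRequest }}
                  cpu: {{ .Values.webhookConfiguration.resources.cpuRequest }}
                limits:
                  memory: {{ .Values.webhookConfiguration.resources.memoryLimit }}
                  cpu: {{ .Values.webhookConfiguration.resources.cpuLimit }}
              args:
                - --tls-crt-file=/secrets/tls.crt
                - --tls-key-file=/secrets/tls.key
                - --port=8443
              volumeMounts:
                # The TLS key pair is mounted read-only from the Secret below.
                - name: secrets
                  mountPath: /secrets
                  readOnly: true
          volumes:
            - name: secrets
              secret:
                secretName: {{ .Values.webhookConfiguration.name }}
          {{- with .Values.imagePullSecrets }}
          imagePullSecrets:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- if .Values.webhookConfiguration.allowOnControlPlane }}
          tolerations:
            {{- /* Allow this pod to run on control-plane nodes. The "master"
                   key is the legacy taint name; "control-plane" is the name
                   used by current Kubernetes releases. */}}
            - key: node-role.kubernetes.io/master
              effect: NoSchedule
            - key: node-role.kubernetes.io/control-plane
              effect: NoSchedule
          {{- end }}
          nodeSelector:
            {{- /* User-supplied selectors must land under nodeSelector, i.e.
                   at the same depth (12) as the fixed keys below. */}}
            {{- if .Values.webhookConfiguration.nodeSelectors }}
            {{- toYaml .Values.webhookConfiguration.nodeSelectors | nindent 12 }}
            {{- end }}
            "kubernetes.io/os": linux
            {{- if .Values.webhookConfiguration.onlyOnControlPlane }}
            # NOTE(review): this is the legacy node label; clusters that only
            # carry node-role.kubernetes.io/control-plane will leave the pod
            # unschedulable. Selector terms are ANDed, so both labels cannot
            # simply be listed here.
            node-role.kubernetes.io/master: ""
            {{- end }}
  - apiVersion: v1
    kind: Service
    metadata:
      name: {{ .Values.webhookConfiguration.name }}
      labels: {{- include "akri.labels" . | nindent 8 }}
        app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
        app.kubernetes.io/component: admission-webhook
    spec:
      selector: {{- include "akri.selectorLabels" . | nindent 8 }}
        app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
      ports:
        # The port is named "http" but carries TLS to the container's 8443.
        - name: http
          port: 443
          targetPort: 8443
  - apiVersion: admissionregistration.k8s.io/v1
    kind: ValidatingWebhookConfiguration
    metadata:
      name: {{ .Values.webhookConfiguration.name }}
      labels: {{- include "akri.labels" . | nindent 8 }}
        app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
        app.kubernetes.io/component: admission-webhook
    webhooks:
      # failurePolicy is not set here; admissionregistration.k8s.io/v1
      # defaults it to Fail, so matched CREATE/UPDATE requests are rejected
      # whenever the webhook cannot be reached. Consider stating the policy
      # explicitly so the fail-closed behaviour is visible in the chart.
      - name: {{ .Values.webhookConfiguration.name }}.{{ .Release.Namespace }}.svc
        clientConfig:
          service:
            name: {{ .Values.webhookConfiguration.name }}
            namespace: {{ .Release.Namespace }}
            port: 443
            path: "/validate"
          # Without caBundle the API server validates the webhook's serving
          # certificate against its system trust roots, so the certificate in
          # the Secret must chain to a CA the API server already trusts.
          {{- if .Values.webhookConfiguration.caBundle }}
          caBundle: {{ .Values.webhookConfiguration.caBundle }}
          {{- end }}
        rules:
          - operations:
              - "CREATE"
              - "UPDATE"
            apiGroups:
              - {{ .Values.crds.group }}
            apiVersions:
              - {{ .Values.crds.version }}
            resources:
              - "configurations"
            scope: "*"
        admissionReviewVersions:
          - v1
          - v1beta1
        sideEffects: None
{{- end }}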