Factory/akri-chart/templates/webhook-configuration.yaml

{{- if .Values.webhookConfiguration.enabled }}
apiVersion: v1
kind: List
metadata:
  name: {{ .Values.webhookConfiguration.name }}
  labels: {{- include "akri.labels" . | nindent 4 }}
items:
  - apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: {{ .Values.webhookConfiguration.name }}
      namespace: {{ .Release.Namespace }}
      labels: {{- include "akri.labels" . | nindent 8 }}
        app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
        app.kubernetes.io/component: admission-webhook
  - apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: {{ .Values.webhookConfiguration.name }}
      namespace: {{ .Release.Namespace }}
      labels: {{- include "akri.labels" . | nindent 8 }}
        app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
        app.kubernetes.io/component: admission-webhook
    rules:
    - apiGroups: [""]
      resources: ["pods"]
      verbs: ["get"]
  - apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: {{ .Values.webhookConfiguration.name }}
      namespace: {{ .Release.Namespace }}
      labels: {{- include "akri.labels" . | nindent 8 }}
        app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
        app.kubernetes.io/component: admission-webhook
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: {{ .Values.webhookConfiguration.name }}
    subjects:
    - kind: ServiceAccount
      name: {{ .Values.webhookConfiguration.name }}
      namespace: {{ .Release.Namespace }}
  - apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: {{ .Values.webhookConfiguration.name }}
      labels: {{- include "akri.labels" . | nindent 8 }}
        app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
        app.kubernetes.io/component: admission-webhook
    spec:
      replicas: 1
      selector:
        matchLabels: {{- include "akri.selectorLabels" . | nindent 10 }}
          app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
      template:
        metadata:
          labels: {{- include "akri.labels" . | nindent 12 }}
            app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
            app.kubernetes.io/component: admission-webhook
        spec:
          {{- if .Values.rbac.enabled }}
          serviceAccountName: {{ .Values.webhookConfiguration.name }}
          {{- end }}
          containers:
          - name: webhook
            {{- if .Values.useDevelopmentContainers }}
            {{- if .Values.useLatestContainers }}
            image: {{ printf "%s:latest-dev" .Values.webhookConfiguration.image.repository | quote }}
            {{- else }}
            image: {{ printf "%s:%s" .Values.webhookConfiguration.image.repository (default (printf "v%s-dev" .Chart.AppVersion) .Values.webhookConfiguration.image.tag) | quote }}
            {{- end }}
            {{- else }}
            {{- if .Values.useLatestContainers }}
            image: {{ printf "%s:latest" .Values.webhookConfiguration.image.repository | quote }}
            {{- else }}
            image: {{ printf "%s:%s" .Values.webhookConfiguration.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.webhookConfiguration.image.tag) | quote }}
            {{- end }}
            {{- end }}
            imagePullPolicy: {{ .Values.webhookConfiguration.image.pullPolicy }}
            resources:
              requests:
                memory: {{ .Values.webhookConfiguration.resources.memoryRequest }}
                cpu: {{ .Values.webhookConfiguration.resources.cpuRequest }}
              limits:
                memory: {{ .Values.webhookConfiguration.resources.memoryLimit }}
                cpu: {{ .Values.webhookConfiguration.resources.cpuLimit }}
            args:
            - --tls-crt-file=/secrets/tls.crt
            - --tls-key-file=/secrets/tls.key
            - --port=8443
            volumeMounts:
            - name: secrets
              mountPath: /secrets
              readOnly: true
          volumes:
            - name: secrets
              secret:
                secretName: {{ .Values.webhookConfiguration.name }}
          {{- with .Values.imagePullSecrets }}
          imagePullSecrets:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- if .Values.webhookConfiguration.allowOnControlPlane }}
          tolerations:
            {{- /* Allow this pod to run on the master. */}}
            - key: node-role.kubernetes.io/master
              effect: NoSchedule
          {{- end }}
          nodeSelector:
            {{- if .Values.webhookConfiguration.nodeSelectors }}
              {{- toYaml .Values.webhookConfiguration.nodeSelectors | nindent 8 }}
            {{- end }}
            "kubernetes.io/os": linux
            {{- if .Values.webhookConfiguration.onlyOnControlPlane }}
            node-role.kubernetes.io/master: ""
            {{- end }}
  - apiVersion: v1
    kind: Service
    metadata:
      name: {{ .Values.webhookConfiguration.name }}
      labels: {{- include "akri.labels" . | nindent 8 }}
        app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
        app.kubernetes.io/component: admission-webhook
    spec:
      selector: {{- include "akri.selectorLabels" . | nindent 8 }}
        app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
      ports:
        - name: http
          port: 443
          targetPort: 8443
  - apiVersion: admissionregistration.k8s.io/v1
    kind: ValidatingWebhookConfiguration
    metadata:
      name: {{ .Values.webhookConfiguration.name }}
      labels: {{- include "akri.labels" . | nindent 8 }}
        app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
        app.kubernetes.io/component: admission-webhook
    webhooks:
      - name: {{ .Values.webhookConfiguration.name }}.{{ .Release.Namespace }}.svc
        clientConfig:
          service:
            name: {{ .Values.webhookConfiguration.name }}
            namespace: {{ .Release.Namespace }}
            port: 443
            path: "/validate"
          {{- if .Values.webhookConfiguration.caBundle }}
          caBundle: {{ .Values.webhookConfiguration.caBundle }}
          {{- end }}
        rules:
          - operations:
              - "CREATE"
              - "UPDATE"
            apiGroups:
              - {{ .Values.crds.group }}
            apiVersions:
              - {{ .Values.crds.version }}
            resources:
              - "configurations"
            scope: "*"
        admissionReviewVersions:
          - v1
          - v1beta1
        sideEffects: None
{{- end }}