{{- if .Values.webhookConfiguration.enabled }}
apiVersion: v1
kind: List
metadata:
name: {{ .Values.webhookConfiguration.name }}
labels: {{- include "akri.labels" . | nindent 4 }}
items:
- apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.webhookConfiguration.name }}
namespace: {{ .Release.Namespace }}
labels: {{- include "akri.labels" . | nindent 8 }}
app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
app.kubernetes.io/component: admission-webhook
- apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ .Values.webhookConfiguration.name }}
namespace: {{ .Release.Namespace }}
labels: {{- include "akri.labels" . | nindent 8 }}
app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
app.kubernetes.io/component: admission-webhook
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get"]
- apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ .Values.webhookConfiguration.name }}
namespace: {{ .Release.Namespace }}
labels: {{- include "akri.labels" . | nindent 8 }}
app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
app.kubernetes.io/component: admission-webhook
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ .Values.webhookConfiguration.name }}
subjects:
- kind: ServiceAccount
name: {{ .Values.webhookConfiguration.name }}
namespace: {{ .Release.Namespace }}
- apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Values.webhookConfiguration.name }}
labels: {{- include "akri.labels" . | nindent 8 }}
app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
app.kubernetes.io/component: admission-webhook
spec:
replicas: 1
selector:
matchLabels: {{- include "akri.selectorLabels" . | nindent 10 }}
app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
template:
metadata:
labels: {{- include "akri.labels" . | nindent 12 }}
app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
app.kubernetes.io/component: admission-webhook
spec:
{{- if .Values.rbac.enabled }}
serviceAccountName: {{ .Values.webhookConfiguration.name }}
{{- end }}
containers:
- name: webhook
{{- if .Values.useDevelopmentContainers }}
{{- if .Values.useLatestContainers }}
image: {{ printf "%s:latest-dev" .Values.webhookConfiguration.image.repository | quote }}
{{- else }}
image: {{ printf "%s:%s" .Values.webhookConfiguration.image.repository (default (printf "v%s-dev" .Chart.AppVersion) .Values.webhookConfiguration.image.tag) | quote }}
{{- end }}
{{- else }}
{{- if .Values.useLatestContainers }}
image: {{ printf "%s:latest" .Values.webhookConfiguration.image.repository | quote }}
{{- else }}
image: {{ printf "%s:%s" .Values.webhookConfiguration.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.webhookConfiguration.image.tag) | quote }}
{{- end }}
{{- end }}
imagePullPolicy: {{ .Values.webhookConfiguration.image.pullPolicy }}
resources:
requests:
memory: {{ .Values.webhookConfiguration.resources.memoryRequest }}
cpu: {{ .Values.webhookConfiguration.resources.cpuRequest }}
limits:
memory: {{ .Values.webhookConfiguration.resources.memoryLimit }}
cpu: {{ .Values.webhookConfiguration.resources.cpuLimit }}
args:
- --tls-crt-file=/secrets/tls.crt
- --tls-key-file=/secrets/tls.key
- --port=8443
volumeMounts:
- name: secrets
mountPath: /secrets
readOnly: true
volumes:
- name: secrets
secret:
secretName: {{ .Values.webhookConfiguration.name }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if .Values.webhookConfiguration.allowOnControlPlane }}
tolerations:
{{- /* Allow this pod to run on the master. */}}
- key: node-role.kubernetes.io/master
effect: NoSchedule
{{- end }}
nodeSelector:
{{- if .Values.webhookConfiguration.nodeSelectors }}
{{- toYaml .Values.webhookConfiguration.nodeSelectors | nindent 8 }}
{{- end }}
"kubernetes.io/os": linux
{{- if .Values.webhookConfiguration.onlyOnControlPlane }}
node-role.kubernetes.io/master: ""
{{- end }}
- apiVersion: v1
kind: Service
metadata:
name: {{ .Values.webhookConfiguration.name }}
labels: {{- include "akri.labels" . | nindent 8 }}
app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
app.kubernetes.io/component: admission-webhook
spec:
selector: {{- include "akri.selectorLabels" . | nindent 8 }}
app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
ports:
- name: http
port: 443
targetPort: 8443
- apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: {{ .Values.webhookConfiguration.name }}
labels: {{- include "akri.labels" . | nindent 8 }}
app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
app.kubernetes.io/component: admission-webhook
webhooks:
- name: {{ .Values.webhookConfiguration.name }}.{{ .Release.Namespace }}.svc
clientConfig:
service:
name: {{ .Values.webhookConfiguration.name }}
namespace: {{ .Release.Namespace }}
port: 443
path: "/validate"
{{- if .Values.webhookConfiguration.caBundle }}
caBundle: {{ .Values.webhookConfiguration.caBundle }}
{{- end }}
rules:
- operations:
- "CREATE"
- "UPDATE"
apiGroups:
- {{ .Values.crds.group }}
apiVersions:
- {{ .Values.crds.version }}
resources:
- "configurations"
scope: "*"
admissionReviewVersions:
- v1
- v1beta1
sideEffects: None
{{- end }}