Admission Webhook: Truncate name. (#10523)

charts/ingress-nginx/README.md

@@ -240,6 +240,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.admissionWebhooks.certManager.enabled | bool | `false` |  |
 | controller.admissionWebhooks.certManager.rootCert.duration | string | `""` |  |
 | controller.admissionWebhooks.certificate | string | `"/usr/local/certificates/cert"` |  |
+| controller.admissionWebhooks.createSecretJob.name | string | `"create"` |  |
 | controller.admissionWebhooks.createSecretJob.resources | object | `{}` |  |
 | controller.admissionWebhooks.createSecretJob.securityContext.allowPrivilegeEscalation | bool | `false` |  |
 | controller.admissionWebhooks.enabled | bool | `true` |  |
@@ -248,6 +249,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.admissionWebhooks.failurePolicy | string | `"Fail"` | Admission Webhook failure policy to use |
 | controller.admissionWebhooks.key | string | `"/usr/local/certificates/key"` |  |
 | controller.admissionWebhooks.labels | object | `{}` | Labels to be added to admission webhooks |
+| controller.admissionWebhooks.name | string | `"admission"` |  |
 | controller.admissionWebhooks.namespaceSelector | object | `{}` |  |
 | controller.admissionWebhooks.objectSelector | object | `{}` |  |
 | controller.admissionWebhooks.patch.enabled | bool | `true` |  |
@@ -264,6 +266,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.admissionWebhooks.patch.securityContext.runAsNonRoot | bool | `true` |  |
 | controller.admissionWebhooks.patch.securityContext.runAsUser | int | `2000` |  |
 | controller.admissionWebhooks.patch.tolerations | list | `[]` |  |
+| controller.admissionWebhooks.patchWebhookJob.name | string | `"patch"` |  |
 | controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` |  |
 | controller.admissionWebhooks.patchWebhookJob.securityContext.allowPrivilegeEscalation | bool | `false` |  |
 | controller.admissionWebhooks.port | int | `8443` |  |

charts/ingress-nginx/templates/_helpers.tpl

@@ -164,6 +164,30 @@ Create the name of the controller service account to use
 {{- end -}}
 {{- end -}}
 
+{{/*
+Create a default fully qualified admission webhook name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "ingress-nginx.admissionWebhooks.fullname" -}}
+{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.controller.admissionWebhooks.name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified admission webhook secret creation job name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "ingress-nginx.admissionWebhooks.createSecretJob.fullname" -}}
+{{- printf "%s-%s" (include "ingress-nginx.admissionWebhooks.fullname" .) .Values.controller.admissionWebhooks.createSecretJob.name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified admission webhook patch job name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "ingress-nginx.admissionWebhooks.patchWebhookJob.fullname" -}}
+{{- printf "%s-%s" (include "ingress-nginx.admissionWebhooks.fullname" .) .Values.controller.admissionWebhooks.patchWebhookJob.name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
 {{/*
 Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled
 */}}

charts/ingress-nginx/templates/admission-webhooks/cert-manager.yaml

@@ -42,10 +42,10 @@ spec:
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: {{ include "ingress-nginx.fullname" . }}-admission
+  name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
   namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
-  secretName: {{ include "ingress-nginx.fullname" . }}-admission
+  secretName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
   duration: {{ .Values.controller.admissionWebhooks.certManager.admissionCert.duration | default "8760h0m0s" | quote }}
   issuerRef:
     {{- if .Values.controller.admissionWebhooks.certManager.issuerRef }}

charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml

@@ -2,7 +2,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ include "ingress-nginx.fullname" . }}-admission
+  name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
@@ -28,7 +28,7 @@ rules:
     {{- with .Values.controller.admissionWebhooks.existingPsp }}
     - {{ . }}
     {{- else }}
-    - {{ include "ingress-nginx.fullname" . }}-admission
+    - {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
     {{- end }}
 {{- end }}
 {{- end }}

charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml

@@ -2,7 +2,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ include "ingress-nginx.fullname" . }}-admission
+  name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
@@ -15,9 +15,9 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{ include "ingress-nginx.fullname" . }}-admission
+  name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
 subjects:
   - kind: ServiceAccount
-    name: {{ include "ingress-nginx.fullname" . }}-admission
+    name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
     namespace: {{ (include "ingress-nginx.namespace" .) | quote }}
 {{- end }}

charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml

@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: {{ include "ingress-nginx.fullname" . }}-admission-create
+  name: {{ include "ingress-nginx.admissionWebhooks.createSecretJob.fullname" . }}
   namespace: {{ include "ingress-nginx.namespace" . }}
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade
@@ -23,7 +23,7 @@ spec:
 {{- end }}
   template:
     metadata:
-      name: {{ include "ingress-nginx.fullname" . }}-admission-create
+      name: {{ include "ingress-nginx.admissionWebhooks.createSecretJob.fullname" . }}
     {{- if .Values.controller.admissionWebhooks.patch.podAnnotations }}
       annotations: {{ toYaml .Values.controller.admissionWebhooks.patch.podAnnotations | nindent 8 }}
     {{- end }}
@@ -50,7 +50,7 @@ spec:
             - create
             - --host={{ include "ingress-nginx.controller.fullname" . }}-admission,{{ include "ingress-nginx.controller.fullname" . }}-admission.$(POD_NAMESPACE).svc
             - --namespace=$(POD_NAMESPACE)
-            - --secret-name={{ include "ingress-nginx.fullname" . }}-admission
+            - --secret-name={{ include "ingress-nginx.admissionWebhooks.fullname" . }}
           env:
             - name: POD_NAMESPACE
               valueFrom:
@@ -66,7 +66,7 @@ spec:
           resources: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.resources | nindent 12 }}
           {{- end }}
       restartPolicy: OnFailure
-      serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission
+      serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
     {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
       nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
     {{- end }}

charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml

@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: {{ include "ingress-nginx.fullname" . }}-admission-patch
+  name: {{ include "ingress-nginx.admissionWebhooks.patchWebhookJob.fullname" . }}
   namespace: {{ include "ingress-nginx.namespace" . }}
   annotations:
     "helm.sh/hook": post-install,post-upgrade
@@ -23,7 +23,7 @@ spec:
 {{- end }}
   template:
     metadata:
-      name: {{ include "ingress-nginx.fullname" . }}-admission-patch
+      name: {{ include "ingress-nginx.admissionWebhooks.patchWebhookJob.fullname" . }}
     {{- if .Values.controller.admissionWebhooks.patch.podAnnotations }}
       annotations: {{ toYaml .Values.controller.admissionWebhooks.patch.podAnnotations | nindent 8 }}
     {{- end }}
@@ -48,10 +48,10 @@ spec:
           imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
           args:
             - patch
-            - --webhook-name={{ include "ingress-nginx.fullname" . }}-admission
+            - --webhook-name={{ include "ingress-nginx.admissionWebhooks.fullname" . }}
             - --namespace=$(POD_NAMESPACE)
             - --patch-mutating=false
-            - --secret-name={{ include "ingress-nginx.fullname" . }}-admission
+            - --secret-name={{ include "ingress-nginx.admissionWebhooks.fullname" . }}
             - --patch-failure-policy={{ .Values.controller.admissionWebhooks.failurePolicy }}
           env:
             - name: POD_NAMESPACE
@@ -68,7 +68,7 @@ spec:
           resources: {{ toYaml .Values.controller.admissionWebhooks.patchWebhookJob.resources | nindent 12 }}
           {{- end }}
       restartPolicy: OnFailure
-      serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission
+      serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
     {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
       nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
     {{- end }}

charts/ingress-nginx/templates/admission-webhooks/job-patch/networkpolicy.yaml

@@ -2,7 +2,7 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: {{ include "ingress-nginx.fullname" . }}-admission
+  name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
   namespace: {{ include "ingress-nginx.namespace" . }}
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade

charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml

@@ -3,7 +3,7 @@
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
-  name: {{ include "ingress-nginx.fullname" . }}-admission
+  name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded

charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml

@@ -2,7 +2,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name:  {{ include "ingress-nginx.fullname" . }}-admission
+  name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
   namespace: {{ include "ingress-nginx.namespace" . }}
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade

charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml

@@ -2,7 +2,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ include "ingress-nginx.fullname" . }}-admission
+  name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
   namespace: {{ include "ingress-nginx.namespace" . }}
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
@@ -16,9 +16,9 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: {{ include "ingress-nginx.fullname" . }}-admission
+  name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
 subjects:
   - kind: ServiceAccount
-    name: {{ include "ingress-nginx.fullname" . }}-admission
+    name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
     namespace: {{ (include "ingress-nginx.namespace" .) | quote }}
 {{- end }}

charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml

@@ -2,7 +2,7 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ include "ingress-nginx.fullname" . }}-admission
+  name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
   namespace: {{ include "ingress-nginx.namespace" . }}
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade

charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml

@@ -6,8 +6,8 @@ kind: ValidatingWebhookConfiguration
 metadata:
   annotations:
   {{- if .Values.controller.admissionWebhooks.certManager.enabled }}
-    certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s-admission" .Release.Namespace (include "ingress-nginx.fullname" .) | quote }}
+    certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s" .Release.Namespace (include "ingress-nginx.admissionWebhooks.fullname" .) | quote }}
-    cert-manager.io/inject-ca-from: {{ printf "%s/%s-admission" .Release.Namespace (include "ingress-nginx.fullname" .) | quote }}
+    cert-manager.io/inject-ca-from: {{ printf "%s/%s" .Release.Namespace (include "ingress-nginx.admissionWebhooks.fullname" .) | quote }}
   {{- end }}
   {{- if .Values.controller.admissionWebhooks.annotations }}
     {{- toYaml .Values.controller.admissionWebhooks.annotations | nindent 4 }}
@@ -18,7 +18,7 @@ metadata:
     {{- with .Values.controller.admissionWebhooks.labels }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
-  name: {{ include "ingress-nginx.fullname" . }}-admission
+  name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
 webhooks:
   - name: validate.nginx.ingress.kubernetes.io
     matchPolicy: Equivalent

charts/ingress-nginx/templates/controller-daemonset.yaml

@@ -227,7 +227,7 @@ spec:
       {{- if .Values.controller.admissionWebhooks.enabled }}
         - name: webhook-cert
           secret:
-            secretName: {{ include "ingress-nginx.fullname" . }}-admission
+            secretName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
         {{- if .Values.controller.admissionWebhooks.certManager.enabled }}
             items:
               - key: tls.crt

charts/ingress-nginx/templates/controller-deployment.yaml

@@ -230,7 +230,7 @@ spec:
       {{- if .Values.controller.admissionWebhooks.enabled }}
         - name: webhook-cert
           secret:
-            secretName: {{ include "ingress-nginx.fullname" . }}-admission
+            secretName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
         {{- if .Values.controller.admissionWebhooks.certManager.enabled }}
             items:
               - key: tls.crt

charts/ingress-nginx/values.yaml

@@ -586,6 +586,7 @@ controller:
       allowPrivilegeEscalation: false
     resources: {}
   admissionWebhooks:
+    name: admission
     annotations: {}
     # ignore-check.kube-linter.io/no-read-only-rootfs: "This deployment needs write access to root filesystem".
 
@@ -622,6 +623,7 @@ controller:
       servicePort: 443
       type: ClusterIP
     createSecretJob:
+      name: create
       securityContext:
         allowPrivilegeEscalation: false
       resources: {}
@@ -632,6 +634,7 @@ controller:
       #   cpu: 10m
       #   memory: 20Mi
     patchWebhookJob:
+      name: patch
       securityContext:
         allowPrivilegeEscalation: false
       resources: {}