Chart make admission webhook patch job RBAC configurable (#11375)

Signed-off-by: Reddysekhar Gaduputi <gsekhar73@gmail.com>
2024-06-02 15:55:43 +05:30 · 2024-06-02 15:55:43 +05:30 · 3217339a5d
commit 3217339a5d
parent 4a74fee06d
19 changed files with 88 additions and 80 deletions
--- a/charts/ingress-nginx/README.md
+++ b/charts/ingress-nginx/README.md
@ -263,19 +263,23 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` |  |
 | controller.admissionWebhooks.patch.podAnnotations | object | `{}` |  |
 | controller.admissionWebhooks.patch.priorityClassName | string | `""` | Provide a priority class name to the webhook patching job # |
+| controller.admissionWebhooks.patch.rbac | object | `{"create":true}` | Admission webhook patch job RBAC |
+| controller.admissionWebhooks.patch.rbac.create | bool | `true` | Create RBAC or not |
 | controller.admissionWebhooks.patch.securityContext | object | `{}` | Security context for secret creation & webhook patch pods |
+| controller.admissionWebhooks.patch.serviceAccount | object | `{"automountServiceAccountToken":true,"create":true,"name":""}` | Admission webhook patch job service account |
+| controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken | bool | `true` | Auto-mount service account token or not |
+| controller.admissionWebhooks.patch.serviceAccount.create | bool | `true` | Create a service account or not |
+| controller.admissionWebhooks.patch.serviceAccount.name | string | `""` | Custom service account name |
 | controller.admissionWebhooks.patch.tolerations | list | `[]` |  |
 | controller.admissionWebhooks.patchWebhookJob.name | string | `"patch"` |  |
 | controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` |  |
 | controller.admissionWebhooks.patchWebhookJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for webhook patch containers |
 | controller.admissionWebhooks.port | int | `8443` |  |
-| controller.admissionWebhooks.rbac | object | `{"create":true}` | Create RBAC for admission webhook patch job or not |
 | controller.admissionWebhooks.service.annotations | object | `{}` |  |
 | controller.admissionWebhooks.service.externalIPs | list | `[]` |  |
 | controller.admissionWebhooks.service.loadBalancerSourceRanges | list | `[]` |  |
 | controller.admissionWebhooks.service.servicePort | int | `443` |  |
 | controller.admissionWebhooks.service.type | string | `"ClusterIP"` |  |
-| controller.admissionWebhooks.serviceAccount | object | `{"automountServiceAccountToken":true,"create":true,"name":""}` | ServiceAccount for admission webhook patch job |
 | controller.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity # |
 | controller.allowSnippetAnnotations | bool | `false` | This configuration defines if Ingress Controller should allow users to set their own *-snippet annotations, otherwise this is forbidden / dropped when users add those annotations. Global snippets in ConfigMap are still respected |
 | controller.annotations | object | `{}` | Annotations to be added to the controller Deployment or DaemonSet # |
--- a/charts/ingress-nginx/templates/_helpers.tpl
+++ b/charts/ingress-nginx/templates/_helpers.tpl
@ -168,13 +168,13 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- end -}}

 {{/*
-Create the name of the admission webhook job service account to use
+Create the name of the admission webhook patch job service account to use
 */}}
-{{- define "ingress-nginx.admissionWebhooks.serviceAccountName" -}}
-{{- if .Values.controller.admissionWebhooks.serviceAccount.create -}}
-    {{ default (include "ingress-nginx.admissionWebhooks.fullname" .) .Values.controller.admissionWebhooks.serviceAccount.name }}
+{{- define "ingress-nginx.admissionWebhooks.patch.serviceAccountName" -}}
+{{- if .Values.controller.admissionWebhooks.patch.serviceAccount.create -}}
+    {{ default (include "ingress-nginx.admissionWebhooks.fullname" .) .Values.controller.admissionWebhooks.patch.serviceAccount.name }}
 {{- else -}}
-    {{ default "default" .Values.controller.admissionWebhooks.serviceAccount.name }}
+    {{ default "default" .Values.controller.admissionWebhooks.patch.serviceAccount.name }}
 {{- end -}}
 {{- end -}}

--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
@ -1,4 +1,4 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
@ -1,4 +1,4 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@ -18,6 +18,6 @@ roleRef:
  name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
 subjects:
  - kind: ServiceAccount
-    name: {{ template "ingress-nginx.admissionWebhooks.serviceAccountName" . }}
+    name: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }}
    namespace: {{ include "ingress-nginx.namespace" . }}
 {{- end }}
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
@ -66,7 +66,7 @@ spec:
          resources: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.resources | nindent 12 }}
          {{- end }}
      restartPolicy: OnFailure
-      serviceAccountName: {{ template "ingress-nginx.admissionWebhooks.serviceAccountName" . }}
+      serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }}
    {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
      nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
    {{- end }}
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
@ -68,7 +68,7 @@ spec:
          resources: {{ toYaml .Values.controller.admissionWebhooks.patchWebhookJob.resources | nindent 12 }}
          {{- end }}
      restartPolicy: OnFailure
-      serviceAccountName: {{ template "ingress-nginx.admissionWebhooks.serviceAccountName" . }}
+      serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }}
    {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
      nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
    {{- end }}
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
@ -1,4 +1,4 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
@ -1,4 +1,4 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@ -19,6 +19,6 @@ roleRef:
  name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
 subjects:
  - kind: ServiceAccount
-    name: {{ template "ingress-nginx.admissionWebhooks.serviceAccountName" . }}
+    name: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }}
    namespace: {{ include "ingress-nginx.namespace" . }}
 {{- end }}
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
@ -1,8 +1,8 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.serviceAccount.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.serviceAccount.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ template "ingress-nginx.admissionWebhooks.serviceAccountName" . }}
+  name: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }}
  namespace: {{ include "ingress-nginx.namespace" . }}
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
@ -13,5 +13,5 @@ metadata:
    {{- with .Values.controller.admissionWebhooks.patch.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
-automountServiceAccountToken: {{ .Values.controller.admissionWebhooks.serviceAccount.automountServiceAccountToken }}
+automountServiceAccountToken: {{ .Values.controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken }}
 {{- end }}
--- a/charts/ingress-nginx/tests/admission-webhooks/admission-webhooks-clusterrole_test.yaml
+++ b/charts/ingress-nginx/tests/admission-webhooks/admission-webhooks-clusterrole_test.yaml
@ -1,11 +0,0 @@
-suite: AdmissionWebhooks > RBAC > ClusterRole
-templates:
-  - admission-webhooks/job-patch/clusterrole.yaml
-
-tests:
-  - it: should not create ClusterRole if `controller.admissionWebhooks.rbac.create` is false
-    set:
-      controller.admissionWebhooks.rbac.create: false
-    asserts:
-      - hasDocuments:
-          count: 0
--- a/charts/ingress-nginx/tests/admission-webhooks/admission-webhooks-clusterrolebinding_test.yaml
+++ b/charts/ingress-nginx/tests/admission-webhooks/admission-webhooks-clusterrolebinding_test.yaml
@ -1,11 +0,0 @@
-suite: AdmissionWebhooks > RBAC > ClusterRoleBinding
-templates:
-  - admission-webhooks/job-patch/clusterrolebinding.yaml
-
-tests:
-  - it: should not create ClusterRoleBinding if `controller.admissionWebhooks.rbac.create` is false
-    set:
-      controller.admissionWebhooks.rbac.create: false
-    asserts:
-      - hasDocuments:
-          count: 0
--- a/charts/ingress-nginx/tests/admission-webhooks/admission-webhooks-role_test.yaml
+++ b/charts/ingress-nginx/tests/admission-webhooks/admission-webhooks-role_test.yaml
@ -1,11 +0,0 @@
-suite: AdmissionWebhooks > RBAC > Role
-templates:
-  - admission-webhooks/job-patch/role.yaml
-
-tests:
-  - it: should not create Role if `controller.admissionWebhooks.rbac.create` is false
-    set:
-      controller.admissionWebhooks.rbac.create: false
-    asserts:
-      - hasDocuments:
-          count: 0
--- a/charts/ingress-nginx/tests/admission-webhooks/admission-webhooks-rolebinding_test.yaml
+++ b/charts/ingress-nginx/tests/admission-webhooks/admission-webhooks-rolebinding_test.yaml
@ -1,11 +0,0 @@
-suite: AdmissionWebhooks > RBAC > RoleBinding
-templates:
-  - admission-webhooks/job-patch/rolebinding.yaml
-
-tests:
-  - it: should not create RoleBinding if `controller.admissionWebhooks.rbac.create` is false
-    set:
-      controller.admissionWebhooks.rbac.create: false
-    asserts:
-      - hasDocuments:
-          count: 0
--- a/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrole_test.yaml
+++ b/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrole_test.yaml
@ -0,0 +1,11 @@
+suite: AdmissionWebhooks > Patch Job > ClusterRole
+templates:
+  - admission-webhooks/job-patch/clusterrole.yaml
+
+tests:
+  - it: should not create a ClusterRole if `controller.admissionWebhooks.patch.rbac.create` is false
+    set:
+      controller.admissionWebhooks.patch.rbac.create: false
+    asserts:
+      - hasDocuments:
+          count: 0
--- a/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrolebinding_test.yaml
+++ b/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrolebinding_test.yaml
@ -0,0 +1,11 @@
+suite: AdmissionWebhooks > Patch Job > ClusterRoleBinding
+templates:
+  - admission-webhooks/job-patch/clusterrolebinding.yaml
+
+tests:
+  - it: should not create a ClusterRoleBinding if `controller.admissionWebhooks.patch.rbac.create` is false
+    set:
+      controller.admissionWebhooks.patch.rbac.create: false
+    asserts:
+      - hasDocuments:
+          count: 0
--- a/charts/ingress-nginx/tests/admission-webhooks/job-patch/role_test.yaml
+++ b/charts/ingress-nginx/tests/admission-webhooks/job-patch/role_test.yaml
@ -0,0 +1,11 @@
+suite: AdmissionWebhooks > Patch Job > Role
+templates:
+  - admission-webhooks/job-patch/role.yaml
+
+tests:
+  - it: should not create a Role if `controller.admissionWebhooks.patch.rbac.create` is false
+    set:
+      controller.admissionWebhooks.patch.rbac.create: false
+    asserts:
+      - hasDocuments:
+          count: 0
--- a/charts/ingress-nginx/tests/admission-webhooks/job-patch/rolebinding_test.yaml
+++ b/charts/ingress-nginx/tests/admission-webhooks/job-patch/rolebinding_test.yaml
@ -0,0 +1,11 @@
+suite: AdmissionWebhooks > Patch Job > RoleBinding
+templates:
+  - admission-webhooks/job-patch/rolebinding.yaml
+
+tests:
+  - it: should not create a RoleBinding if `controller.admissionWebhooks.patch.rbac.create` is false
+    set:
+      controller.admissionWebhooks.patch.rbac.create: false
+    asserts:
+      - hasDocuments:
+          count: 0
--- a/charts/ingress-nginx/tests/admission-webhooks/admission-webhooks-service-account_test.yaml
+++ b/charts/ingress-nginx/tests/admission-webhooks/admission-webhooks-service-account_test.yaml
@ -1,18 +1,18 @@
-suite: AdmissionWebhooks > ServiceAccount
+suite: AdmissionWebhooks > Patch Job > ServiceAccount
 templates:
-  - admission-webhooks/serviceaccount.yaml
+  - admission-webhooks/job-patch/serviceaccount.yaml

 tests:
-  - it: should not create a ServiceAccount if `controller.admissionWebhooks.serviceAccount.create` is false
+  - it: should not create a ServiceAccount if `controller.admissionWebhooks.patch.serviceAccount.create` is false
    set:
-      controller.admissionWebhooks.serviceAccount.create: false
+      controller.admissionWebhooks.patch.serviceAccount.create: false
    asserts:
      - hasDocuments:
          count: 0

-  - it: should create a ServiceAccount if `controller.admissionWebhooks.serviceAccount.create` is true
+  - it: should create a ServiceAccount if `controller.admissionWebhooks.patch.serviceAccount.create` is true
    set:
-      controller.admissionWebhooks.serviceAccount.create: true
+      controller.admissionWebhooks.patch.serviceAccount.create: true
    asserts:
      - hasDocuments:
          count: 1
@ -22,9 +22,9 @@ tests:
          path: metadata.name
          value: ingress-nginx-admission

-  - it: should create a ServiceAccount with specified name if `controller.admissionWebhooks.serviceAccount.name` is set to non-empty value
+  - it: should create a ServiceAccount with specified name if `controller.admissionWebhooks.patch.serviceAccount.name` is set
    set:
-      controller.admissionWebhooks.serviceAccount.name: ingress-nginx-admission-test-sa
+      controller.admissionWebhooks.patch.serviceAccount.name: ingress-nginx-admission-test-sa
    asserts:
      - hasDocuments:
          count: 1
@ -34,9 +34,9 @@ tests:
          path: metadata.name
          value: ingress-nginx-admission-test-sa

-  - it: automountServiceAccountToken in ServiceAccount should be false if `controller.admissionWebhooks.serviceAccount.automountServiceAccountToken` is false
+  - it: should create a ServiceAccount with token auto-mounting disabled if `controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken` is false
    set:
-      controller.admissionWebhooks.serviceAccount.automountServiceAccountToken: false
+      controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken: false
    asserts:
      - hasDocuments:
          count: 1
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@ -754,14 +754,6 @@ controller:
    labels: {}
    # -- Use an existing PSP instead of creating one
    existingPsp: ""
-    # -- Create RBAC for admission webhook patch job or not
-    rbac:
-      create: true
-    # -- ServiceAccount for admission webhook patch job
-    serviceAccount:
-      create: true
-      name: ""
-      automountServiceAccountToken: true
    service:
      annotations: {}
      # clusterIP: ""
@ -830,6 +822,18 @@ controller:
      labels: {}
      # -- Security context for secret creation & webhook patch pods
      securityContext: {}
+      # -- Admission webhook patch job RBAC
+      rbac:
+        # -- Create RBAC or not
+        create: true
+      # -- Admission webhook patch job service account
+      serviceAccount:
+        # -- Create a service account or not
+        create: true
+        # -- Custom service account name
+        name: ""
+        # -- Auto-mount service account token or not
+        automountServiceAccountToken: true
    # Use certmanager to generate webhook certs
    certManager:
      enabled: false