From 3217339a5d8fd07a3ab75dbedd6c33ebc26d9d57 Mon Sep 17 00:00:00 2001
From: Reddysekhar Gaduputi
Date: Sun, 2 Jun 2024 15:55:43 +0530
Subject: [PATCH] Chart make admission webhook patch job RBAC configurable (#11375)

Signed-off-by: Reddysekhar Gaduputi
---
 charts/ingress-nginx/README.md | 8 ++++++--
 charts/ingress-nginx/templates/_helpers.tpl | 10 +++++-----
 .../job-patch/clusterrole.yaml | 2 +-
 .../job-patch/clusterrolebinding.yaml | 4 ++--
 .../job-patch/job-createSecret.yaml | 2 +-
 .../job-patch/job-patchWebhook.yaml | 2 +-
 .../admission-webhooks/job-patch/role.yaml | 2 +-
 .../job-patch/rolebinding.yaml | 4 ++--
 .../job-patch/serviceaccount.yaml | 6 +++---
 .../admission-webhooks-clusterrole_test.yaml | 11 ----------
 ...sion-webhooks-clusterrolebinding_test.yaml | 11 ----------
 .../admission-webhooks-role_test.yaml | 11 ----------
 .../admission-webhooks-rolebinding_test.yaml | 11 ----------
 .../job-patch/clusterrole_test.yaml | 11 ++++++++++
 .../job-patch/clusterrolebinding_test.yaml | 11 ++++++++++
 .../job-patch/role_test.yaml | 11 ++++++++++
 .../job-patch/rolebinding_test.yaml | 11 ++++++++++
 .../serviceaccount_test.yaml} | 20 +++++++++----------
 charts/ingress-nginx/values.yaml | 20 +++++++++++--------
 19 files changed, 88 insertions(+), 80 deletions(-)
 delete mode 100644 charts/ingress-nginx/tests/admission-webhooks/admission-webhooks-clusterrole_test.yaml
 delete mode 100644 charts/ingress-nginx/tests/admission-webhooks/admission-webhooks-clusterrolebinding_test.yaml
 delete mode 100644 charts/ingress-nginx/tests/admission-webhooks/admission-webhooks-role_test.yaml
 delete mode 100644 charts/ingress-nginx/tests/admission-webhooks/admission-webhooks-rolebinding_test.yaml
 create mode 100644 charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrole_test.yaml
 create mode 100644 charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrolebinding_test.yaml
 create mode 100644 charts/ingress-nginx/tests/admission-webhooks/job-patch/role_test.yaml
 create mode 100644 charts/ingress-nginx/tests/admission-webhooks/job-patch/rolebinding_test.yaml
 rename charts/ingress-nginx/tests/admission-webhooks/{admission-webhooks-service-account_test.yaml => job-patch/serviceaccount_test.yaml} (53%)

diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md
index 9e7a62a1b..70c3dd235 100644
--- a/charts/ingress-nginx/README.md
+++ b/charts/ingress-nginx/README.md
@@ -263,19 +263,23 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | |
 | controller.admissionWebhooks.patch.podAnnotations | object | `{}` | |
 | controller.admissionWebhooks.patch.priorityClassName | string | `""` | Provide a priority class name to the webhook patching job # |
+| controller.admissionWebhooks.patch.rbac | object | `{"create":true}` | Admission webhook patch job RBAC |
+| controller.admissionWebhooks.patch.rbac.create | bool | `true` | Create RBAC or not |
 | controller.admissionWebhooks.patch.securityContext | object | `{}` | Security context for secret creation & webhook patch pods |
+| controller.admissionWebhooks.patch.serviceAccount | object | `{"automountServiceAccountToken":true,"create":true,"name":""}` | Admission webhook patch job service account |
+| controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken | bool | `true` | Auto-mount service account token or not |
+| controller.admissionWebhooks.patch.serviceAccount.create | bool | `true` | Create a service account or not |
+| controller.admissionWebhooks.patch.serviceAccount.name | string | `""` | Custom service account name |
 | controller.admissionWebhooks.patch.tolerations | list | `[]` | |
 | controller.admissionWebhooks.patchWebhookJob.name | string | `"patch"` | |
 | controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` | |
 | controller.admissionWebhooks.patchWebhookJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for webhook patch containers |
 | controller.admissionWebhooks.port | int | `8443` | |
-| controller.admissionWebhooks.rbac | object | `{"create":true}` | Create RBAC for admission webhook patch job or not |
 | controller.admissionWebhooks.service.annotations | object | `{}` | |
 | controller.admissionWebhooks.service.externalIPs | list | `[]` | |
 | controller.admissionWebhooks.service.loadBalancerSourceRanges | list | `[]` | |
 | controller.admissionWebhooks.service.servicePort | int | `443` | |
 | controller.admissionWebhooks.service.type | string | `"ClusterIP"` | |
-| controller.admissionWebhooks.serviceAccount | object | `{"automountServiceAccountToken":true,"create":true,"name":""}` | ServiceAccount for admission webhook patch job |
 | controller.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity # |
 | controller.allowSnippetAnnotations | bool | `false` | This configuration defines if Ingress Controller should allow users to set their own *-snippet annotations, otherwise this is forbidden / dropped when users add those annotations. Global snippets in ConfigMap are still respected |
 | controller.annotations | object | `{}` | Annotations to be added to the controller Deployment or DaemonSet # |
diff --git a/charts/ingress-nginx/templates/_helpers.tpl b/charts/ingress-nginx/templates/_helpers.tpl
index aeed83534..0c6a3e207 100644
--- a/charts/ingress-nginx/templates/_helpers.tpl
+++ b/charts/ingress-nginx/templates/_helpers.tpl
@@ -168,13 +168,13 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- end -}}
 
 {{/*
-Create the name of the admission webhook job service account to use
+Create the name of the admission webhook patch job service account to use
 */}}
-{{- define "ingress-nginx.admissionWebhooks.serviceAccountName" -}}
-{{- if .Values.controller.admissionWebhooks.serviceAccount.create -}}
- {{ default (include "ingress-nginx.admissionWebhooks.fullname" .) .Values.controller.admissionWebhooks.serviceAccount.name }}
+{{- define "ingress-nginx.admissionWebhooks.patch.serviceAccountName" -}}
+{{- if .Values.controller.admissionWebhooks.patch.serviceAccount.create -}}
+ {{ default (include "ingress-nginx.admissionWebhooks.fullname" .) .Values.controller.admissionWebhooks.patch.serviceAccount.name }}
 {{- else -}}
- {{ default "default" .Values.controller.admissionWebhooks.serviceAccount.name }}
+ {{ default "default" .Values.controller.admissionWebhooks.patch.serviceAccount.name }}
 {{- end -}}
 {{- end -}}
 
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
index 4d3f7340c..a21848201 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
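Review bot: Releases that still set `controller.admissionWebhooks.rbac` or `controller.admissionWebhooks.serviceAccount` render without any error after this rename and silently pick up the new `.patch.*` defaults, since Helm does not reject unknown values. That matters for least privilege: an operator who opted out with `rbac.create: false` gets the chart's Role/ClusterRole created again, and a custom `serviceAccount.name` pointing at a pre-existing, deliberately scoped account is replaced by a freshly created one that the clusterrolebinding and rolebinding hunks bind instead. Failing fast at render time is a three-line addition to this define or a sibling template: `{{- if or .Values.controller.admissionWebhooks.rbac .Values.controller.admissionWebhooks.serviceAccount -}}` / `{{- fail "controller.admissionWebhooks.rbac and .serviceAccount moved to controller.admissionWebhooks.patch.rbac and .patch.serviceAccount" -}}` / `{{- end -}}`. The same silent move applies to the clusterrole.yaml, clusterrolebinding.yaml, role.yaml, rolebinding.yaml, serviceaccount.yaml and values.yaml hunks; an upgrade note in the chart's changelog would cover the rest.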
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
index 0cef12dea..b89388433 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -18,6 +18,6 @@ roleRef:
 name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
 subjects:
 - kind: ServiceAccount
- name: {{ template "ingress-nginx.admissionWebhooks.serviceAccountName" . }}
+ name: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }}
 namespace: {{ include "ingress-nginx.namespace" . }}
 {{- end }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
index a3e1443ca..176616467 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
@@ -66,7 +66,7 @@ spec:
 resources: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.resources | nindent 12 }}
 {{- end }}
 restartPolicy: OnFailure
- serviceAccountName: {{ template "ingress-nginx.admissionWebhooks.serviceAccountName" . }}
+ serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }}
 {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
 nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
 {{- end }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
index 4a772c6ae..f7d44a24d 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
@@ -68,7 +68,7 @@ spec:
 resources: {{ toYaml .Values.controller.admissionWebhooks.patchWebhookJob.resources | nindent 12 }}
 {{- end }}
 restartPolicy: OnFailure
- serviceAccountName: {{ template "ingress-nginx.admissionWebhooks.serviceAccountName" . }}
+ serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }}
 {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
 nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
 {{- end }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
index 75d76150f..c4b23aa08 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
index 7e8873e82..425e8d821 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -19,6 +19,6 @@ roleRef:
 name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
 subjects:
 - kind: ServiceAccount
- name: {{ template "ingress-nginx.admissionWebhooks.serviceAccountName" . }}
+ name: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }}
 namespace: {{ include "ingress-nginx.namespace" . }}
 {{- end }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
index 12b0b5863..52f94dcce 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
@@ -1,8 +1,8 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.serviceAccount.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.serviceAccount.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
- name: {{ template "ingress-nginx.admissionWebhooks.serviceAccountName" . }}
+ name: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }}
 namespace: {{ include "ingress-nginx.namespace" . }}
 annotations:
 "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
@@ -13,5 +13,5 @@ metadata:
 {{- with .Values.controller.admissionWebhooks.patch.labels }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
-automountServiceAccountToken: {{ .Values.controller.admissionWebhooks.serviceAccount.automountServiceAccountToken }}
+automountServiceAccountToken: {{ .Values.controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken }}
 {{- end }}
diff --git a/charts/ingress-nginx/tests/admission-webhooks/admission-webhooks-clusterrole_test.yaml b/charts/ingress-nginx/tests/admission-webhooks/admission-webhooks-clusterrole_test.yaml
deleted file mode 100644
index 5535b62ff..000000000
--- a/charts/ingress-nginx/tests/admission-webhooks/admission-webhooks-clusterrole_test.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-suite: AdmissionWebhooks > RBAC > ClusterRole
-templates:
- - admission-webhooks/job-patch/clusterrole.yaml
-
-tests:
- - it: should not create ClusterRole if `controller.admissionWebhooks.rbac.create` is false
- set:
- controller.admissionWebhooks.rbac.create: false
- asserts:
- - hasDocuments:
- count: 0
diff --git a/charts/ingress-nginx/tests/admission-webhooks/admission-webhooks-clusterrolebinding_test.yaml b/charts/ingress-nginx/tests/admission-webhooks/admission-webhooks-clusterrolebinding_test.yaml
deleted file mode 100644
index 8c8a728c6..000000000
--- a/charts/ingress-nginx/tests/admission-webhooks/admission-webhooks-clusterrolebinding_test.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-suite: AdmissionWebhooks > RBAC > ClusterRoleBinding
-templates:
- - admission-webhooks/job-patch/clusterrolebinding.yaml
-
-tests:
- - it: should not create ClusterRoleBinding if `controller.admissionWebhooks.rbac.create` is false
- set:
- controller.admissionWebhooks.rbac.create: false
- asserts:
- - hasDocuments:
- count: 0
diff --git a/charts/ingress-nginx/tests/admission-webhooks/admission-webhooks-role_test.yaml b/charts/ingress-nginx/tests/admission-webhooks/admission-webhooks-role_test.yaml
deleted file mode 100644
index ed829ae4d..000000000
--- a/charts/ingress-nginx/tests/admission-webhooks/admission-webhooks-role_test.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-suite: AdmissionWebhooks > RBAC > Role
-templates:
- - admission-webhooks/job-patch/role.yaml
-
-tests:
- - it: should not create Role if `controller.admissionWebhooks.rbac.create` is false
- set:
- controller.admissionWebhooks.rbac.create: false
- asserts:
- - hasDocuments:
- count: 0
diff --git a/charts/ingress-nginx/tests/admission-webhooks/admission-webhooks-rolebinding_test.yaml b/charts/ingress-nginx/tests/admission-webhooks/admission-webhooks-rolebinding_test.yaml
deleted file mode 100644
index 748ece8a6..000000000
--- a/charts/ingress-nginx/tests/admission-webhooks/admission-webhooks-rolebinding_test.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-suite: AdmissionWebhooks > RBAC > RoleBinding
-templates:
- - admission-webhooks/job-patch/rolebinding.yaml
-
-tests:
- - it: should not create RoleBinding if `controller.admissionWebhooks.rbac.create` is false
- set:
- controller.admissionWebhooks.rbac.create: false
- asserts:
- - hasDocuments:
- count: 0
diff --git a/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrole_test.yaml b/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrole_test.yaml
new file mode 100644
index 000000000..8c392d970
--- /dev/null
+++ b/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrole_test.yaml
@@ -0,0 +1,11 @@
+suite: AdmissionWebhooks > Patch Job > ClusterRole
+templates:
+ - admission-webhooks/job-patch/clusterrole.yaml
+
+tests:
+ - it: should not create a ClusterRole if `controller.admissionWebhooks.patch.rbac.create` is false
+ set:
+ controller.admissionWebhooks.patch.rbac.create: false
+ asserts:
+ - hasDocuments:
+ count: 0
diff --git a/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrolebinding_test.yaml b/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrolebinding_test.yaml
new file mode 100644
index 000000000..27c173925
--- /dev/null
+++ b/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrolebinding_test.yaml
@@ -0,0 +1,11 @@
+suite: AdmissionWebhooks > Patch Job > ClusterRoleBinding
+templates:
+ - admission-webhooks/job-patch/clusterrolebinding.yaml
+
+tests:
+ - it: should not create a ClusterRoleBinding if `controller.admissionWebhooks.patch.rbac.create` is false
+ set:
+ controller.admissionWebhooks.patch.rbac.create: false
+ asserts:
+ - hasDocuments:
+ count: 0
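Review bot: The new clusterrolebinding_test.yaml only checks that nothing renders when `controller.admissionWebhooks.patch.rbac.create` is false; nothing exercises the renamed subject lookup, so a regression that binds the ClusterRole to the wrong ServiceAccount (the helper now behind `ingress-nginx.admissionWebhooks.patch.serviceAccountName`) would still pass the suite. A positive case that sets `controller.admissionWebhooks.patch.serviceAccount.name` and asserts `subjects[0].name` pins the binding to the configured account; the same gap exists in rolebinding_test.yaml in the next hunk. The `equal` assertion already used in serviceaccount_test.yaml is all it needs.
```yaml
tests:
  # … unchanged: negative case for patch.rbac.create=false …
  - it: should bind the ClusterRole to the configured ServiceAccount if `controller.admissionWebhooks.patch.serviceAccount.name` is set
    set:
      controller.admissionWebhooks.patch.serviceAccount.name: ingress-nginx-admission-test-sa
    asserts:
      - hasDocuments:
          count: 1
      - equal:
          path: subjects[0].name
          value: ingress-nginx-admission-test-sa
```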
diff --git a/charts/ingress-nginx/tests/admission-webhooks/job-patch/role_test.yaml b/charts/ingress-nginx/tests/admission-webhooks/job-patch/role_test.yaml
new file mode 100644
index 000000000..4436de480
--- /dev/null
+++ b/charts/ingress-nginx/tests/admission-webhooks/job-patch/role_test.yaml
@@ -0,0 +1,11 @@
+suite: AdmissionWebhooks > Patch Job > Role
+templates:
+ - admission-webhooks/job-patch/role.yaml
+
+tests:
+ - it: should not create a Role if `controller.admissionWebhooks.patch.rbac.create` is false
+ set:
+ controller.admissionWebhooks.patch.rbac.create: false
+ asserts:
+ - hasDocuments:
+ count: 0
diff --git a/charts/ingress-nginx/tests/admission-webhooks/job-patch/rolebinding_test.yaml b/charts/ingress-nginx/tests/admission-webhooks/job-patch/rolebinding_test.yaml
new file mode 100644
index 000000000..21f36d07f
--- /dev/null
+++ b/charts/ingress-nginx/tests/admission-webhooks/job-patch/rolebinding_test.yaml
@@ -0,0 +1,11 @@
+suite: AdmissionWebhooks > Patch Job > RoleBinding
+templates:
+ - admission-webhooks/job-patch/rolebinding.yaml
+
+tests:
+ - it: should not create a RoleBinding if `controller.admissionWebhooks.patch.rbac.create` is false
+ set:
+ controller.admissionWebhooks.patch.rbac.create: false
+ asserts:
+ - hasDocuments:
+ count: 0
diff --git a/charts/ingress-nginx/tests/admission-webhooks/admission-webhooks-service-account_test.yaml b/charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml
similarity index 53%
rename from charts/ingress-nginx/tests/admission-webhooks/admission-webhooks-service-account_test.yaml
rename to charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml
index efd094cf8..30fd9c06c 100644
--- a/charts/ingress-nginx/tests/admission-webhooks/admission-webhooks-service-account_test.yaml
+++ b/charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml
@@ -1,18 +1,18 @@
-suite: AdmissionWebhooks > ServiceAccount
+suite: AdmissionWebhooks > Patch Job > ServiceAccount
 templates:
- - admission-webhooks/serviceaccount.yaml
+ - admission-webhooks/job-patch/serviceaccount.yaml
 
 tests:
- - it: should not create a ServiceAccount if `controller.admissionWebhooks.serviceAccount.create` is false
+ - it: should not create a ServiceAccount if `controller.admissionWebhooks.patch.serviceAccount.create` is false
 set:
- controller.admissionWebhooks.serviceAccount.create: false
+ controller.admissionWebhooks.patch.serviceAccount.create: false
 asserts:
 - hasDocuments:
 count: 0
 
- - it: should create a ServiceAccount if `controller.admissionWebhooks.serviceAccount.create` is true
+ - it: should create a ServiceAccount if `controller.admissionWebhooks.patch.serviceAccount.create` is true
 set:
- controller.admissionWebhooks.serviceAccount.create: true
+ controller.admissionWebhooks.patch.serviceAccount.create: true
 asserts:
 - hasDocuments:
 count: 1
@@ -22,9 +22,9 @@ tests:
 path: metadata.name
 value: ingress-nginx-admission
 
- - it: should create a ServiceAccount with specified name if `controller.admissionWebhooks.serviceAccount.name` is set to non-empty value
+ - it: should create a ServiceAccount with specified name if `controller.admissionWebhooks.patch.serviceAccount.name` is set
 set:
- controller.admissionWebhooks.serviceAccount.name: ingress-nginx-admission-test-sa
+ controller.admissionWebhooks.patch.serviceAccount.name: ingress-nginx-admission-test-sa
 asserts:
 - hasDocuments:
 count: 1
@@ -34,9 +34,9 @@ tests:
 path: metadata.name
 value: ingress-nginx-admission-test-sa
 
- - it: automountServiceAccountToken in ServiceAccount should be false if `controller.admissionWebhooks.serviceAccount.automountServiceAccountToken` is false
+ - it: should create a ServiceAccount with token auto-mounting disabled if `controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken` is false
 set:
- controller.admissionWebhooks.serviceAccount.automountServiceAccountToken: false
+ controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken: false
 asserts:
 - hasDocuments:
 count: 1
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index 929cf11e4..41b61c8d3 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -754,14 +754,6 @@ controller:
 labels: {}
 # -- Use an existing PSP instead of creating one
 existingPsp: ""
- # -- Create RBAC for admission webhook patch job or not
- rbac:
- create: true
- # -- ServiceAccount for admission webhook patch job
- serviceAccount:
- create: true
- name: ""
- automountServiceAccountToken: true
 service:
 annotations: {}
 # clusterIP: ""
@@ -830,6 +822,18 @@ controller:
 labels: {}
 # -- Security context for secret creation & webhook patch pods
 securityContext: {}
+ # -- Admission webhook patch job RBAC
+ rbac:
+ # -- Create RBAC or not
+ create: true
+ # -- Admission webhook patch job service account
+ serviceAccount:
+ # -- Create a service account or not
+ create: true
+ # -- Custom service account name
+ name: ""
+ # -- Auto-mount service account token or not
+ automountServiceAccountToken: true
 # Use certmanager to generate webhook certs
 certManager:
 enabled: false
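Review bot: The comment on the new `serviceAccount.name` key does not say what happens when `create` is false and the name is left empty: the renamed helper in _helpers.tpl falls back to the literal `default`, so the patch job runs as the namespace's `default` ServiceAccount and, with `rbac.create` still true, the Role and ClusterRole from the binding templates are bound to that shared account instead of a dedicated one. That is a least-privilege trap best stated where the knob is set; suggested text in place of `# -- Custom service account name`: `# -- Custom service account name. With create=false and an empty name, the patch job runs as the namespace's default ServiceAccount and the RBAC bindings target it`. The README rows appear to be generated from these `# --` comments, so the same wording would reach chart users there.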