Michal.Wrobel/openbao-helm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Maintain pre-existing Mutating Webhook default values for Kubernetes 1.22 (#692)

Browse source 
* Prepare default values for MutatingWebhookConfiguration #691
* Add values.yaml values to injector-mutating-webhook.yaml #691
* Duplicate and deprecate top-level webhook settings and put them in a webhook object
* Made the new values default with the fallback to the old values.yaml
* Fix _helpers.tpl to support both old and new webhook annotations
* Add new tests and deprecate old ones for injector webhook configuration
* Old tests now work with old values.yaml
* Add all new fields showing that they have priority over old ones
* Add deprecation note to injector.failurePolicy #691
This commit is contained in:
Remco Buddelmeijer 2022-03-18 15:15:43 +01:00 committed by GitHub
parent 549d9b87b2
commit 56a253ba97
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 328 additions and 82 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
templates/_helpers.tpl
View file

@ -372,13 +372,13 @@ Sets extra injector service annotations
Sets extra injector webhook annotations
*/}}
{{- define "injector.webhookAnnotations" -}}
{{- if .Values.injector.webhookAnnotations }}
{{- if or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations) }}
annotations:
{{- $tp := typeOf .Values.injector.webhookAnnotations }}
{{- $tp := typeOf (or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations)) }}
{{- if eq $tp "string" }}
{{- tpl .Values.injector.webhookAnnotations . | nindent 4 }}
{{- tpl (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) . | nindent 4 }}
{{- else }}
{{- toYaml .Values.injector.webhookAnnotations | nindent 4 }}
{{- toYaml (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}

18
templates/injector-mutating-webhook.yaml
View file

@ -14,10 +14,11 @@ metadata:
{{- template "injector.webhookAnnotations" . }}
webhooks:
- name: vault.hashicorp.com
failurePolicy: {{ ((.Values.injector.webhook)).failurePolicy | default .Values.injector.failurePolicy }}
matchPolicy: {{ ((.Values.injector.webhook)).matchPolicy | default "Exact" }}
sideEffects: None
admissionReviewVersions:
- "v1beta1"
- "v1"
timeoutSeconds: {{ ((.Values.injector.webhook)).timeoutSeconds | default "30" }}
admissionReviewVersions: ["v1", "v1beta1"]
clientConfig:
service:
name: {{ template "vault.fullname" . }}-agent-injector-svc
@ -29,15 +30,12 @@ webhooks:
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
{{- if .Values.injector.namespaceSelector }}
{{- if or (.Values.injector.namespaceSelector) (((.Values.injector.webhook)).namespaceSelector) }}
namespaceSelector:
{{ toYaml .Values.injector.namespaceSelector | indent 6}}
{{ toYaml (((.Values.injector.webhook)).namespaceSelector | default .Values.injector.namespaceSelector) | indent 6}}
{{ end }}
{{- if .Values.injector.objectSelector }}
{{- if or (((.Values.injector.webhook)).objectSelector) (.Values.injector.objectSelector) }}
objectSelector:
{{ toYaml .Values.injector.objectSelector | indent 6}}
{{ end }}
{{- with .Values.injector.failurePolicy }}
failurePolicy: {{.}}
{{ toYaml (((.Values.injector.webhook)).objectSelector | default .Values.injector.objectSelector) | indent 6}}
{{ end }}
{{ end }}

293
test/unit/injector-mutating-webhook.bats
View file

@ -53,18 +53,191 @@ load _helpers
[ "${actual}" = "\"\"" ]
}
@test "injector/MutatingWebhookConfiguration: namespaceSelector empty by default" {
@test "injector/MutatingWebhookConfiguration: failurePolicy 'Ignore' by default (deprecated)" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.webhook=null' \
--namespace foo \
. | tee /dev/stderr |
yq '.webhooks[0].failurePolicy' | tee /dev/stderr)
[ "${actual}" = "\"Ignore\"" ]
}
@test "injector/MutatingWebhookConfiguration: can set failurePolicy (deprecated)" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.webhook=null' \
--set 'injector.failurePolicy=Fail' \
. | tee /dev/stderr |
yq '.webhooks[0].failurePolicy' | tee /dev/stderr)
[ "${actual}" = "\"Fail\"" ]
}
@test "injector/MutatingWebhookConfiguration: webhook.failurePolicy 'Ignore' by default" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.failurePolicy=Invalid' \
. | tee /dev/stderr |
yq '.webhooks[0].failurePolicy' | tee /dev/stderr)
[ "${actual}" = "\"Ignore\"" ]
}
@test "injector/MutatingWebhookConfiguration: can set webhook.failurePolicy" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.webhook.failurePolicy=Fail' \
--set 'injector.failurePolicy=Invalid' \
. | tee /dev/stderr |
yq '.webhooks[0].failurePolicy' | tee /dev/stderr)
[ "${actual}" = "\"Fail\"" ]
}
@test "injector/MutatingWebhookConfiguration: webhook.matchPolicy 'Exact' by default" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
. | tee /dev/stderr |
yq '.webhooks[0].matchPolicy' | tee /dev/stderr)
[ "${actual}" = "\"Exact\"" ]
}
@test "injector/MutatingWebhookConfiguration: can set webhook.matchPolicy" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.webhook.matchPolicy=Equivalent' \
. | tee /dev/stderr |
yq '.webhooks[0].matchPolicy' | tee /dev/stderr)
[ "${actual}" = "\"Equivalent\"" ]
}
@test "injector/MutatingWebhookConfiguration: timeoutSeconds by default 30" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.webhook=null' \
. | tee /dev/stderr |
yq '.webhooks[0].timeoutSeconds' | tee /dev/stderr)
[ "${actual}" = "30" ]
}
@test "injector/MutatingWebhookConfiguration: can set webhook.timeoutSeconds" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.webhook.timeoutSeconds=50' \
. | tee /dev/stderr |
yq '.webhooks[0].timeoutSeconds' | tee /dev/stderr)
[ "${actual}" = "50" ]
}
#--------------------------------------------------------------------
# annotations
@test "injector/MutatingWebhookConfiguration: default webhookAnnotations (deprecated)" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.webhook=null' \
. | tee /dev/stderr |
yq -r '.metadata.annotations' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "injector/MutatingWebhookConfiguration: specify webhookAnnotations yaml (deprecated)" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.webhook=null' \
--set 'injector.webhookAnnotations.foo=bar' \
. | tee /dev/stderr |
yq -r '.metadata.annotations.foo' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
@test "injector/MutatingWebhookConfiguration: specify webhookAnnotations yaml string (deprecated)" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.webhook=null' \
--set 'injector.webhookAnnotations=foo: bar' \
. | tee /dev/stderr |
yq -r '.metadata.annotations.foo' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
@test "injector/MutatingWebhookConfiguration: default webhook.annotations" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
. | tee /dev/stderr |
yq -r '.metadata.annotations' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "injector/MutatingWebhookConfiguration: specify webhook.annotations yaml" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.webhook.annotations.foo=bar' \
--set 'injector.webhookAnnotations.invalid=invalid' \
. | tee /dev/stderr |
yq -r '.metadata.annotations.foo' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
@test "injector/MutatingWebhookConfiguration: specify webhook.annotations yaml string" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.webhook.annotations=foo: bar' \
--set 'injector.webhookAnnotations=invalid: invalid' \
. | tee /dev/stderr |
yq -r '.metadata.annotations.foo' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
#--------------------------------------------------------------------
# namespaceSelector
@test "injector/MutatingWebhookConfiguration: namespaceSelector empty by default (deprecated)" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.webhook=null' \
--namespace foo \
. | tee /dev/stderr |
yq '.webhooks[0].namespaceSelector' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "injector/MutatingWebhookConfiguration: can set namespaceSelector" {
@test "injector/MutatingWebhookConfiguration: can set namespaceSelector (deprecated)" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
@ -76,7 +249,59 @@ load _helpers
[ "${actual}" = "true" ]
}
@test "injector/MutatingWebhookConfiguration: objectSelector empty by default" {
@test "injector/MutatingWebhookConfiguration: webhook.namespaceSelector empty by default" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--namespace foo \
. | tee /dev/stderr |
yq '.webhooks[0].namespaceSelector' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "injector/MutatingWebhookConfiguration: can set set webhook.namespaceSelector" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.webhook.namespaceSelector.matchLabels.injector=true' \
--set 'injector.namespaceSelector.matchLabels.injector=false' \
. | tee /dev/stderr |
yq '.webhooks[0].namespaceSelector.matchLabels.injector' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# objectSelector
@test "injector/MutatingWebhookConfiguration: objectSelector empty by default (deprecated)" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.webhook=null' \
--namespace foo \
. | tee /dev/stderr |
yq '.webhooks[0].objectSelector' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "injector/MutatingWebhookConfiguration: can set objectSelector (deprecated)" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.webhook=null' \
--set 'injector.objectSelector.matchLabels.injector=true' \
. | tee /dev/stderr |
yq '.webhooks[0].objectSelector.matchLabels.injector' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "injector/MutatingWebhookConfiguration: webhook.objectSelector empty by default" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
@ -87,69 +312,15 @@ load _helpers
[ "${actual}" = "null" ]
}
@test "injector/MutatingWebhookConfiguration: can set objectSelector" {
@test "injector/MutatingWebhookConfiguration: can set webhook.objectSelector" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.objectSelector.matchLabels.injector=true' \
--set 'injector.webhook.objectSelector.matchLabels.injector=true' \
--set 'injector.objectSelector.matchLabels.injector=false' \
. | tee /dev/stderr |
yq '.webhooks[0].objectSelector.matchLabels.injector' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "injector/MutatingWebhookConfiguration: failurePolicy 'Ignore' by default" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--namespace foo \
. | tee /dev/stderr |
yq '.webhooks[0].failurePolicy' | tee /dev/stderr)
[ "${actual}" = "\"Ignore\"" ]
}
@test "injector/MutatingWebhookConfiguration: can set failurePolicy" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'injector.failurePolicy=Fail' \
. | tee /dev/stderr |
yq '.webhooks[0].failurePolicy' | tee /dev/stderr)
[ "${actual}" = "\"Fail\"" ]
}
#--------------------------------------------------------------------
# annotations
@test "injector/MutatingWebhookConfiguration: default annotations" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
. | tee /dev/stderr |
yq -r '.metadata.annotations' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "injector/MutatingWebhookConfiguration: specify annotations yaml" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.webhookAnnotations.foo=bar' \
. | tee /dev/stderr |
yq -r '.metadata.annotations.foo' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
@test "injector/MutatingWebhookConfiguration: specify annotations yaml string" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.webhookAnnotations=foo: bar' \
. | tee /dev/stderr |
yq -r '.metadata.annotations.foo' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
}

26
values.schema.json
View file

@ -374,6 +374,32 @@
"string"
]
},
"webhook": {
"type": "object",
"properties": {
"annotations": {
"type": [
"object",
"string"
]
},
"failurePolicy": {
"type": "string"
},
"matchPolicy": {
"type": "string"
},
"namespaceSelector": {
"type": "object"
},
"objectSelector": {
"type": "object"
},
"timeoutSeconds": {
"type": "integer"
}
}
},
"webhookAnnotations": {
"type": [
"object",

65
values.yaml
View file

@ -90,6 +90,61 @@ injector:
# Configures all Vault Agent sidecars to revoke their token when shutting down
revokeOnShutdown: false
webhook:
# Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the
# API Version of the WebHook.
# To block pod creation while webhook is unavailable, set the policy to `Fail` below.
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
#
failurePolicy: Ignore
# matchPolicy specifies the approach to accepting changes based on the rules of
# the MutatingWebhookConfiguration.
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy
# for more details.
#
matchPolicy: Exact
# timeoutSeconds is the amount of seconds before the webhook request will be ignored
# or fails.
# If it is ignored or fails depends on the failurePolicy
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#timeouts
# for more details.
#
timeoutSeconds: 30
# namespaceSelector is the selector for restricting the webhook to only
# specific namespaces.
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
# for more details.
# Example:
# namespaceSelector:
# matchLabels:
# sidecar-injector: enabled
namespaceSelector: {}
# objectSelector is the selector for restricting the webhook to only
# specific labels.
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector
# for more details.
# Example:
# objectSelector:
# matchLabels:
# vault-sidecar-injector: enabled
objectSelector: {}
# Extra annotations to attach to the webhook
annotations: {}
# Deprecated: please use 'webhook.failurePolicy' instead
# Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the
# API Version of the WebHook.
# To block pod creation while webhook is unavailable, set the policy to `Fail` below.
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
#
failurePolicy: Ignore
# Deprecated: please use 'webhook.namespaceSelector' instead
# namespaceSelector is the selector for restricting the webhook to only
# specific namespaces.
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
@ -99,6 +154,8 @@ injector:
# matchLabels:
# sidecar-injector: enabled
namespaceSelector: {}
# Deprecated: please use 'webhook.objectSelector' instead
# objectSelector is the selector for restricting the webhook to only
# specific labels.
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector
@ -109,13 +166,7 @@ injector:
# vault-sidecar-injector: enabled
objectSelector: {}
# Configures failurePolicy of the webhook. The "unspecified" default behaviour deoends on the
# API Version of the WebHook.
# To block pod creation while webhook is unavailable, set the policy to `Fail` below.
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
#
failurePolicy: Ignore
# Deprecated: please use 'webhook.annotations' instead
# Extra annotations to attach to the webhook
webhookAnnotations: {}