From 5eb0ba5865f152e297ae3924903e8ae72b97ce52 Mon Sep 17 00:00:00 2001
From: Ori Rawlings
Date: Tue, 13 Oct 2020 08:20:06 -0500
Subject: [PATCH] Add configurable failurePolicy for injector's webhook (#400)
Fixes #399
---
 templates/injector-mutating-webhook.yaml | 3 +++
 test/unit/injector-mutating-webhook.bats | 23 +++++++++++++++++++++++
 values.yaml | 6 ++++++
 3 files changed, 32 insertions(+)
diff --git a/templates/injector-mutating-webhook.yaml b/templates/injector-mutating-webhook.yaml
index 1417986..db8c337 100644
--- a/templates/injector-mutating-webhook.yaml
+++ b/templates/injector-mutating-webhook.yaml
@@ -24,4 +24,7 @@ webhooks:
 namespaceSelector:
 {{ toYaml .Values.injector.namespaceSelector | indent 6}}
 {{ end }}
+{{- with .Values.injector.failurePolicy }}
+ failurePolicy: {{.}}
+{{ end }}
 {{ end }}
diff --git a/test/unit/injector-mutating-webhook.bats b/test/unit/injector-mutating-webhook.bats
index 5fb2b6d..9668227 100755
--- a/test/unit/injector-mutating-webhook.bats
+++ b/test/unit/injector-mutating-webhook.bats
@@ -75,3 +75,26 @@ load _helpers
 [ "${actual}" = "true" ]
 }
+
+@test "injector/MutatingWebhookConfiguration: failurePolicy empty by default" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/injector-mutating-webhook.yaml \
+ --set 'injector.enabled=true' \
+ --namespace foo \
+ . | tee /dev/stderr |
+ yq '.webhooks[0].failurePolicy' | tee /dev/stderr)
+ [ "${actual}" = "null" ]
+}
+
+@test "injector/MutatingWebhookConfiguration: can set failurePolicy" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/injector-mutating-webhook.yaml \
+ --set 'injector.enabled=true' \
+ --set 'injector.failurePolicy=Fail' \
+ . | tee /dev/stderr |
+ yq '.webhooks[0].failurePolicy' | tee /dev/stderr)
+
+ [ "${actual}" = "\"Fail\"" ]
+}
diff --git a/values.yaml b/values.yaml
index 538cb3a..11a7315 100644
--- a/values.yaml
+++ b/values.yaml
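Review bot: The new `failurePolicy: {{.}}` line emits whatever string the user supplies, so a typo such as `fail` or `ignore` is only caught by the API server at install or upgrade time, after the rest of the release has been rendered; since this field decides whether pods are admitted without the injected agent when the webhook is down, it is worth failing at template time instead. Inside the `with` block, before the `failurePolicy:` line, add `{{- if not (has . (list "Ignore" "Fail")) }}` / `{{- fail (printf "injector.failurePolicy must be Ignore or Fail, got %q" .) }}` / `{{- end }}`. When the value is unset the API server applies its own default, which differs between admissionregistration.k8s.io/v1 (`Fail`) and v1beta1 (`Ignore`); the apiVersion line is above this hunk, so confirm which default applies and consider stating it in a comment next to the `with`. The enclosing `{{ if }}` blocks that the two context `{{ end }}` lines close begin outside the hunk.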
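Review bot: The two new bats tests render the same template with different flag sets — the "empty by default" test passes `--namespace foo` and the "can set failurePolicy" test does not — which makes the pair read as if the namespace mattered to the assertion when nothing in either test depends on it. Pick one form for both, for example drop `--namespace foo` from the first test so the only difference between them is the `--set 'injector.failurePolicy=Fail'` line. The `with` guard in the template treats an empty string the same as an unset value, so a third case asserting `null` for `--set 'injector.failurePolicy='` would pin that behaviour if it is intended.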
@@ -70,6 +70,12 @@ injector:
 # sidecar-injector: enabled
 namespaceSelector: {}
+ # Configures failurePolicy of the webhook. By default webhook failures are ignored.
+ # To block pod creation while webhook is unavailable, set the policy to `Fail` below.
+ # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
+ #
+ # failurePolcy: Fail
+
 certs:
 # secretName is the name of the secret that has the TLS certificate and
 # private key to serve the injector webhook. If this is null, then the
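Review bot: The commented example key is misspelled — `# failurePolcy: Fail` — so a user who uncomments it sets an unused value and the webhook silently keeps the API server default, which is exactly the failure mode this option exists to control; change it to `# failurePolicy: Fail` (the template reads `.Values.injector.failurePolicy`). The claim "By default webhook failures are ignored" is only true when the MutatingWebhookConfiguration is served as admissionregistration.k8s.io/v1beta1; under v1 the API server defaults to `Fail`, so verify which apiVersion the template declares and word the comment accordingly. It would also help operators to spell out the trade-off in one sentence, e.g. `# Ignore: pods are created without the injected agent if the webhook is unavailable; Fail: pod creation is blocked until it recovers.`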