Add configurable failurePolicy for injector's webhook (#400)

Fixes #399

templates/injector-mutating-webhook.yaml

@@ -24,4 +24,7 @@ webhooks:
     namespaceSelector:
 {{ toYaml .Values.injector.namespaceSelector | indent 6}}
 {{ end }}
+{{- with .Values.injector.failurePolicy }}
+    failurePolicy: {{.}}
+{{ end }}
 {{ end }}

test/unit/injector-mutating-webhook.bats

@@ -75,3 +75,26 @@ load _helpers
 
   [ "${actual}" = "true" ]
 }
+
+@test "injector/MutatingWebhookConfiguration: failurePolicy empty by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/injector-mutating-webhook.yaml  \
+      --set 'injector.enabled=true' \
+      --namespace foo \
+      . | tee /dev/stderr |
+      yq '.webhooks[0].failurePolicy' | tee /dev/stderr)
+  [ "${actual}" = "null" ]
+}
+
+@test "injector/MutatingWebhookConfiguration: can set failurePolicy" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/injector-mutating-webhook.yaml  \
+      --set 'injector.enabled=true' \
+      --set 'injector.failurePolicy=Fail' \
+      . | tee /dev/stderr |
+      yq '.webhooks[0].failurePolicy' | tee /dev/stderr)
+
+  [ "${actual}" = "\"Fail\"" ]
+}

values.yaml

@@ -70,6 +70,12 @@ injector:
   #      sidecar-injector: enabled
   namespaceSelector: {}
 
+  # Configures failurePolicy of the webhook. By default webhook failures are ignored. 
+  # To block pod creation while webhook is unavailable, set the policy to `Fail` below.
+  # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
+  #
+  # failurePolcy: Fail
+
   certs:
     # secretName is the name of the secret that has the TLS certificate and
     # private key to serve the injector webhook. If this is null, then the