From 94adad83358e2db400558a03747684e9a58e2d02 Mon Sep 17 00:00:00 2001 From: Yong Wen Chua Date: Mon, 7 Dec 2020 23:18:25 +0800 Subject: [PATCH] Update mutating webhook API Version (#408) * Update mutating webhook API Version * Set to ignore by default * Remove extra `-` * Add required fields --- templates/injector-mutating-webhook.yaml | 8 ++++++++ test/unit/injector-mutating-webhook.bats | 4 ++-- values.yaml | 5 +++-- 3 files changed, 13 insertions(+), 4 deletions(-) diff --git a/templates/injector-mutating-webhook.yaml b/templates/injector-mutating-webhook.yaml index db8c337..df28dc8 100644 --- a/templates/injector-mutating-webhook.yaml +++ b/templates/injector-mutating-webhook.yaml @@ -1,5 +1,9 @@ {{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }} +apiVersion: admissionregistration.k8s.io/v1 +{{- else }} apiVersion: admissionregistration.k8s.io/v1beta1 +{{- end }} kind: MutatingWebhookConfiguration metadata: name: {{ template "vault.fullname" . }}-agent-injector-cfg @@ -9,6 +13,10 @@ metadata: app.kubernetes.io/managed-by: {{ .Release.Service }} webhooks: - name: vault.hashicorp.com + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" clientConfig: service: name: {{ template "vault.fullname" . }}-agent-injector-svc diff --git a/test/unit/injector-mutating-webhook.bats b/test/unit/injector-mutating-webhook.bats index 9668227..bb307f8 100755 --- a/test/unit/injector-mutating-webhook.bats +++ b/test/unit/injector-mutating-webhook.bats @@ -76,7 +76,7 @@ load _helpers [ "${actual}" = "true" ] } -@test "injector/MutatingWebhookConfiguration: failurePolicy empty by default" { +@test "injector/MutatingWebhookConfiguration: failurePolicy 'Ignore' by default" { cd `chart_dir` local actual=$(helm template \ --show-only templates/injector-mutating-webhook.yaml \ 
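Review bot: The `.Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1"` switch at the top of the template makes the rendered object depend on the capability set Helm sees, and the only version-dependent default this commit pins is `failurePolicy`. As far as I know v1 also changes the server-side defaults for `matchPolicy` (Exact becomes Equivalent) and `timeoutSeconds` (30 becomes 10), so the same chart can match and time out differently on two clusters. Setting both fields explicitly on the webhook entry would remove that drift. A template comment above the switch would help too, e.g. `{{- /* prefer v1 when the cluster serves it; v1beta1 is kept for older clusters */ -}}`. An offline `helm template` render uses Helm's built-in capabilities rather than the target cluster's, so rendered manifests may not match what an install produces. Only the head of the template is inside this hunk.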
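Review bot: `admissionReviewVersions` lists `"v1beta1"` before `"v1"`, and the API server uses the first listed version it supports, so the injector keeps receiving v1beta1 reviews even where the v1 configuration is rendered. Listing `"v1"` also declares that the injector can decode v1 AdmissionReview objects, which nothing in this patch shows. If the deployed injector cannot decode them, the calls would start failing on a cluster that no longer sends v1beta1. With the new `Ignore` default, such pods would then be admitted without injection rather than rejected. I would confirm the injector version and add a comment such as `# order is preference: the API server uses the first version it supports`. `sideEffects: None` is likewise a claim about the webhook's behaviour and deserves a one-line comment saying the injector only mutates the pod under review.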
@@ -84,7 +84,7 @@ load _helpers --namespace foo \ . | tee /dev/stderr | yq '.webhooks[0].failurePolicy' | tee /dev/stderr) - [ "${actual}" = "null" ] + [ "${actual}" = "\"Ignore\"" ] } @test "injector/MutatingWebhookConfiguration: can set failurePolicy" { diff --git a/values.yaml b/values.yaml index 002c038..4293cf4 100644 --- a/values.yaml +++ b/values.yaml @@ -70,11 +70,12 @@ injector: # sidecar-injector: enabled namespaceSelector: {} - # Configures failurePolicy of the webhook. By default webhook failures are ignored. + # Configures failurePolicy of the webhook. The "unspecified" default behaviour deoends on the + # API Version of the WebHook. # To block pod creation while webhook is unavailable, set the policy to `Fail` below. # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy # - # failurePolcy: Fail + failurePolicy: Ignore certs: # secretName is the name of the secret that has the TLS certificate and
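Review bot: The suite gains no coverage for the new capability switch: this hunk only updates the default `failurePolicy` expectation. Nothing visible asserts `.apiVersion`, `.webhooks[0].sideEffects` or `.webhooks[0].admissionReviewVersions`. I would add a case that renders with `--api-versions admissionregistration.k8s.io/v1` and checks `yq -r '.apiVersion'`, plus one asserting `.webhooks[0].sideEffects` is `None`. Which branch a plain `helm template` takes depends on Helm's built-in capability list, so the v1beta1 branch may go unexercised unless the tests pin it. The test body this assertion belongs to starts in the previous hunk.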
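Review bot: With `failurePolicy: Ignore` now set explicitly, injection fails open on both API versions, but the rewritten comment dropped the sentence that said failures are ignored and never states what the chart default means. While the injector is unreachable, pods that request injection are admitted without the Vault agent. Suggested wording: `# Configures failurePolicy of the webhook. The chart sets Ignore: if the injector is unreachable, pods are admitted without the Vault agent.` followed by `# If the value is removed, Kubernetes applies Ignore for v1beta1 and Fail for v1.`, which also fixes the `deoends` typo. Since `namespaceSelector: {}` just above appears to match every namespace, the `Fail` line could add that it blocks pod creation wherever the webhook applies while the injector is down.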