diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 29364aa..3e936f7 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -353,6 +353,21 @@ Sets extra injector service annotations
 {{- end }}
 {{- end -}}
+{{/*
+Sets extra injector webhook annotations
+*/}}
+{{- define "injector.webhookAnnotations" -}}
+ {{- if .Values.injector.webhookAnnotations }}
+ annotations:
+ {{- $tp := typeOf .Values.injector.webhookAnnotations }}
+ {{- if eq $tp "string" }}
+ {{- tpl .Values.injector.webhookAnnotations . | nindent 4 }}
+ {{- else }}
+ {{- toYaml .Values.injector.webhookAnnotations | nindent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
+
 {{/*
 Sets extra ui service annotations
 */}}
diff --git a/templates/injector-mutating-webhook.yaml b/templates/injector-mutating-webhook.yaml
index abe23aa..de7dd56 100644
--- a/templates/injector-mutating-webhook.yaml
+++ b/templates/injector-mutating-webhook.yaml
@@ -11,6 +11,7 @@ metadata:
 app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
+ {{- template "injector.webhookAnnotations" . }}
 webhooks:
 - name: vault.hashicorp.com
 sideEffects: None
diff --git a/test/unit/injector-mutating-webhook.bats b/test/unit/injector-mutating-webhook.bats
index 65f505b..1e6e150 100755
--- a/test/unit/injector-mutating-webhook.bats
+++ b/test/unit/injector-mutating-webhook.bats
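Review bot: The string branch of `injector.webhookAnnotations` passes the value through `tpl` with the context handed to the helper, so any template action inside that string is evaluated at render time, and the helper comment does not say so. I would extend the comment to something like `Sets extra injector webhook annotations. A string value is rendered with tpl before use; a map is emitted as-is.` and repeat that beside `webhookAnnotations: {}` in values.yaml, whose comment only says "Extra annotations to attach to the webhook". Pipelines that merge values from more than one source should treat this key as template input rather than plain data. The fixed `nindent 4` keeps the rendered lines nested under `annotations:`, but a string that does not render to a mapping is only caught when the manifest is parsed.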
@@ -121,3 +121,35 @@ load _helpers
 [ "${actual}" = "\"Fail\"" ]
 }
+
+#--------------------------------------------------------------------
+# annotations
+
+@test "injector/MutatingWebhookConfiguration: default annotations" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/injector-mutating-webhook.yaml \
+ . | tee /dev/stderr |
+ yq -r '.metadata.annotations' | tee /dev/stderr)
+ [ "${actual}" = "null" ]
+}
+
+@test "injector/MutatingWebhookConfiguration: specify annotations yaml" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/injector-mutating-webhook.yaml \
+ --set 'injector.webhookAnnotations.foo=bar' \
+ . | tee /dev/stderr |
+ yq -r '.metadata.annotations.foo' | tee /dev/stderr)
+ [ "${actual}" = "bar" ]
+}
+
+@test "injector/MutatingWebhookConfiguration: specify annotations yaml string" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --show-only templates/injector-mutating-webhook.yaml \
+ --set 'injector.webhookAnnotations=foo: bar' \
+ . | tee /dev/stderr |
+ yq -r '.metadata.annotations.foo' | tee /dev/stderr)
+ [ "${actual}" = "bar" ]
+}
diff --git a/values.schema.json b/values.schema.json
index bd07137..c159c01 100644
--- a/values.schema.json
+++ b/values.schema.json
@@ -357,6 +357,12 @@
 "array",
 "string"
 ]
+ },
+ "webhookAnnotations": {
+ "type": [
+ "object",
+ "string"
+ ]
 }
 }
 },
diff --git a/values.yaml b/values.yaml
index 4c358ce..26bb7e9 100644
--- a/values.yaml
+++ b/values.yaml
@@ -119,6 +119,9 @@ injector:
 # failurePolicy: Ignore
+ # Extra annotations to attach to the webhook
+ webhookAnnotations: {}
+
 certs:
 # secretName is the name of the secret that has the TLS certificate and
 # private key to serve the injector webhook. If this is null, then the
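Review bot: None of the three new tests exercises the reason the string branch exists, namely a string value containing a template action that `tpl` has to expand. The "specify annotations yaml string" case passes `foo: bar`, which would pass just as well if the helper printed the string verbatim. I would add a fourth case that supplies a string referencing a release value such as `{{ .Release.Name }}` and asserts the expanded annotation, so a regression in the `tpl` branch shows up here.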
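Review bot: The new `webhookAnnotations` schema entry accepts any object, but Kubernetes annotation values must be strings, so a map entry that `--set` parses as a boolean or number would pass chart validation and only be rejected by the API server. Adding `"additionalProperties": { "type": "string" }` next to `"type"` would make the failure surface at `helm` validation time; the keyword only constrains the object form, so the string form is unaffected. The sibling entries visible in this hunk are not constrained this way, so if that is deliberate a short remark in values.yaml about quoting values would serve instead.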
@@ -126,9 +129,10 @@ injector:
 # a service account to the injector to generate its own certificates.
 secretName: null
- # caBundle is a base64-encoded PEM-encoded certificate bundle for the
- # CA that signed the TLS certificate that the webhook serves. This must
- # be set if secretName is non-null.
+ # caBundle is a base64-encoded PEM-encoded certificate bundle for the CA
+ # that signed the TLS certificate that the webhook serves. This must be set
+ # if secretName is non-null, unless an external service like cert-manager is
+ # keeping the caBundle updated.
 caBundle: ""
 # certName and keyName are the names of the files within the secret for
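Review bot: The relaxed wording makes `caBundle: ""` acceptable alongside a non-null `secretName`, but it does not say how the external service is expected to find the webhook. I would add a line such as `# (for cert-manager, set its CA-injection annotation through injector.webhookAnnotations)` so the two settings are connected for the reader. It may also be worth stating that until the bundle is populated the API server cannot verify the injector's serving certificate, so admission calls fall back to whatever `failurePolicy` says. Whether an upgrade re-renders an empty `caBundle` over the injected one depends on the webhook template, which is not visible in this hunk.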