Add injector.webhookAnnotations chart option (#584)

templates/_helpers.tpl

@@ -353,6 +353,21 @@ Sets extra injector service annotations
   {{- end }}
 {{- end -}}
 
+{{/*
+Sets extra injector webhook annotations
+*/}}
+{{- define "injector.webhookAnnotations" -}}
+  {{- if .Values.injector.webhookAnnotations }}
+  annotations:
+    {{- $tp := typeOf .Values.injector.webhookAnnotations }}
+    {{- if eq $tp "string" }}
+      {{- tpl .Values.injector.webhookAnnotations . | nindent 4 }}
+    {{- else }}
+      {{- toYaml .Values.injector.webhookAnnotations | nindent 4 }}
+    {{- end }}
+  {{- end }}
+{{- end -}}
+
 {{/*
 Sets extra ui service annotations
 */}}

templates/injector-mutating-webhook.yaml

@@ -11,6 +11,7 @@ metadata:
     app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
+  {{- template "injector.webhookAnnotations" . }}
 webhooks:
   - name: vault.hashicorp.com
     sideEffects: None

test/unit/injector-mutating-webhook.bats

@@ -121,3 +121,35 @@ load _helpers
 
   [ "${actual}" = "\"Fail\"" ]
 }
+
+#--------------------------------------------------------------------
+# annotations
+
+@test "injector/MutatingWebhookConfiguration: default annotations" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/injector-mutating-webhook.yaml \
+      . | tee /dev/stderr |
+      yq -r '.metadata.annotations' | tee /dev/stderr)
+  [ "${actual}" = "null" ]
+}
+
+@test "injector/MutatingWebhookConfiguration: specify annotations yaml" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/injector-mutating-webhook.yaml \
+      --set 'injector.webhookAnnotations.foo=bar' \
+      . | tee /dev/stderr |
+      yq -r '.metadata.annotations.foo' | tee /dev/stderr)
+  [ "${actual}" = "bar" ]
+}
+
+@test "injector/MutatingWebhookConfiguration: specify annotations yaml string" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/injector-mutating-webhook.yaml \
+      --set 'injector.webhookAnnotations=foo: bar' \
+      . | tee /dev/stderr |
+      yq -r '.metadata.annotations.foo' | tee /dev/stderr)
+  [ "${actual}" = "bar" ]
+}

values.schema.json

@@ -357,6 +357,12 @@
                         "array",
                         "string"
                     ]
+                },
+                "webhookAnnotations": {
+                    "type": [
+                        "object",
+                        "string"
+                    ]
                 }
             }
         },

values.yaml

@@ -119,6 +119,9 @@ injector:
   #
   failurePolicy: Ignore
 
+  # Extra annotations to attach to the webhook
+  webhookAnnotations: {}
+
   certs:
     # secretName is the name of the secret that has the TLS certificate and
     # private key to serve the injector webhook. If this is null, then the
@@ -126,9 +129,10 @@ injector:
     # a service account to the injector to generate its own certificates.
     secretName: null
 
-    # caBundle is a base64-encoded PEM-encoded certificate bundle for the
+    # caBundle is a base64-encoded PEM-encoded certificate bundle for the CA
-    # CA that signed the TLS certificate that the webhook serves. This must
+    # that signed the TLS certificate that the webhook serves. This must be set
-    # be set if secretName is non-null.
+    # if secretName is non-null, unless an external service like cert-manager is
+    # keeping the caBundle updated.
     caBundle: ""
 
     # certName and keyName are the names of the files within the secret for