feat: set reinvocationPolicy: IfNeeded for webhook (#794)

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Azure · Mar 15, 2023 · a2c807b · a2c807b
1 parent 245f593
commit a2c807b
Show file tree

Hide file tree

Showing 4 changed files with 4 additions and 1 deletion.
diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml
@@ -16,6 +16,7 @@ webhooks:
   failurePolicy: Fail
   matchPolicy: Equivalent
   name: mutation.azure-workload-identity.io
+  reinvocationPolicy: IfNeeded
   rules:
   - apiGroups:
     - ""

diff --git a/...mplates/azure-wi-webhook-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml b/...mplates/azure-wi-webhook-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
@@ -25,6 +25,7 @@ webhooks:
   objectSelector:
     matchLabels:
       azure.workload.identity/use: "true"
+  reinvocationPolicy: IfNeeded
   rules:
   - apiGroups:
     - ""

diff --git a/manifest_staging/deploy/azure-wi-webhook.yaml b/manifest_staging/deploy/azure-wi-webhook.yaml
@@ -254,6 +254,7 @@ webhooks:
   objectSelector:
     matchLabels:
       azure.workload.identity/use: "true"
+  reinvocationPolicy: IfNeeded
   rules:
   - apiGroups:
     - ""

diff --git a/pkg/webhook/webhook.go b/pkg/webhook/webhook.go
@@ -32,7 +32,7 @@ var (
 	ProxyImageVersion string
 )
 
-// +kubebuilder:webhook:path=/mutate-v1-pod,mutating=true,failurePolicy=fail,groups="",resources=pods,verbs=create,versions=v1,name=mutation.azure-workload-identity.io,sideEffects=None,admissionReviewVersions=v1;v1beta1,matchPolicy=Equivalent
+// +kubebuilder:webhook:path=/mutate-v1-pod,mutating=true,failurePolicy=fail,groups="",resources=pods,verbs=create,versions=v1,name=mutation.azure-workload-identity.io,sideEffects=None,admissionReviewVersions=v1;v1beta1,matchPolicy=Equivalent,reinvocationPolicy=IfNeeded
 // +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch
 
 // this is required for the webhook server certs generated and rotated as part of cert-controller rotator