feat(admission) add secret filter (#1061)

Co-authored-by: Grzegorz Burzyński <czeslavo@gmail.com>
Kong · May 8, 2024 · 035836a · 035836a
1 parent e2ed787
commit 035836a
Show file tree

Hide file tree

Showing 19 changed files with 777 additions and 17 deletions.
diff --git a/charts/kong/CHANGELOG.md b/charts/kong/CHANGELOG.md
@@ -11,6 +11,16 @@
   for use when the external Service and container listens should differ, such
   as when terminating TLS at a LoadBalancer.
   [#1021](https://github.com/Kong/charts/pull/1021)
+* Added an `ingressController.admissionWebhook.filterSecrets` option. When
+  enabled, the webhook will only validate Secrets that have one of the
+  recognized KIC labels:
+
+  * `konghq.com/credential: <"key-auth", "jwt", etc. credential types>`
+  * `konghq.com/validate: <"plugin", "custom">`
+
+  Earlier versions checked all Secrets and did not require labels, interfering
+  with non-KIC labels. Requires KIC 3.0+.
+  [#1061](https://github.com/Kong/charts/pull/1061)
 
 ## 2.38.0
 

diff --git a/charts/kong/README.md b/charts/kong/README.md
@@ -751,6 +751,7 @@ section of `values.yaml` file:
 | watchNamespaces                            | List of namespaces to watch. Watches all namespaces if empty                                                                                             | []                                 |
 | admissionWebhook.enabled                   | Whether to enable the validating admission webhook                                                                                                       | true                               |
 | admissionWebhook.failurePolicy             | How unrecognized errors from the admission endpoint are handled (Ignore or Fail)                                                                         | Ignore                             |
+| admissionWebhook.filterSecrets             | Limit the webhook to only Secrets with the appropriate KIC validation labels.                                                                            | false                              |
 | admissionWebhook.port                      | The port the ingress controller will listen on for admission webhooks                                                                                    | 8080                               |
 | admissionWebhook.address                   | The address the ingress controller will listen on for admission webhooks, if not 0.0.0.0                                                                 |                                    |
 | admissionWebhook.annotations               | Annotations for the Validation Webhook Configuration                                                                                                     |                                    |

diff --git a/charts/kong/ci/.chartsnap.yaml b/charts/kong/ci/.chartsnap.yaml
@@ -24,3 +24,5 @@ dynamicFields:
     name: chartsnap-kong-validations
     jsonPath:
       - /webhooks/0/clientConfig/caBundle
+      - /webhooks/1/clientConfig/caBundle
+      - /webhooks/2/clientConfig/caBundle
diff --git a/charts/kong/ci/__snapshots__/custom-labels-values.snap b/charts/kong/ci/__snapshots__/custom-labels-values.snap
diff --git a/charts/kong/ci/__snapshots__/default-values.snap b/charts/kong/ci/__snapshots__/default-values.snap
diff --git a/charts/kong/ci/__snapshots__/kong-ingress-1-values.snap b/charts/kong/ci/__snapshots__/kong-ingress-1-values.snap
diff --git a/charts/kong/ci/__snapshots__/kong-ingress-2-values.snap b/charts/kong/ci/__snapshots__/kong-ingress-2-values.snap
diff --git a/charts/kong/ci/__snapshots__/kong-ingress-3-values.snap b/charts/kong/ci/__snapshots__/kong-ingress-3-values.snap