From 035836a9f54c227157d8d91ea2963401d5a07d31 Mon Sep 17 00:00:00 2001 From: Travis Raines <571832+rainest@users.noreply.github.com> Date: Wed, 8 May 2024 02:18:38 -0700 Subject: [PATCH] feat(admission) add secret filter (#1061) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Grzegorz BurzyƄski --- charts/kong/CHANGELOG.md | 10 +++ charts/kong/README.md | 1 + charts/kong/ci/.chartsnap.yaml | 2 + .../__snapshots__/custom-labels-values.snap | 53 ++++++++++- .../kong/ci/__snapshots__/default-values.snap | 53 ++++++++++- .../__snapshots__/kong-ingress-1-values.snap | 53 ++++++++++- .../__snapshots__/kong-ingress-2-values.snap | 53 ++++++++++- .../__snapshots__/kong-ingress-3-values.snap | 53 ++++++++++- .../__snapshots__/kong-ingress-4-values.snap | 53 ++++++++++- .../kong-ingress-5-3.1-rbac-values.snap | 53 ++++++++++- .../proxy-appprotocol-values.snap | 53 ++++++++++- .../ci/__snapshots__/service-account.snap | 53 ++++++++++- .../single-image-default-values.snap | 53 ++++++++++- .../kong/ci/__snapshots__/test1-values.snap | 53 ++++++++++- .../kong/ci/__snapshots__/test2-values.snap | 53 ++++++++++- .../kong/ci/__snapshots__/test5-values.snap | 53 ++++++++++- charts/kong/ci/test2-values.yaml | 1 + charts/kong/templates/admission-webhook.yaml | 90 ++++++++++++++++++- charts/kong/values.yaml | 1 + 19 files changed, 777 insertions(+), 17 deletions(-) diff --git a/charts/kong/CHANGELOG.md b/charts/kong/CHANGELOG.md index 63ded3833..1189420fd 100644 --- a/charts/kong/CHANGELOG.md +++ b/charts/kong/CHANGELOG.md 
@@ -11,6 +11,16 @@ for use when the external Service and container listens should differ, such as when terminating TLS at a LoadBalancer. [#1021](https://github.com/Kong/charts/pull/1021) +* Added an `ingressController.admissionWebhook.filterSecrets` option. When + enabled, the webhook will only validate Secrets that have one of the + recognized KIC labels: + + * `konghq.com/credential: <"key-auth", "jwt", etc. credential types>` + * `konghq.com/validate: <"plugin", "custom">` + + Earlier versions checked all Secrets and did not require labels, interfering + with non-KIC labels. Requires KIC 3.0+. + [#1061](https://github.com/Kong/charts/pull/1061) ## 2.38.0 diff --git a/charts/kong/README.md b/charts/kong/README.md index 3c5f3da05..b6d92c1b7 100644 --- a/charts/kong/README.md +++ b/charts/kong/README.md @@ -751,6 +751,7 @@ section of `values.yaml` file: | watchNamespaces | List of namespaces to watch. Watches all namespaces if empty | [] | | admissionWebhook.enabled | Whether to enable the validating admission webhook | true | | admissionWebhook.failurePolicy | How unrecognized errors from the admission endpoint are handled (Ignore or Fail) | Ignore | +| admissionWebhook.filterSecrets | Limit the webhook to only Secrets with the appropriate KIC validation labels. | false | | admissionWebhook.port | The port the ingress controller will listen on for admission webhooks | 8080 | | admissionWebhook.address | The address the ingress controller will listen on for admission webhooks, if not 0.0.0.0 | | | admissionWebhook.annotations | Annotations for the Validation Webhook Configuration | | diff --git a/charts/kong/ci/.chartsnap.yaml b/charts/kong/ci/.chartsnap.yaml index 110e0b269..b5a7c27fe 100644 --- a/charts/kong/ci/.chartsnap.yaml +++ b/charts/kong/ci/.chartsnap.yaml @@ -24,3 +24,5 @@ dynamicFields: name: chartsnap-kong-validations jsonPath: - /webhooks/0/clientConfig/caBundle + - /webhooks/1/clientConfig/caBundle + - /webhooks/2/clientConfig/caBundle 
diff --git a/charts/kong/ci/__snapshots__/custom-labels-values.snap b/charts/kong/ci/__snapshots__/custom-labels-values.snap index e73c0c346..0b4dedb3d 100644 --- a/charts/kong/ci/__snapshots__/custom-labels-values.snap +++ b/charts/kong/ci/__snapshots__/custom-labels-values.snap @@ -854,6 +854,58 @@ metadata: name: chartsnap-kong-validations namespace: default webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: secrets.credentials.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: konghq.com/credential + operator: Exists + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: secrets.plugins.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None - admissionReviewVersions: - v1beta1 clientConfig: @@ -890,7 +942,6 @@ webhooks: - CREATE - UPDATE resources: - - secrets - services - apiGroups: - networking.k8s.io diff --git a/charts/kong/ci/__snapshots__/default-values.snap b/charts/kong/ci/__snapshots__/default-values.snap index 54e4ee155..efab6fa60 100644 --- a/charts/kong/ci/__snapshots__/default-values.snap +++ b/charts/kong/ci/__snapshots__/default-values.snap 
@@ -846,6 +846,58 @@ metadata: name: chartsnap-kong-validations namespace: default webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: secrets.credentials.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: konghq.com/credential + operator: Exists + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: secrets.plugins.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None - admissionReviewVersions: - v1beta1 clientConfig: @@ -882,7 +934,6 @@ webhooks: - CREATE - UPDATE resources: - - secrets - services - apiGroups: - networking.k8s.io diff --git a/charts/kong/ci/__snapshots__/kong-ingress-1-values.snap b/charts/kong/ci/__snapshots__/kong-ingress-1-values.snap index 5b5c55d64..bd215b591 100644 --- a/charts/kong/ci/__snapshots__/kong-ingress-1-values.snap +++ b/charts/kong/ci/__snapshots__/kong-ingress-1-values.snap 
@@ -875,6 +875,58 @@ metadata: name: chartsnap-kong-validations namespace: default webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: secrets.credentials.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: konghq.com/credential + operator: Exists + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: secrets.plugins.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None - admissionReviewVersions: - v1beta1 clientConfig: @@ -911,7 +963,6 @@ webhooks: - CREATE - UPDATE resources: - - secrets - services - apiGroups: - networking.k8s.io diff --git a/charts/kong/ci/__snapshots__/kong-ingress-2-values.snap b/charts/kong/ci/__snapshots__/kong-ingress-2-values.snap index 0275e9e04..8c4910d73 100644 --- a/charts/kong/ci/__snapshots__/kong-ingress-2-values.snap +++ b/charts/kong/ci/__snapshots__/kong-ingress-2-values.snap 
@@ -877,6 +877,58 @@ metadata: name: chartsnap-kong-validations namespace: default webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: secrets.credentials.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: konghq.com/credential + operator: Exists + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: secrets.plugins.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None - admissionReviewVersions: - v1beta1 clientConfig: @@ -913,7 +965,6 @@ webhooks: - CREATE - UPDATE resources: - - secrets - services - apiGroups: - networking.k8s.io diff --git a/charts/kong/ci/__snapshots__/kong-ingress-3-values.snap b/charts/kong/ci/__snapshots__/kong-ingress-3-values.snap index 80e4ed5b1..442738396 100644 --- a/charts/kong/ci/__snapshots__/kong-ingress-3-values.snap +++ b/charts/kong/ci/__snapshots__/kong-ingress-3-values.snap 
@@ -864,6 +864,58 @@ metadata: name: chartsnap-kong-validations namespace: default webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: secrets.credentials.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: konghq.com/credential + operator: Exists + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: secrets.plugins.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None - admissionReviewVersions: - v1beta1 clientConfig: @@ -900,7 +952,6 @@ webhooks: - CREATE - UPDATE resources: - - secrets - services - apiGroups: - networking.k8s.io diff --git a/charts/kong/ci/__snapshots__/kong-ingress-4-values.snap b/charts/kong/ci/__snapshots__/kong-ingress-4-values.snap index 7cc685071..fbcabaab2 100644 --- a/charts/kong/ci/__snapshots__/kong-ingress-4-values.snap +++ b/charts/kong/ci/__snapshots__/kong-ingress-4-values.snap 
@@ -917,6 +917,58 @@ metadata: name: chartsnap-kong-validations namespace: default webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: secrets.credentials.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: konghq.com/credential + operator: Exists + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: secrets.plugins.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None - admissionReviewVersions: - v1beta1 clientConfig: @@ -953,7 +1005,6 @@ webhooks: - CREATE - UPDATE resources: - - secrets - services - apiGroups: - networking.k8s.io diff --git a/charts/kong/ci/__snapshots__/kong-ingress-5-3.1-rbac-values.snap b/charts/kong/ci/__snapshots__/kong-ingress-5-3.1-rbac-values.snap index b8b61c170..2f4dd0430 100644 --- a/charts/kong/ci/__snapshots__/kong-ingress-5-3.1-rbac-values.snap +++ b/charts/kong/ci/__snapshots__/kong-ingress-5-3.1-rbac-values.snap 
@@ -846,6 +846,58 @@ metadata: name: chartsnap-kong-validations namespace: default webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: secrets.credentials.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: konghq.com/credential + operator: Exists + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: secrets.plugins.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None - admissionReviewVersions: - v1beta1 clientConfig: @@ -882,7 +934,6 @@ webhooks: - CREATE - UPDATE resources: - - secrets - services - apiGroups: - networking.k8s.io diff --git a/charts/kong/ci/__snapshots__/proxy-appprotocol-values.snap b/charts/kong/ci/__snapshots__/proxy-appprotocol-values.snap index 570846774..e408dcfc4 100644 --- a/charts/kong/ci/__snapshots__/proxy-appprotocol-values.snap +++ b/charts/kong/ci/__snapshots__/proxy-appprotocol-values.snap 
@@ -842,6 +842,58 @@ metadata: name: chartsnap-kong-validations namespace: default webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: secrets.credentials.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: konghq.com/credential + operator: Exists + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: secrets.plugins.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None - admissionReviewVersions: - v1beta1 clientConfig: @@ -878,7 +930,6 @@ webhooks: - CREATE - UPDATE resources: - - secrets - services - apiGroups: - networking.k8s.io diff --git a/charts/kong/ci/__snapshots__/service-account.snap b/charts/kong/ci/__snapshots__/service-account.snap index 7a81a623e..9f16dedef 100644 --- a/charts/kong/ci/__snapshots__/service-account.snap +++ b/charts/kong/ci/__snapshots__/service-account.snap 
@@ -840,6 +840,58 @@ metadata: name: chartsnap-kong-validations namespace: default webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: secrets.credentials.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: konghq.com/credential + operator: Exists + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: secrets.plugins.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None - admissionReviewVersions: - v1beta1 clientConfig: @@ -876,7 +928,6 @@ webhooks: - CREATE - UPDATE resources: - - secrets - services - apiGroups: - networking.k8s.io diff --git a/charts/kong/ci/__snapshots__/single-image-default-values.snap b/charts/kong/ci/__snapshots__/single-image-default-values.snap index 8c7a35a5b..12e973f69 100644 --- a/charts/kong/ci/__snapshots__/single-image-default-values.snap +++ b/charts/kong/ci/__snapshots__/single-image-default-values.snap 
@@ -846,6 +846,58 @@ metadata: name: chartsnap-kong-validations namespace: default webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: secrets.credentials.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: konghq.com/credential + operator: Exists + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: secrets.plugins.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None - admissionReviewVersions: - v1beta1 clientConfig: @@ -882,7 +934,6 @@ webhooks: - CREATE - UPDATE resources: - - secrets - services - apiGroups: - networking.k8s.io diff --git a/charts/kong/ci/__snapshots__/test1-values.snap b/charts/kong/ci/__snapshots__/test1-values.snap index 6c24c1589..5cebe34c1 100644 --- a/charts/kong/ci/__snapshots__/test1-values.snap +++ b/charts/kong/ci/__snapshots__/test1-values.snap 
@@ -933,6 +933,58 @@ metadata: name: chartsnap-kong-validations namespace: default webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: secrets.credentials.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: konghq.com/credential + operator: Exists + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: secrets.plugins.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None - admissionReviewVersions: - v1beta1 clientConfig: @@ -969,7 +1021,6 @@ webhooks: - CREATE - UPDATE resources: - - secrets - services - apiGroups: - networking.k8s.io diff --git a/charts/kong/ci/__snapshots__/test2-values.snap b/charts/kong/ci/__snapshots__/test2-values.snap index 58a8dc023..539f71052 100644 --- a/charts/kong/ci/__snapshots__/test2-values.snap +++ b/charts/kong/ci/__snapshots__/test2-values.snap 
@@ -1563,6 +1563,58 @@ metadata: name: chartsnap-kong-validations namespace: default webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: secrets.credentials.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: konghq.com/credential + operator: Exists + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None + timeoutSeconds: 5 + - admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: secrets.plugins.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: konghq.com/validate + operator: Exists + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None + timeoutSeconds: 5 - admissionReviewVersions: - v1beta1 clientConfig: @@ -1599,7 +1651,6 @@ webhooks: - CREATE - UPDATE resources: - - secrets - services - apiGroups: - networking.k8s.io diff --git a/charts/kong/ci/__snapshots__/test5-values.snap b/charts/kong/ci/__snapshots__/test5-values.snap index c8ad34bba..fd3bf6a02 100644 --- a/charts/kong/ci/__snapshots__/test5-values.snap +++ b/charts/kong/ci/__snapshots__/test5-values.snap 
@@ -1471,6 +1471,58 @@ metadata: name: chartsnap-kong-validations namespace: default webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: secrets.credentials.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: konghq.com/credential + operator: Exists + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: secrets.plugins.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None - admissionReviewVersions: - v1beta1 clientConfig: @@ -1507,7 +1559,6 @@ webhooks: - CREATE - UPDATE resources: - - secrets - services - apiGroups: - networking.k8s.io diff --git a/charts/kong/ci/test2-values.yaml b/charts/kong/ci/test2-values.yaml index ba77b5cb7..ddcc6fd9f 100644 --- a/charts/kong/ci/test2-values.yaml +++ b/charts/kong/ci/test2-values.yaml @@ -9,6 +9,7 @@ ingressController: admissionWebhook: enabled: true timeoutSeconds: 5 + filterSecrets: true env: anonymous_reports: "false" envFrom: diff --git a/charts/kong/templates/admission-webhook.yaml b/charts/kong/templates/admission-webhook.yaml index 979f1c0ab..1f121eff0 100644 --- a/charts/kong/templates/admission-webhook.yaml +++ b/charts/kong/templates/admission-webhook.yaml 
@@ -41,6 +41,91 @@ metadata:
 {{- end }}
 {{- end }}
 webhooks:
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ {{- if not .Values.ingressController.admissionWebhook.certificate.provided }}
+ caBundle: {{ b64enc $caCert }}
+ {{- else }}
+ {{- if .Values.ingressController.admissionWebhook.certificate.caBundle }}
+ caBundle: {{ b64enc .Values.ingressController.admissionWebhook.certificate.caBundle }}
+ {{- end }}
+ {{- end }}
+ service:
+ name: {{ template "kong.service.validationWebhook" . }}
+ namespace: {{ template "kong.namespace" . }}
+ failurePolicy: {{ .Values.ingressController.admissionWebhook.failurePolicy }}
+ matchPolicy: Equivalent
+ name: secrets.credentials.validation.ingress-controller.konghq.com
+ {{- with .Values.ingressController.admissionWebhook.namespaceSelector }}
+ namespaceSelector:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.ingressController.admissionWebhook.timeoutSeconds }}
+ timeoutSeconds: {{ . }}
+ {{- end }}
+ objectSelector:
+ matchExpressions:
+ - key: "konghq.com/credential"
+ operator: "Exists"
+ rules:
+ - apiGroups:
+ - ""
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - secrets
+ sideEffects: None
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ {{- if not .Values.ingressController.admissionWebhook.certificate.provided }}
+ caBundle: {{ b64enc $caCert }}
+ {{- else }}
+ {{- if .Values.ingressController.admissionWebhook.certificate.caBundle }}
+ caBundle: {{ b64enc .Values.ingressController.admissionWebhook.certificate.caBundle }}
+ {{- end }}
+ {{- end }}
+ service:
+ name: {{ template "kong.service.validationWebhook" . }}
+ namespace: {{ template "kong.namespace" . }}
+ failurePolicy: {{ .Values.ingressController.admissionWebhook.failurePolicy }}
+ matchPolicy: Equivalent
+ name: secrets.plugins.validation.ingress-controller.konghq.com
+ {{- with .Values.ingressController.admissionWebhook.namespaceSelector }}
+ namespaceSelector:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.ingressController.admissionWebhook.timeoutSeconds }}
+ timeoutSeconds: {{ . }}
+ {{- end }}
+ {{- if .Values.ingressController.admissionWebhook.filterSecrets }}
+ objectSelector:
+ matchExpressions:
+ - key: "konghq.com/validate"
+ operator: "Exists"
+ {{- else }}
+ objectSelector:
+ matchExpressions:
+ - key: owner
+ operator: NotIn
+ values:
+ - helm
+ {{- end }}
+ rules:
+ - apiGroups:
+ - ""
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - secrets
+ sideEffects: None
 - name: validations.kong.konghq.com
 {{- with .Values.ingressController.admissionWebhook.namespaceSelector }}
 namespaceSelector:
@@ -75,18 +160,15 @@ webhooks:
 {{- if (semverCompare ">= 2.8.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
 - kongingresses
 {{- end }}
+{{- if (semverCompare ">= 3.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
 - apiGroups:
 - ''
 apiVersions:
 - 'v1'
 operations:
-{{- if (semverCompare ">= 2.12.1" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
 - CREATE
-{{- end }}
 - UPDATE
 resources:
- - secrets
-{{- if (semverCompare ">= 3.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
 - services
 {{- end }}
 {{- if (semverCompare ">= 2.12.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
diff --git a/charts/kong/values.yaml b/charts/kong/values.yaml
index 0829fcba6..b4e7aabb5 100644
--- a/charts/kong/values.yaml
+++ b/charts/kong/values.yaml
@@ -582,6 +582,7 @@ ingressController:
 admissionWebhook:
 enabled: true
+ filterSecrets: false
 failurePolicy: Ignore
 port: 8080
 certificate:
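Review bot: The two new Secret webhooks are emitted unconditionally, while this patch's CHANGELOG says the label filter needs KIC 3.0+ and the second hunk in this same file already gates the `services` rule with `semverCompare ">= 3.0.0"`; a chart rendered for an older controller image will therefore route `konghq.com/credential`-labelled Secrets to an admission endpoint that may not recognise that label. Wrapping both new list entries in `{{- if (semverCompare ">= 3.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}` … `{{- end }}` would make the version contract explicit in the template rather than only in docs. A comment above the `filterSecrets` branch is also warranted: the objectSelector is evaluated on labels chosen by whoever writes the Secret, so with `filterSecrets: true` a Secret that lacks `konghq.com/validate` is simply never sent for validation — the option reduces webhook traffic, it is not an enforcement boundary, and the shared `failurePolicy` (default `Ignore`) applies to both new entries. The `webhooks:` list continues past the end of this hunk.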
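Review bot: Removing `secrets` from the legacy `validations.kong.konghq.com` rule also removes the `semverCompare ">= 2.12.1"` guard that previously limited Secret admission to UPDATE on older controllers, and neither new Secret webhook in the previous hunk carries it — they send CREATE and UPDATE for every non-helm-owned Secret regardless of the controller version. If that guard existed because pre-2.12.1 controllers mishandle CREATE reviews, the same guard belongs around the CREATE entry of both new webhooks, e.g. `{{- if (semverCompare ">= 2.12.1" (include "kong.effectiveVersion" .Values.ingressController.image)) }}` / `- CREATE` / `{{- end }}`; if it is intentionally dropped, the CHANGELOG should say so. The enclosing rules list begins before this hunk.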
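Review bot: `filterSecrets: false` is added to values.yaml without a comment, unlike the README row added in the same patch, so a reader of the values file cannot tell what is filtered or that the option needs KIC 3.0+. A one-line comment above it would close the gap: `# When true, only Secrets labelled konghq.com/credential or konghq.com/validate are sent to the admission webhook (KIC 3.0+); when false, every Secret not owned by helm is validated.` The enclosing `admissionWebhook:` mapping starts before this hunk.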