Commit

feat: add reinvocationPolicy config to the MutatingWebhookConfiguration Chart Config (#1844)

* add reinvocationPolicy config to the MutatingWebhookConfiguration. Leaves the default as Never which is the Kubernetes default set today

Signed-off-by: Mitchell Maler <mitchell.maler@live.com>

* revert change

Signed-off-by: Mitchell Maler <mitchell.maler@live.com>

* run make manifests

Signed-off-by: Mitchell Maler <mitchell.maler@live.com>

Co-authored-by: Rita Zhang <rita.z.zhang@gmail.com>
mitchellmaler and ritazh committed Feb 24, 2022
1 parent b8bf07f commit 6efe4af
Showing 7 changed files with 8 additions and 0 deletions.
1 change: 1 addition & 0 deletions cmd/build/helmify/kustomize-for-helm.yaml
Expand Up @@ -198,6 +198,7 @@ webhooks:
namespace: gatekeeper-system
path: /v1/mutate
failurePolicy: HELMSUBST_MUTATING_WEBHOOK_FAILURE_POLICY
reinvocationPolicy: HELMSUBST_MUTATING_WEBHOOK_REINVOCATION_POLICY
rules:
- HELMSUBST_MUTATING_WEBHOOK_OPERATION_RULES
matchPolicy: Exact
2 changes: 2 additions & 0 deletions cmd/build/helmify/replacements.go
Expand Up @@ -57,6 +57,8 @@ var replacements = map[string]string{

"HELMSUBST_MUTATING_WEBHOOK_FAILURE_POLICY": `{{ .Values.mutatingWebhookFailurePolicy }}`,

"HELMSUBST_MUTATING_WEBHOOK_REINVOCATION_POLICY": `{{ .Values.mutatingWebhookReinvocationPolicy }}`,

"- HELMSUBST_MUTATING_WEBHOOK_EXEMPT_NAMESPACE_LABELS": `
{{- range $key, $value := .Values.mutatingWebhookExemptNamespacesLabels}}
- key: {{ $key }}
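Review bot: the new `HELMSUBST_MUTATING_WEBHOOK_REINVOCATION_POLICY` replacement passes `.Values.mutatingWebhookReinvocationPolicy` into the manifest with no validation. Kubernetes accepts only `Never` and `IfNeeded` for `reinvocationPolicy`, so a typo in a values override surfaces only when the API server rejects the MutatingWebhookConfiguration at install or upgrade. Consider failing at render time (a template `fail` guard or a values schema entry restricted to the two values); the `HELMSUBST_MUTATING_WEBHOOK_FAILURE_POLICY` replacement just above has the same gap and could be covered in the same pass.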
1 change: 1 addition & 0 deletions cmd/build/helmify/static/README.md
Expand Up @@ -92,6 +92,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
| enableExternalData | Enable external data (alpha feature) | `false` |
| enableTLSHealthcheck | Enable probing webhook API with certificate stored in certDir | `false` |
| mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook | `Ignore` |
| mutatingWebhookReinvocationPolicy | The reinvocationPolicy for the mutating webhook | `Never` |
| mutatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the mutating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` |
| mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` |
| mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` |
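Review bot: the new `mutatingWebhookReinvocationPolicy` row states the default but not the accepted values or what changing it does. Suggest extending the description to name both options (`Never`, `IfNeeded`) and to say that `IfNeeded` lets the API server call the mutating webhook again when another admission plugin modifies the object after the first call. The same row is copied into manifest_staging/charts/gatekeeper/README.md, so the wording only needs fixing here and regenerating.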
1 change: 1 addition & 0 deletions cmd/build/helmify/static/values.yaml
Expand Up @@ -14,6 +14,7 @@ enableDeleteOperations: false
enableExternalData: false
enableTLSHealthcheck: false
mutatingWebhookFailurePolicy: Ignore
mutatingWebhookReinvocationPolicy: Never
mutatingWebhookExemptNamespacesLabels: {}
mutatingWebhookTimeoutSeconds: 3
mutatingWebhookCustomRules: {}
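Review bot: `mutatingWebhookReinvocationPolicy: Never` keeps the Kubernetes default, as the commit message says, but the values file gives operators no hint of the trade-off. With `Never` the webhook is called once per admission evaluation, so content added by a mutating webhook that runs later (an injected sidecar container, for instance) is not passed back through Gatekeeper's mutators; `IfNeeded` asks the API server to re-invoke in that case. A one-line comment above the key listing the two values and this difference would help anyone relying on mutation for security defaults choose deliberately.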
1 change: 1 addition & 0 deletions manifest_staging/charts/gatekeeper/README.md
Expand Up @@ -92,6 +92,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
| enableExternalData | Enable external data (alpha feature) | `false` |
| enableTLSHealthcheck | Enable probing webhook API with certificate stored in certDir | `false` |
| mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook | `Ignore` |
| mutatingWebhookReinvocationPolicy | The reinvocationPolicy for the mutating webhook | `Never` |
| mutatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the mutating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` |
| mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` |
| mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` |
Expand Up @@ -31,6 +31,7 @@ webhooks:
operator: NotIn
value: {{ $value }}
{{- end }}
reinvocationPolicy: {{ .Values.mutatingWebhookReinvocationPolicy }}
rules:
{{- if .Values.mutatingWebhookCustomRules }}
{{- toYaml .Values.mutatingWebhookCustomRules | nindent 2 }}
1 change: 1 addition & 0 deletions manifest_staging/charts/gatekeeper/values.yaml
Expand Up @@ -14,6 +14,7 @@ enableDeleteOperations: false
enableExternalData: false
enableTLSHealthcheck: false
mutatingWebhookFailurePolicy: Ignore
mutatingWebhookReinvocationPolicy: Never
mutatingWebhookExemptNamespacesLabels: {}
mutatingWebhookTimeoutSeconds: 3
mutatingWebhookCustomRules: {}
