{{- /*
TLS material for the admission webhook and the Secret that stores it.
$k8sMinor and $certs are also referenced by the MutatingWebhookConfiguration
documents further down in this file, so both are defined once, up here.
*/ -}}
{{- $k8sMinor := (include "k8s-version-minor" .) -}}
{{- /* Service DNS names the certificate has to cover, from short name to cluster FQDN. */ -}}
{{- $svcName := printf "%s-svc" .Chart.Name -}}
{{- $svcFqdn := printf "%s.%s.svc" $svcName .Release.Namespace -}}
{{- $altNames := list $svcName (printf "%s.%s" $svcName .Release.Namespace) $svcFqdn (printf "%s.cluster.local" $svcFqdn) -}}
{{- /*
Freshly generated self-signed pair: in-cluster service name as CN, no IP SANs,
36500 days (~100 years) of validity. Whether it is actually used is decided
per field below; on every render a new pair is generated and then discarded if
installed material exists, so the chart itself never rotates the key --
rotation presumably means clearing whatever getInstalledTLSCert/Key read.
*/ -}}
{{- $certs := genSelfSignedCert $svcFqdn nil $altNames 36500 -}}
{{- /*
Secret with the webhook's serving certificate and key under the conventional
tls.crt / tls.key keys. Already installed material (non-empty result of
"getInstalledTLSCert" / "getInstalledTLSKey") takes precedence over the
generated pair, so an upgrade does not swap the key out from under the running
webhook and the caBundle registered with the API server stays valid.
*/ -}}
apiVersion: v1
kind: Secret
metadata:
  name: {{ .Chart.Name }}-tls
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "helm.labels" . | nindent 4 }}
type: Opaque
data:
  tls.crt: {{ include "getInstalledTLSCert" . | default ($certs.Cert | b64enc) }}
  tls.key: {{ include "getInstalledTLSKey" . | default ($certs.Key | b64enc) }}
---
{{- /*
Teardown webhook. A post-delete hook (Argo CD: PreSync) registers it under the
same name as the enforcing webhook in the next document, with an empty rule set
and failurePolicy Ignore, so it overwrites the enforcing configuration while the
hook runs; the hook-delete-policy then removes it again. Presumably this is what
keeps admission working once the chart's service is gone -- confirm against the
chart documentation.
*/ -}}
{{- $legacyAdmissionApi := lt ($k8sMinor | int) 17 }}
apiVersion: {{ $legacyAdmissionApi | ternary "admissionregistration.k8s.io/v1beta1" "admissionregistration.k8s.io/v1" }}
kind: MutatingWebhookConfiguration
metadata:
  name: {{ .Chart.Name }}-webhook
  labels:
    {{- include "helm.labels" . | nindent 4 }}
  annotations:
    {{- if .Values.deployment.isArgoCD }}
    "argocd.argoproj.io/hook": PreSync
    "argocd.argoproj.io/hook-delete-policy": BeforeHookCreation, HookSucceeded, HookFailed
    {{- else }}
    "helm.sh/hook": post-delete
    "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed
    {{- end }}
webhooks:
  - name: {{ .Chart.Name }}-svc.{{ .Release.Namespace }}.svc
    {{- /* Ignore: this placeholder must never cause the API server to reject requests. */}}
    failurePolicy: Ignore
    reinvocationPolicy: {{ .Values.deployment.reinvocationPolicy | default "Never" }}
    clientConfig:
      service:
        name: {{ .Chart.Name }}-svc
        namespace: {{ .Release.Namespace }}
        path: /mutate
      caBundle: {{ include "getInstalledTLSCert" . | default ($certs.Cert | b64enc) }}
    {{- /* Empty rule set: this configuration intercepts nothing. */}}
    rules: []
    sideEffects: None
    admissionReviewVersions: [{{ $legacyAdmissionApi | ternary "v1beta1" "v1" | quote }}]
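---
{{- /*
Enforcing webhook. Post-install/upgrade/rollback hooks (Argo CD: PostSync)
register it under the same name as the teardown configuration above, i.e. only
once the chart's service exists. Presumably the hook ordering is what prevents a
fail-closed webhook from being registered before its backend can answer --
confirm against the chart documentation.
*/ -}}
{{- $useV1beta1 := lt ($k8sMinor | int) 17 }}
{{- if $useV1beta1 }}
apiVersion: admissionregistration.k8s.io/v1beta1
{{- else }}
apiVersion: admissionregistration.k8s.io/v1
{{- end }}
kind: MutatingWebhookConfiguration
metadata:
  name: {{ .Chart.Name }}-webhook
  labels:
    {{- include "helm.labels" . | nindent 4 }}
  annotations:
    {{- if .Values.deployment.isArgoCD }}
    "argocd.argoproj.io/hook": PostSync
    {{- else }}
    "helm.sh/hook": post-install, post-upgrade, post-rollback
    {{- end }}
webhooks:
  - name: {{ .Chart.Name }}-svc.{{ .Release.Namespace }}.svc
    {{- /*
    Fail (the default) is fail-closed: when the webhook cannot be reached or
    times out, the API server rejects the request rather than admitting it
    unverified. Setting Ignore turns an outage of the service into a silent
    bypass of image verification.
    */}}
    failurePolicy: {{ .Values.deployment.failurePolicy | default "Fail" }}
    reinvocationPolicy: {{ .Values.deployment.reinvocationPolicy | default "Never" }}
    clientConfig:
      service:
        name: {{ .Chart.Name }}-svc
        namespace: {{ .Release.Namespace }}
        path: /mutate
      {{- /*
      The API server verifies the webhook's serving certificate against this
      bundle; the expression is the same as the Secret's tls.crt so that both
      always carry the same self-signed certificate.
      */}}
      caBundle: {{ include "getInstalledTLSCert" . | default ($certs.Cert | b64enc) }}
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: ["*"]
        apiVersions: ["*"]
        {{- /*
        Workload controllers are intercepted in addition to pods unless
        automaticChildApproval.enabled is explicitly false (an absent
        automaticChildApproval block means the full list).
        */}}
        {{- $interceptControllers := true -}}
        {{- if .Values.automaticChildApproval -}}
          {{- $interceptControllers = .Values.automaticChildApproval.enabled -}}
        {{- end }}
        {{- if $interceptControllers }}
        resources: ["pods", "deployments", "replicationcontrollers", "replicasets", "daemonsets", "statefulsets", "jobs", "cronjobs"]
        {{- else }}
        resources: ["pods"]
        {{- end }}
    sideEffects: None
    {{- if gt ($k8sMinor | int) 13 }}
    {{- /* 30 is the maximum the API server accepts for this field; it is only emitted for minors above 13. */}}
    timeoutSeconds: 30
    {{- end }}
    {{- if $useV1beta1 }}
    admissionReviewVersions: ["v1beta1"]
    {{- else }}
    admissionReviewVersions: ["v1"]
    {{- end }}
    {{- if .Values.namespacedValidation }}
    {{- if .Values.namespacedValidation.enabled }}
    {{- /*
    Namespace scoping via the securesystemsengineering.connaisseur/webhook
    label. "ignore" (also the behaviour when mode is unset) validates every
    namespace except those labelled ignore; "validate" validates only the
    namespaces labelled validate. Any other value is rejected at render time
    instead of emitting a matchExpression without an operator, which the API
    server would refuse anyway but with a far less helpful message.
    */}}
    {{- $nsMode := .Values.namespacedValidation.mode | default "ignore" | toString -}}
    {{- if eq $nsMode "ignore" }}
    namespaceSelector:
      matchExpressions:
        - key: securesystemsengineering.connaisseur/webhook
          operator: NotIn
          values:
            - ignore
    {{- else if eq $nsMode "validate" }}
    namespaceSelector:
      matchExpressions:
        - key: securesystemsengineering.connaisseur/webhook
          operator: In
          values:
            - validate
    {{- else }}
    {{- fail (printf "namespacedValidation.mode must be 'ignore' or 'validate', got %q" $nsMode) }}
    {{- end }}
    {{- end }}
    {{- end }}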