zalando-incubator · gargravarr · Aug 23, 2023 · Aug 7, 2023 · Aug 8, 2023 · Aug 15, 2023
diff --git a/cluster/manifests/01-admission-control/routegroups-webhook.yaml b/cluster/manifests/01-admission-control/routegroups-webhook.yaml
@@ -1,11 +1,12 @@
-{{ if eq .Cluster.ConfigItems.routegroups_validation "enabled" }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
-  name: "routegroup-admitter.teapot.zalan.do"
+  name: "skipper-admitter.teapot.zalan.do"
   labels:
-    application: routegroups-admission-webhook
+    application: skipper-ingress
+    component: webhook
 webhooks:
+{{ if eq .Cluster.ConfigItems.routegroups_validation "enabled" }}
   - name: "routegroup-admitter.teapot.zalan.do"
     rules:
       - operations: ["CREATE", "UPDATE"]
@@ -19,3 +20,15 @@ webhooks:
     sideEffects: None
     timeoutSeconds: 5
 {{ end }}
+  - name: "ingress-admitter.teapot.zalan.do"
+    rules:
+      - operations: ["CREATE", "UPDATE"]
+        apiGroups: ["networking.k8s.io"]
+        apiVersions: ["v1"]
+        resources: ["ingresses"]
+    clientConfig:
+      url: "https://localhost:9085/ingresses"
+      caBundle: "{{ .ConfigItems.ca_cert_decompressed }}"
+    admissionReviewVersions: ["v1"]
+    sideEffects: None
+    timeoutSeconds: 5 
diff --git a/cluster/manifests/deletions.yaml b/cluster/manifests/deletions.yaml
@@ -1,8 +1,10 @@
 # everything defined under here will be deleted before applying the manifests
 pre_apply:
+- name: "skipper-admitter.teapot.zalan.do"
+  kind: ValidatingWebhookConfiguration
 {{ if ne .Cluster.ConfigItems.routegroups_validation "enabled" }}
 - name: "routegroup-admitter.teapot.zalan.do"
-  kind: ValidatingWebhookConfiguration
+  kind: ValidatingWebhookConfiguration 
 {{ end }}
 - name: cronjob-monitor
   namespace: kube-system

diff --git a/cluster/node-pools/master-default/userdata.yaml b/cluster/node-pools/master-default/userdata.yaml
@@ -241,9 +241,8 @@ write_files:
             - mountPath: /etc/kubernetes/admission-controller-kubeconfig
               name: admission-controller-kubeconfig
               readOnly: true
-{{- if or (eq .Cluster.ConfigItems.routegroups_validation "provisioned") (eq .Cluster.ConfigItems.routegroups_validation "enabled") }}
-        - name: routegroups-admission-webhook
-          image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/skipper:v0.16.167
+        - name: skipper-admission-webhook
+          image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/skipper:v0.17.1
           args:
             - webhook
             - --address=:9085
@@ -270,7 +269,6 @@ write_files:
             - mountPath: /etc/kubernetes/ssl
               name: ssl-certs-kubernetes
               readOnly: true
-{{- end}}
         - image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/k8s-authnz-webhook:master-127
           name: webhook
           ports:
@@ -491,7 +489,7 @@ write_files:
               -> disableAccessLog()
               -> setPath("/metrics")
               -> "http://127.0.0.1:8081";
-            routegroups_admission_webhook: Path("/routegroups-admission-webhook")
+            skipper_admission_webhook: Path("/skipper-admission-webhook")
               -> disableAccessLog()
               -> setPath("/metrics")
               -> "https://127.0.0.1:9085";