fix: scope of webhook configurations #3676

Open
wants to merge 4 commits into
base: master
2 changes: 2 additions & 0 deletions cmd/build/helmify/replacements.go
Expand Up @@ -173,6 +173,7 @@ var replacements = map[string]string{
- services/proxy
- nodes/proxy
- services/status
scope: 'Namespaced'
Contributor

Let's not modify existing behavior. Can you use helm to conditionally set the field separately?

Author

I am reading it from the values now, what do you think?

{{- end }}`,
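Review bot: Hardcoding `scope: 'Namespaced'` as the last line of this rule, just before `{{- end }}`, changes what every chart user gets by default. The Kubernetes admission API defaults a rule's `scope` to `*`, so with this line cluster-scoped objects stop matching the rule and are no longer sent to the webhook. Make the value configurable with a default of `*` so existing installs keep their current behavior.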

"HELMSUBST_MUTATING_WEBHOOK_CLIENT_CONFIG: \"\"": `{{- if .Values.mutatingWebhookURL }}
Expand Down Expand Up @@ -258,6 +259,7 @@ var replacements = map[string]string{
- 'nodes/proxy'
# For constraints that mitigate CVE-2020-8554
- 'services/status'
scope: 'Namespaced'
{{- end }}`,

"HELMSUBST_MUTATING_WEBHOOK_MATCH_CONDITIONS": `{{ toYaml .Values.mutatingWebhookMatchConditions | nindent 4 }}`,
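Review bot: The rule that carries the comment `# For constraints that mitigate CVE-2020-8554` now ends with a fixed `scope: 'Namespaced'`, which narrows what the webhook is asked to check. Requests for cluster-scoped resources (Namespace objects included) stop matching this rule, so unless another rule covers them, constraints written against those resources are skipped at admission without any error. Keep the default of `*` unless the operator opts in, or call the narrowing out in the upgrade notes so operators can review their constraints first.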
52 changes: 52 additions & 0 deletions config/crd/bases/gvkmanifest.gatekeeper.sh_gvkmanifests.yaml
plavy marked this conversation as resolved.
@@ -0,0 +1,52 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: gvkmanifests.gvkmanifest.gatekeeper.sh
spec:
group: gvkmanifest.gatekeeper.sh
names:
kind: GVKManifest
listKind: GVKManifestList
plural: gvkmanifests
singular: gvkmanifest
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: GVKManifest is the Schema for the GVKManifest API.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
properties:
groups:
additionalProperties:
additionalProperties:
items:
type: string
type: array
type: object
type: object
type: object
type: object
served: true
storage: true
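Review bot: This new 52-line CRD for `gvkmanifests.gvkmanifest.gatekeeper.sh` does not relate to the PR title, "fix: scope of webhook configurations", and none of the other visible hunks refer to it. If it came from regenerating manifests (the annotation shows controller-gen v0.14.0), drop it from this PR or send it separately. If it stays, `spec.groups` needs a description: the nested `additionalProperties` maps of string arrays do not say what the keys mean.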
Expand Up @@ -79,6 +79,7 @@ webhooks:
- services/proxy
- nodes/proxy
- services/status
scope: 'Namespaced'
{{- end }}
sideEffects: None
timeoutSeconds: {{ .Values.mutatingWebhookTimeoutSeconds }}
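Review bot: Style point on the added `scope: 'Namespaced'`: the neighboring entries in this template are unquoted (`- services/proxy`, `- nodes/proxy`), so `scope: Namespaced` would be consistent here. This template also repeats the literal added in `cmd/build/helmify/replacements.go`, so any follow-up that reads the scope from values has to change both places together to keep the rendered chart and its generator in agreement.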
Expand Up @@ -87,6 +87,7 @@ webhooks:
- 'nodes/proxy'
# For constraints that mitigate CVE-2020-8554
- 'services/status'
scope: 'Namespaced'
{{- end }}
sideEffects: None
timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }}
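Review bot: The added `scope: 'Namespaced'` has no comment, while the entry directly above it explains itself (`# For constraints that mitigate CVE-2020-8554`). Add a one-line comment saying why the validating rule is limited to namespaced resources, because the effect on cluster-scoped objects is not obvious from the template.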