From 712208aa42ce3d67c0ef84d1d535d32044c38412 Mon Sep 17 00:00:00 2001
From: Bruno Bressi <52347078+puffitos@users.noreply.github.com>
Date: Thu, 14 Nov 2024 09:22:38 +0100
Subject: [PATCH] More configuration options for the validatingwebhookconfiguration (#64)
* chore: complete validatingwebhookconfiguration
The validating webhook configuration is missing some fields, which are automatically completed by k8s. Those missing fields can sometimes mess up gitops operators, which strictly check which fields are present or not
Signed-off-by: Bruno Bressi
* chore: added more fields & default values
Signed-off-by: Bruno Bressi
* fix: readded objectSelector in the correct place
Signed-off-by: Bruno Bressi
* chore: bumped to stable
Signed-off-by: Bruno Bressi
* chore: removed unneeded docker variables
Signed-off-by: Bruno Bressi
---------
Signed-off-by: Bruno Bressi
---
 Dockerfile | 1 -
 Makefile | 13 +++++++++++++
 chart/Chart.yaml | 14 +++++++-------
 chart/templates/admission.yaml | 5 +++++
 chart/values.yaml | 3 +++
 5 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 139073fd..4130f64e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,3 @@
-# build stage
 FROM golang:1.23 AS build-env
 WORKDIR /app
 COPY . /app
diff --git a/Makefile b/Makefile
index eb6a832d..bf8a1694 100644
--- a/Makefile
+++ b/Makefile
@@ -74,3 +74,16 @@ e2e-cleanup:
 @k3d cluster delete cosign-tests || echo "Deleting cosign tests k3d cluster failed. Continuing..."
 @rm -f cosign.pub cosign.key second.pub second.key || echo "Removing files failed. Continuing..."
 @echo "Done."
+
+#############
+### CHART ###
+#############
+
+.PHONY: chart-lint chart
+chart-lint:
+ @echo "Linting chart..."
+ @helm lint chart
+
+chart:
+ @echo "Packaging chart..."
+ @helm package chart
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
index d076a526..3ddca801 100644
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
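Review bot: The new `chart` target packages the chart without running `chart-lint` first, so `make chart` can produce a release artifact from a chart that fails lint. Declaring the dependency, `chart: chart-lint`, keeps the two targets in step, and `helm lint --strict chart` in `chart-lint` would make the lint step fail on warnings as well as errors. The `e2e-cleanup` recipe the hunk attaches to starts outside the hunk.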
@@ -2,12 +2,12 @@ apiVersion: v2
 name: cosignwebhook
 description: A Helm chart for Cosign Webhook Admission Controller
 type: application
-version: 4.1.0
+version: 4.1.1
 appVersion: "4.3.0"
 maintainers:
- - name: eumel8
- email: f.kloeker@telekom.de
- url: https://www.telekom.com
- - name: puffitos
- email: bruno.bressi@telekom.de
- url: https://www.telekom.com
+- name: eumel8
+ email: f.kloeker@telekom.de
+ url: https://www.telekom.com
+- name: puffitos
+ email: bruno.bressi@telekom.de
+ url: https://www.telekom.com
diff --git a/chart/templates/admission.yaml b/chart/templates/admission.yaml
index aa556438..b054ef32 100644
--- a/chart/templates/admission.yaml
+++ b/chart/templates/admission.yaml
@@ -21,6 +21,7 @@ webhooks:
 - admissionReviewVersions:
 - v1
 name: {{ .Values.admission.webhook.name }}
+ matchPolicy: {{ .Values.admission.matchPolicy }}
 namespaceSelector:
 matchExpressions:
 - key: kubernetes.io/metadata.name
@@ -31,11 +32,15 @@ webhooks:
 name: {{ include "cosignwebhook.fullname" . }}
 namespace: {{ .Release.Namespace | default "default" }}
 path: "/validate"
+ port: 443
 caBundle: {{ $ca.Cert | b64enc }}
 rules:
 - operations: ["CREATE","UPDATE"]
 apiGroups: [""]
 apiVersions: ["v1"]
 resources: ["pods"]
+ scope: "*"
+ objectSelector: {}
 failurePolicy: {{ .Values.admission.failurePolicy }}
 sideEffects: {{ .Values.admission.sideEffects }}
+ timeoutSeconds: {{ .Values.admission.timeoutSeconds }}
diff --git a/chart/values.yaml b/chart/values.yaml
index d181ffa5..a51ab235 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -25,6 +25,9 @@ admission:
 name: webhook.example.com
 # list of excluded namespaces, comma-separated
 # exclude: default, kube-system, cattle-system
+ exclude: ""
+ matchPolicy: Equivalent
+ timeoutSeconds: 10
 podAnnotations: {}
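Review bot: The added `matchPolicy: {{ .Values.admission.matchPolicy }}` renders as a bare `matchPolicy:` (YAML null) whenever a user supplies a values file without that key, and the API server then fills in its default — exactly the field drift against GitOps tooling this commit sets out to remove. The same applies to `timeoutSeconds: {{ .Values.admission.timeoutSeconds }}` in the second hunk of this file. Giving both a rendered fallback, `matchPolicy: {{ .Values.admission.matchPolicy | default "Equivalent" }}` and `timeoutSeconds: {{ .Values.admission.timeoutSeconds | default 10 }}`, keeps the manifest complete regardless of the values supplied. The `webhooks:` list item these lines belong to starts outside the hunk.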
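Review bot: `timeoutSeconds` now bounds how long the API server waits for this webhook, and what happens when it expires is decided by the `failurePolicy` line two above it: with `Ignore` a slow or unavailable webhook admits the pod without any signature check, with `Fail` it blocks the pod instead. Since that interaction is the whole security posture of the webhook, it deserves a comment next to the new field, e.g. `# on timeout the request is resolved by failurePolicy (Ignore admits the pod unverified)`. Separately, `port: 443` is hard-coded while the Service name beside it is templated via `cosignwebhook.fullname`; if the Service's port is configurable elsewhere in the chart, sourcing both from the same value avoids a silent mismatch that only surfaces as admission timeouts. The `clientConfig` mapping these lines sit in starts outside the hunk.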
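Review bot: The new `matchPolicy` and `timeoutSeconds` keys have no comment, while the neighbouring `exclude` key documents its format; one line each, `# matchPolicy: Exact or Equivalent - whether rules also match requests sent via equivalent API versions` and `# timeoutSeconds: 1-30; on expiry the request is resolved by failurePolicy`, would tell operators what they are tuning. Because this webhook gates pod admission, it is worth stating next to `timeoutSeconds` that under `failurePolicy: Ignore` a timeout admits the pod without verification, so the default of 10 is a trade-off rather than a free value. The `admission:` mapping these keys extend starts outside the hunk, so the current `failurePolicy` default is not visible here.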