fix(webhook) exclude Helm Secrets

Helm charts with webhooks that handle Secrets run into an issue that prevents changes after an action that enables the webhook: helm/helm#10023 Because Helm's Secret for release information is subject to the webhook, Kubernetes will attempt to validate it, likely before the webhook service comes online (because Helm just created the Pod that will provide it). If the service is not online, validation fails, and Helm cannot update its Secret to mark the release status, usually leaving it stuck in a pending state that blocks future interactions. This change excludes Helm Secrets from our validation, because we have no need to validate them.
Kong · Nov 24, 2021 · 4ebfe8d · 4ebfe8d
1 parent 91d93fa
commit 4ebfe8d
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/charts/kong/templates/admission-webhook.yaml b/charts/kong/templates/admission-webhook.yaml
@@ -34,6 +34,9 @@ metadata:
     {{- include "kong.metaLabels" . | nindent 4 }}
 webhooks:
 - name: validations.kong.konghq.com
+  objectSelector:
+    matchLabels:
+      owner: !helm
   failurePolicy: {{ .Values.ingressController.admissionWebhook.failurePolicy }}
   sideEffects: None
   admissionReviewVersions: ["v1beta1"]