-
Notifications
You must be signed in to change notification settings - Fork 593
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore(config) use a patch to add Secret hooks
Split the webhook manifest into the generated manifest and additional rule patches. Kubebuilder limitations require writing your own rules to use objectSelectors. Remove the kubebuilder Secret hook generation directive and document the workaround. Refactor the envtest runner to build a webhook manifest via Kustomize, rather than reading a static manifest.
- Loading branch information
Showing
6 changed files
with
76 additions
and
56 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,58 @@ | ||
# https://github.com/kubernetes-sigs/controller-tools/issues/553 | ||
# controller-tools, and by extension kubebuilder, do not support specifying objectSelector, | ||
# which we need for the Secret rules. | ||
apiVersion: admissionregistration.k8s.io/v1 | ||
kind: ValidatingWebhookConfiguration | ||
metadata: | ||
name: validating-webhook-configuration | ||
webhooks: | ||
- admissionReviewVersions: | ||
- v1 | ||
clientConfig: | ||
service: | ||
name: webhook-service | ||
namespace: system | ||
path: / | ||
failurePolicy: Fail | ||
matchPolicy: Equivalent | ||
name: secrets.credentials.validation.ingress-controller.konghq.com | ||
objectSelector: | ||
matchExpressions: | ||
- key: "konghq.com/credential" | ||
operator: "Exists" | ||
rules: | ||
- apiGroups: | ||
- "" | ||
apiVersions: | ||
- v1 | ||
operations: | ||
- CREATE | ||
- UPDATE | ||
resources: | ||
- secrets | ||
sideEffects: None | ||
- admissionReviewVersions: | ||
- v1 | ||
clientConfig: | ||
service: | ||
name: webhook-service | ||
namespace: system | ||
path: / | ||
failurePolicy: Fail | ||
matchPolicy: Equivalent | ||
name: secrets.plugins.validation.ingress-controller.konghq.com | ||
objectSelector: | ||
matchExpressions: | ||
- key: "konghq.com/validate" | ||
operator: "Exists" | ||
rules: | ||
- apiGroups: | ||
- "" | ||
apiVersions: | ||
- v1 | ||
operations: | ||
- CREATE | ||
- UPDATE | ||
resources: | ||
- secrets | ||
sideEffects: None |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
resources: | ||
- manifests.yaml | ||
|
||
patchesStrategicMerge: | ||
- additional_secret_hooks.yaml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters