From 8fbf1aee37e630322169b2b00d0fb676f0ce87a0 Mon Sep 17 00:00:00 2001
From: Ori Rawlings
Date: Mon, 12 Oct 2020 12:01:56 -0500
Subject: [PATCH] Add configurable failurePolicy for injector's webhook

Fixes #399
---
 templates/injector-mutating-webhook.yaml | 3 +++
 values.yaml | 6 ++++++
 2 files changed, 9 insertions(+)

diff --git a/templates/injector-mutating-webhook.yaml b/templates/injector-mutating-webhook.yaml
index 141798686..db8c337d7 100644
--- a/templates/injector-mutating-webhook.yaml
+++ b/templates/injector-mutating-webhook.yaml
@@ -24,4 +24,7 @@ webhooks:
 namespaceSelector:
 {{ toYaml .Values.injector.namespaceSelector | indent 6}}
 {{ end }}
+{{- with .Values.injector.failurePolicy }}
+ failurePolicy: {{.}}
+{{ end }}
 {{ end }}
diff --git a/values.yaml b/values.yaml
index 538cb3a4f..11a7315d4 100644
--- a/values.yaml
+++ b/values.yaml
@@ -70,6 +70,12 @@ injector:
 # sidecar-injector: enabled
 namespaceSelector: {}
 
+ # Configures failurePolicy of the webhook. By default webhook failures are ignored.
+ # To block pod creation while webhook is unavailable, set the policy to `Fail` below.
+ # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
+ #
+ # failurePolcy: Fail
+
 certs:
 # secretName is the name of the secret that has the TLS certificate and
 # private key to serve the injector webhook. If this is null, then the
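Review bot: When `injector.failurePolicy` is unset, the added `with` block omits the field, so the effective policy is whatever the API server defaults to for the webhook's `apiVersion`, which is not visible in this hunk. `admissionregistration.k8s.io/v1beta1` defaults to `Ignore` (fail-open), while `v1` defaults to `Fail`. Because this setting decides whether pods are admitted without injection while the injector is down, I would render it unconditionally with a pinned default, for example `failurePolicy: {{ .Values.injector.failurePolicy | default "Ignore" | quote }}`, so a later API-version bump cannot silently flip the behaviour. The value is also emitted unquoted and unchecked; only `Ignore` and `Fail` are valid, and any other value is rejected only at install time. The enclosing `{{ if }}` blocks open outside the hunk.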
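Review bot: The commented example that closes the added block is misspelled: `# failurePolcy: Fail` should read `# failurePolicy: Fail`. An operator who uncomments it as written sets a key the template never reads. Unless the chart validates values against a schema (none is visible here), Helm accepts it silently, so the webhook keeps its default policy while the operator believes pod creation is blocked when the injector is unavailable. The sentence "By default webhook failures are ignored" holds only where the API default is `Ignore`, so it is worth naming the API version or pinning the default in the template. I would also add a comment line such as `# With Fail, make sure namespaceSelector excludes the injector's own namespace, or an injector outage can block its replacement pods.`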