feat(helm): improve admission configurations (#1607)

Signed-off-by: Oliver Bähler <[email protected]>

Author: oliverbaehler

charts/capsule/README.md

@@ -137,7 +137,7 @@ Here the values you can override:
   {{- end }}
 {{- end }}
 
-### Webhooks Parameters
+### Admission Webhook Parameters
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
@@ -147,30 +147,6 @@ Here the values you can override:
   {{- end }}
 {{- end }}
 
-## Created resources
-
-This Helm Chart creates the following Kubernetes resources in the release namespace:
-
-* Capsule Namespace
-* Capsule Operator Deployment
-* Capsule Service
-* CA Secret
-* Certificate Secret
-* Tenant Custom Resource Definition
-* CapsuleConfiguration Custom Resource Definition
-* MutatingWebHookConfiguration
-* ValidatingWebHookConfiguration
-* RBAC Cluster Roles
-* Metrics Service
-
-And optionally, depending on the values set:
-
-* Capsule ServiceAccount
-* Capsule Service Monitor
-* PodSecurityPolicy
-* RBAC ClusterRole and RoleBinding for pod security policy
-* RBAC Role and Rolebinding for metrics scrape
-
 ## Notes on installing Custom Resource Definitions with Helm3
 
 Capsule, as many other add-ons, defines its own set of Custom Resource Definitions (CRDs). Helm3 removed the old CRDs installation method for a more simple methodology. In the Helm Chart, there is now a special directory called `crds` to hold the CRDs. These CRDs are not templated, but will be installed by default when running a `helm install` for the chart. If the CRDs already exist (for example, you already executed `helm install`), it will be skipped with a warning. When you wish to skip the CRDs installation, and do not see the warning, you can pass the `--skip-crds` flag to the `helm install` command.

charts/capsule/README.md.gotmpl

@@ -13,13 +13,28 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 webhooks:
-{{- with .Values.webhooks.hooks.defaults.pods }}
-- admissionReviewVersions:
+{{- with (mergeOverwrite .Values.webhooks.hooks.pods .Values.webhooks.hooks.defaults.pods) }}
+  {{- if .enabled }}
+- name: pod.defaults.projectcapsule.dev
+  admissionReviewVersions:
   - v1
   clientConfig:
     {{- include "capsule.webhooks.service" (dict "path" "/defaults" "ctx" $) | nindent 4 }}
   failurePolicy: {{ .failurePolicy }}
-  name: pod.defaults.projectcapsule.dev
+  matchPolicy: {{ .matchPolicy }}
+  reinvocationPolicy: {{ .reinvocationPolicy }}
+  {{- with .namespaceSelector }}
+  namespaceSelector:
+    {{- toYaml . |  nindent 4 }}
+  {{- end }}
+  {{- with .objectSelector }}
+  objectSelector:
+    {{- toYaml . |  nindent 4 }}
+  {{- end }}
+  {{- with .matchConditions }}
+  matchConditions:
+    {{- toYaml . |  nindent 4 }}
+  {{- end }}
   rules:
   - apiGroups:
     - ""
@@ -30,18 +45,32 @@ webhooks:
     resources:
     - pods
     scope: "Namespaced"
-  namespaceSelector:
-  {{- toYaml .namespaceSelector | nindent 4}}
   sideEffects: None
   timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
+  {{- end }}
 {{- end }}
-{{- with .Values.webhooks.hooks.defaults.pvc }}
-- admissionReviewVersions:
+{{- with (mergeOverwrite .Values.webhooks.hooks.persistentvolumeclaims .Values.webhooks.hooks.defaults.pvc) }}
+  {{- if .enabled }}
+- name: storage.defaults.projectcapsule.dev
+  admissionReviewVersions:
   - v1
   clientConfig:
     {{- include "capsule.webhooks.service" (dict "path" "/defaults" "ctx" $) | nindent 4 }}
   failurePolicy: {{ .failurePolicy }}
-  name: storage.defaults.projectcapsule.dev
+  matchPolicy: {{ .matchPolicy }}
+  reinvocationPolicy: {{ .reinvocationPolicy }}
+  {{- with .namespaceSelector }}
+  namespaceSelector:
+    {{- toYaml . |  nindent 4 }}
+  {{- end }}
+  {{- with .objectSelector }}
+  objectSelector:
+    {{- toYaml . |  nindent 4 }}
+  {{- end }}
+  {{- with .matchConditions }}
+  matchConditions:
+    {{- toYaml . |  nindent 4 }}
+  {{- end }}
   rules:
   - apiGroups:
     - ""
@@ -52,18 +81,32 @@ webhooks:
     resources:
     - persistentvolumeclaims
     scope: "Namespaced"
-  namespaceSelector:
-  {{- toYaml .namespaceSelector | nindent 4}}
   sideEffects: None
   timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
+  {{- end }}
 {{- end }}
-{{- with .Values.webhooks.hooks.defaults.ingress }}
-- admissionReviewVersions:
+{{- with (mergeOverwrite .Values.webhooks.hooks.ingresses .Values.webhooks.hooks.defaults.ingress) }}
+  {{- if .enabled }}
+- name: ingress.defaults.projectcapsule.dev
+  admissionReviewVersions:
   - v1
   clientConfig:
     {{- include "capsule.webhooks.service" (dict "path" "/defaults" "ctx" $) | nindent 4 }}
   failurePolicy: {{ .failurePolicy }}
-  name: ingress.defaults.projectcapsule.dev
+  matchPolicy: {{ .matchPolicy }}
+  reinvocationPolicy: {{ .reinvocationPolicy }}
+  {{- with .namespaceSelector }}
+  namespaceSelector:
+    {{- toYaml . |  nindent 4 }}
+  {{- end }}
+  {{- with .objectSelector }}
+  objectSelector:
+    {{- toYaml . |  nindent 4 }}
+  {{- end }}
+  {{- with .matchConditions }}
+  matchConditions:
+    {{- toYaml . |  nindent 4 }}
+  {{- end }}
   rules:
   - apiGroups:
     - networking.k8s.io
@@ -76,18 +119,32 @@ webhooks:
     resources:
     - ingresses
     scope: "Namespaced"
-  namespaceSelector:
-  {{- toYaml .namespaceSelector | nindent 4}}
   sideEffects: None
   timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
+  {{- end }}
 {{- end }}
 {{- with .Values.webhooks.hooks.gateways }}
-- admissionReviewVersions:
+  {{- if .enabled }}
+- name: gateway.defaults.projectcapsule.dev
+  admissionReviewVersions:
   - v1
   clientConfig:
     {{- include "capsule.webhooks.service" (dict "path" "/defaults" "ctx" $) | nindent 4 }}
   failurePolicy: {{ .failurePolicy }}
-  name: gateway.defaults.projectcapsule.dev
+  matchPolicy: {{ .matchPolicy }}
+  reinvocationPolicy: {{ .reinvocationPolicy }}
+  {{- with .namespaceSelector }}
+  namespaceSelector:
+    {{- toYaml . |  nindent 4 }}
+  {{- end }}
+  {{- with .objectSelector }}
+  objectSelector:
+    {{- toYaml . |  nindent 4 }}
+  {{- end }}
+  {{- with .matchConditions }}
+  matchConditions:
+    {{- toYaml . |  nindent 4 }}
+  {{- end }}
   rules:
   - apiGroups:
     - gateway.networking.k8s.io
@@ -99,20 +156,21 @@ webhooks:
     resources:
     - gateways
     scope: "Namespaced"
-  namespaceSelector:
-  {{- toYaml .namespaceSelector | nindent 4}}
   sideEffects: None
   timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
+  {{- end }}
 {{- end }}
-{{- with (mergeOverwrite .Values.webhooks.hooks.namespace.mutation .Values.webhooks.hooks.namespaceOwnerReference) }}
-- admissionReviewVersions:
+{{- with (mergeOverwrite .Values.webhooks.hooks.namespaces .Values.webhooks.hooks.namespaceOwnerReference) }}
+  {{- if .enabled }}
+- name: namespaces.tenants.projectcapsule.dev
+  admissionReviewVersions:
     - v1
     - v1beta1
   clientConfig:
     {{- include "capsule.webhooks.service" (dict "path" "/namespace-patch" "ctx" $) | nindent 4 }}
   failurePolicy: {{ .failurePolicy }}
-  matchPolicy: Equivalent
-  name: namespace-patching.tenants.projectcapsule.dev
+  matchPolicy: {{ .matchPolicy }}
+  reinvocationPolicy: {{ .reinvocationPolicy }}
   {{- with .namespaceSelector }}
   namespaceSelector:
     {{- toYaml . |  nindent 4 }}
@@ -121,7 +179,10 @@ webhooks:
   objectSelector:
     {{- toYaml . |  nindent 4 }}
   {{- end }}
-  reinvocationPolicy: Never
+  {{- with .matchConditions }}
+  matchConditions:
+    {{- toYaml . |  nindent 4 }}
+  {{- end }}
   rules:
     - apiGroups:
         - ""
@@ -136,18 +197,30 @@ webhooks:
   sideEffects: NoneOnDryRun
   timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
   {{- end }}
-  {{- with .Values.webhooks.hooks.resourcepools.pools }}
-- admissionReviewVersions:
+{{- end }}
+{{- with .Values.webhooks.hooks.resourcepools.pools }}
+  {{- if .enabled }}
+- name: resourcepools.projectcapsule.dev
+  admissionReviewVersions:
     - v1
     - v1beta1
   clientConfig:
     {{- include "capsule.webhooks.service" (dict "path" "/resourcepool/mutating" "ctx" $) | nindent 4 }}
   failurePolicy: {{ .failurePolicy }}
   matchPolicy: {{ .matchPolicy }}
-  name: resourcepools.projectcapsule.dev
-  namespaceSelector: {{ toYaml .namespaceSelector | nindent 4 }}
-  objectSelector: {{ toYaml .objectSelector | nindent 4 }}
   reinvocationPolicy: {{ .reinvocationPolicy }}
+  {{- with .namespaceSelector }}
+  namespaceSelector:
+    {{- toYaml . |  nindent 4 }}
+  {{- end }}
+  {{- with .objectSelector }}
+  objectSelector:
+    {{- toYaml . |  nindent 4 }}
+  {{- end }}
+  {{- with .matchConditions }}
+  matchConditions:
+    {{- toYaml . |  nindent 4 }}
+  {{- end }}
   rules:
     - apiGroups:
       - "capsule.clastix.io"
@@ -162,18 +235,30 @@ webhooks:
   sideEffects: None
   timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
   {{- end }}
-  {{- with .Values.webhooks.hooks.resourcepools.claims }}
-- admissionReviewVersions:
+{{- end }}
+{{- with .Values.webhooks.hooks.resourcepools.claims }}
+  {{- if .enabled }}
+- name: resourcepoolclaims.projectcapsule.dev
+  admissionReviewVersions:
     - v1
     - v1beta1
   clientConfig:
     {{- include "capsule.webhooks.service" (dict "path" "/resourcepool/claim/mutating" "ctx" $) | nindent 4 }}
   failurePolicy: {{ .failurePolicy }}
   matchPolicy: {{ .matchPolicy }}
-  name: resourcepoolclaims.projectcapsule.dev
-  namespaceSelector: {{ toYaml .namespaceSelector | nindent 4 }}
-  objectSelector: {{ toYaml .objectSelector | nindent 4 }}
   reinvocationPolicy: {{ .reinvocationPolicy }}
+  {{- with .namespaceSelector }}
+  namespaceSelector:
+    {{- toYaml . |  nindent 4 }}
+  {{- end }}
+  {{- with .objectSelector }}
+  objectSelector:
+    {{- toYaml . |  nindent 4 }}
+  {{- end }}
+  {{- with .matchConditions }}
+  matchConditions:
+    {{- toYaml . |  nindent 4 }}
+  {{- end }}
   rules:
     - apiGroups:
       - "capsule.clastix.io"
@@ -189,3 +274,4 @@ webhooks:
   timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
   {{- end }}
 {{- end }}
+{{- end }}