feat: make mwh namespaceSelector configurable in helm charts (#644)
Signed-off-by: Anish Ramasekar <[email protected]>
aramase committed Nov 22, 2022
1 parent f7755df commit 28a5746
Showing 7 changed files with 59 additions and 52 deletions.
51 changes: 26 additions & 25 deletions manifest_staging/charts/workload-identity-webhook/README.md
Expand Up @@ -29,31 +29,32 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide

## Parameters

| Parameter | Description | Default |
| :---------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------ |
| replicaCount | The number of azure-workload-identity replicas to deploy for the webhook | `2` |
| image.repository | Image repository | `mcr.microsoft.com/oss/azure/workload-identity/webhook` |
| image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| image.release | The image release tag to use | Current release version: `v0.14.0` |
| imagePullSecrets | Image pull secrets to use for retrieving images from private registries | `[]` |
| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
| arcCluster | Specify if it runs on Arc cluster | `false` |
| resources | The resource request/limits for the container image | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi |
| affinity | The node affinity to use for pod scheduling | `{}` |
| tolerations | The tolerations to use for pod scheduling | `[]` |
| service.type | Service type | `ClusterIP` |
| service.port | Service port | `443` |
| service.targetPort | Service target port | `9443` |
| azureTenantID | [**REQUIRED**] Azure tenant ID | `` |
| azureEnvironment | Azure Environment | `AzurePublicCloud` |
| logEncoder | The log encoder to use for the webhook manager (`json`, `console`) | `console` |
| metricsAddr | The address to bind the metrics server to | `:8095` |
| metricsBackend | The metrics backend to use (`prometheus`) | `prometheus` |
| mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook. Default is `Ignore` and it's safe. Setting this to fail closed could cause cluster outage when webhook is not available. | `Ignore` |
| priorityClassName | The priority class name for webhook manager | `system-cluster-critical` |
| mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. | `` |
| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` |
| podLabels | The labels to add to the azure-workload-identity webhook pods | `{}` |
| Parameter | Description | Default |
| :------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------ |
| replicaCount | The number of azure-workload-identity replicas to deploy for the webhook | `2` |
| image.repository | Image repository | `mcr.microsoft.com/oss/azure/workload-identity/webhook` |
| image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| image.release | The image release tag to use | Current release version: `v0.14.0` |
| imagePullSecrets | Image pull secrets to use for retrieving images from private registries | `[]` |
| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
| arcCluster | Specify if it runs on Arc cluster | `false` |
| resources | The resource request/limits for the container image | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi |
| affinity | The node affinity to use for pod scheduling | `{}` |
| tolerations | The tolerations to use for pod scheduling | `[]` |
| service.type | Service type | `ClusterIP` |
| service.port | Service port | `443` |
| service.targetPort | Service target port | `9443` |
| azureTenantID | [**REQUIRED**] Azure tenant ID | `` |
| azureEnvironment | Azure Environment | `AzurePublicCloud` |
| logEncoder | The log encoder to use for the webhook manager (`json`, `console`) | `console` |
| metricsAddr | The address to bind the metrics server to | `:8095` |
| metricsBackend | The metrics backend to use (`prometheus`) | `prometheus` |
| mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook. Default is `Ignore` and it's safe. Setting this to fail closed could cause cluster outage when webhook is not available. | `Ignore` |
| priorityClassName | The priority class name for webhook manager | `system-cluster-critical` |
| mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. | `` |
| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` |
| podLabels | The labels to add to the azure-workload-identity webhook pods | `{}` |
| mutatingWebhookNamespaceSelector | The namespace selector to further refine which namespaces will be selected by the webhook. | `{}` |

## Contributing Changes
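Review bot: the new mutatingWebhookNamespaceSelector row does not say what its default `{}` means; an empty selector matches every namespace, including kube-system and the webhook's own namespace, so the description should state that explicitly and point at the values.yaml key. The table also still lists the default for mutatingWebhookObjectSelector as `` while values.yaml in this same commit carries `mutatingWebhookObjectSelector: {}`; align the two while the row is being edited. Minor: widening the first column rewrote all 25 existing rows, which buries the one substantive addition in the diff.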

Expand Up @@ -21,6 +21,7 @@ webhooks:
failurePolicy: {{ .Values.mutatingWebhookFailurePolicy }}
matchPolicy: Equivalent
name: mutation.azure-workload-identity.io
namespaceSelector: {{- toYaml .Values.mutatingWebhookNamespaceSelector | nindent 4 }}
objectSelector: {{- toYaml .Values.mutatingWebhookObjectSelector | nindent 4 }}
rules:
- apiGroups:
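Review bot: `{{- toYaml .Values.mutatingWebhookNamespaceSelector | nindent 4 }}` renders the default as an empty selector, which admits every namespace. Since the chart also exposes mutatingWebhookFailurePolicy, the template or values.yaml should note that anyone switching to a fail-closed policy must pair it with a namespaceSelector that excludes the webhook's own namespace (azure-workload-identity-system) and kube-system; otherwise a webhook that intercepts its own pods cannot recover once those pods are rescheduled. The rendering itself is consistent with the objectSelector line directly below it.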
Expand Up @@ -35,3 +35,4 @@ priorityClassName: system-cluster-critical
mutatingWebhookObjectSelector: {}
mutatingWebhookAnnotations: {}
podLabels: {}
mutatingWebhookNamespaceSelector: {}
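Review bot: the new key lands without any comment, so a user reading values.yaml alone cannot tell that `{}` selects all namespaces or that the value is a full LabelSelector (matchLabels/matchExpressions). Add a one-line comment mirroring the README description, as the README is the only place the semantics are documented.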
Expand Up @@ -88,6 +88,7 @@ webhooks:
failurePolicy: HELMSUBST_MUTATING_WEBHOOK_FAILURE_POLICY
name: mutation.azure-workload-identity.io
objectSelector: HELMSUBST_MUTATING_WEBHOOK_OBJECT_SELECTOR
namespaceSelector: HELMSUBST_MUTATING_WEBHOOK_NAMESPACE_SELECTOR
---
apiVersion: v1
kind: ServiceAccount
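Review bot: namespaceSelector is placed after objectSelector here but before objectSelector in the chart template hunk above; keep the field order identical in the source manifest and the generated template so the generator output stays trivially diff-able against the committed chart. Also worth confirming in the commit message that this manifest is consumed only by the chart generator, because the bare HELMSUBST_MUTATING_WEBHOOK_NAMESPACE_SELECTOR token is not a valid LabelSelector if the file is ever applied directly.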
Expand Up @@ -29,9 +29,10 @@ var replacements = map[string]string{

`HELMSUBST_MUTATING_WEBHOOK_ANNOTATIONS: ""`: `{{- toYaml .Values.mutatingWebhookAnnotations | nindent 4 }}`,

`HELMSUBST_SERVICEACCOUNT_IMAGE_PULL_SECRETS: ""`:
`{{- if .Values.imagePullSecrets }}
`HELMSUBST_SERVICEACCOUNT_IMAGE_PULL_SECRETS: ""`: `{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml .Values.imagePullSecrets | nindent 2 }}
{{- end }}`,

`HELMSUBST_MUTATING_WEBHOOK_NAMESPACE_SELECTOR`: `{{- toYaml .Values.mutatingWebhookNamespaceSelector | nindent 4 }}`,
}
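Review bot: the rejoin of the `HELMSUBST_SERVICEACCOUNT_IMAGE_PULL_SECRETS: ""` entry onto a single line is an unrelated whitespace-only change riding in a feature commit; split it out or call it out in the commit message. The new `HELMSUBST_MUTATING_WEBHOOK_NAMESPACE_SELECTOR` key correctly omits the `: ""` suffix that the annotations and imagePullSecrets keys carry, because in the manifest the token sits after `namespaceSelector:` rather than standing in for a whole key/value line; a short comment above the map explaining which keys are value placeholders and which are whole-line placeholders would keep the next contributor from picking the wrong form.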
