diff --git a/manifest_staging/charts/workload-identity-webhook/README.md b/manifest_staging/charts/workload-identity-webhook/README.md index 498d45bf1..db60bf01f 100644 --- a/manifest_staging/charts/workload-identity-webhook/README.md +++ b/manifest_staging/charts/workload-identity-webhook/README.md 
@@ -29,31 +29,32 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide ## Parameters -| Parameter | Description | Default | -| :---------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------ | -| replicaCount | The number of azure-workload-identity replicas to deploy for the webhook | `2` | -| image.repository | Image repository | `mcr.microsoft.com/oss/azure/workload-identity/webhook` | -| image.pullPolicy | Image pullPolicy | `IfNotPresent` | -| image.release | The image release tag to use | Current release version: `v0.14.0` | -| imagePullSecrets | Image pull secrets to use for retrieving images from private registries | `[]` | -| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | -| arcCluster | Specify if it runs on Arc cluster | `false` | -| resources | The resource request/limits for the container image | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi | -| affinity | The node affinity to use for pod scheduling | `{}` | -| tolerations | The tolerations to use for pod scheduling | `[]` | -| service.type | Service type | `ClusterIP` | -| service.port | Service port | `443` | -| service.targetPort | Service target port | `9443` | -| azureTenantID | [**REQUIRED**] Azure tenant ID | `` | -| azureEnvironment | Azure Environment | `AzurePublicCloud` | -| logEncoder | The log encoder to use for the webhook manager (`json`, `console`) | `console` | -| metricsAddr | The address to bind the metrics server to | `:8095` | -| metricsBackend | The metrics backend to use (`prometheus`) | `prometheus` | -| mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook. Default is `Ignore` and it's safe. Setting this to fail closed could cause cluster outage when webhook is not available. 
| `Ignore` | -| priorityClassName | The priority class name for webhook manager | `system-cluster-critical` | -| mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. | `` | -| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` | -| podLabels | The labels to add to the azure-workload-identity webhook pods | `{}` | +| Parameter | Description | Default | +| :------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------ | +| replicaCount | The number of azure-workload-identity replicas to deploy for the webhook | `2` | +| image.repository | Image repository | `mcr.microsoft.com/oss/azure/workload-identity/webhook` | +| image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| image.release | The image release tag to use | Current release version: `v0.14.0` | +| imagePullSecrets | Image pull secrets to use for retrieving images from private registries | `[]` | +| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | +| arcCluster | Specify if it runs on Arc cluster | `false` | +| resources | The resource request/limits for the container image | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi | +| affinity | The node affinity to use for pod scheduling | `{}` | +| tolerations | The tolerations to use for pod scheduling | `[]` | +| service.type | Service type | `ClusterIP` | +| service.port | Service port | `443` | +| service.targetPort | Service target port | `9443` | +| azureTenantID | [**REQUIRED**] Azure tenant ID | `` | +| azureEnvironment | Azure Environment | `AzurePublicCloud` | +| logEncoder | The log encoder to use for the webhook manager (`json`, `console`) | `console` | +| metricsAddr | The address to bind the 
metrics server to | `:8095` | +| metricsBackend | The metrics backend to use (`prometheus`) | `prometheus` | +| mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook. Default is `Ignore` and it's safe. Setting this to fail closed could cause cluster outage when webhook is not available. | `Ignore` | +| priorityClassName | The priority class name for webhook manager | `system-cluster-critical` | +| mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. | `` | +| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` | +| podLabels | The labels to add to the azure-workload-identity webhook pods | `{}` | +| mutatingWebhookNamespaceSelector | The namespace selector to further refine which namespaces will be selected by the webhook. | `{}` | ## Contributing Changes diff --git a/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml index 8d6dda18a..5f79c5239 100644 --- a/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml +++ b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml @@ -21,6 +21,7 @@ webhooks: failurePolicy: {{ .Values.mutatingWebhookFailurePolicy }} matchPolicy: Equivalent name: mutation.azure-workload-identity.io + namespaceSelector: {{- toYaml .Values.mutatingWebhookNamespaceSelector | nindent 4 }} objectSelector: {{- toYaml .Values.mutatingWebhookObjectSelector | nindent 4 }} rules: - apiGroups: 
diff --git a/manifest_staging/charts/workload-identity-webhook/values.yaml b/manifest_staging/charts/workload-identity-webhook/values.yaml index 822de3b31..08fc2da9b 100644 --- a/manifest_staging/charts/workload-identity-webhook/values.yaml +++ b/manifest_staging/charts/workload-identity-webhook/values.yaml @@ -35,3 +35,4 @@ priorityClassName: system-cluster-critical mutatingWebhookObjectSelector: {} mutatingWebhookAnnotations: {} podLabels: {} +mutatingWebhookNamespaceSelector: {} diff --git a/third_party/open-policy-agent/gatekeeper/helmify/kustomize-for-helm.yaml b/third_party/open-policy-agent/gatekeeper/helmify/kustomize-for-helm.yaml index d7b41e1cd..c14515b77 100644 --- a/third_party/open-policy-agent/gatekeeper/helmify/kustomize-for-helm.yaml +++ b/third_party/open-policy-agent/gatekeeper/helmify/kustomize-for-helm.yaml @@ -88,6 +88,7 @@ webhooks: failurePolicy: HELMSUBST_MUTATING_WEBHOOK_FAILURE_POLICY name: mutation.azure-workload-identity.io objectSelector: HELMSUBST_MUTATING_WEBHOOK_OBJECT_SELECTOR + namespaceSelector: HELMSUBST_MUTATING_WEBHOOK_NAMESPACE_SELECTOR --- apiVersion: v1 kind: ServiceAccount diff --git a/third_party/open-policy-agent/gatekeeper/helmify/replacements.go b/third_party/open-policy-agent/gatekeeper/helmify/replacements.go index 362172db0..c84619ce8 100644 --- a/third_party/open-policy-agent/gatekeeper/helmify/replacements.go +++ b/third_party/open-policy-agent/gatekeeper/helmify/replacements.go 
@@ -29,9 +29,10 @@ var replacements = map[string]string{ `HELMSUBST_MUTATING_WEBHOOK_ANNOTATIONS: ""`: `{{- toYaml .Values.mutatingWebhookAnnotations | nindent 4 }}`, - `HELMSUBST_SERVICEACCOUNT_IMAGE_PULL_SECRETS: ""`: -`{{- if .Values.imagePullSecrets }} + `HELMSUBST_SERVICEACCOUNT_IMAGE_PULL_SECRETS: ""`: `{{- if .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml .Values.imagePullSecrets | nindent 2 }} {{- end }}`, + + `HELMSUBST_MUTATING_WEBHOOK_NAMESPACE_SELECTOR`: `{{- toYaml .Values.mutatingWebhookNamespaceSelector | nindent 4 }}`, } diff --git a/third_party/open-policy-agent/gatekeeper/helmify/static/README.md b/third_party/open-policy-agent/gatekeeper/helmify/static/README.md index 498d45bf1..db60bf01f 100644 --- a/third_party/open-policy-agent/gatekeeper/helmify/static/README.md +++ b/third_party/open-policy-agent/gatekeeper/helmify/static/README.md 
@@ -29,31 +29,32 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide ## Parameters -| Parameter | Description | Default | -| :---------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------ | -| replicaCount | The number of azure-workload-identity replicas to deploy for the webhook | `2` | -| image.repository | Image repository | `mcr.microsoft.com/oss/azure/workload-identity/webhook` | -| image.pullPolicy | Image pullPolicy | `IfNotPresent` | -| image.release | The image release tag to use | Current release version: `v0.14.0` | -| imagePullSecrets | Image pull secrets to use for retrieving images from private registries | `[]` | -| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | -| arcCluster | Specify if it runs on Arc cluster | `false` | -| resources | The resource request/limits for the container image | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi | -| affinity | The node affinity to use for pod scheduling | `{}` | -| tolerations | The tolerations to use for pod scheduling | `[]` | -| service.type | Service type | `ClusterIP` | -| service.port | Service port | `443` | -| service.targetPort | Service target port | `9443` | -| azureTenantID | [**REQUIRED**] Azure tenant ID | `` | -| azureEnvironment | Azure Environment | `AzurePublicCloud` | -| logEncoder | The log encoder to use for the webhook manager (`json`, `console`) | `console` | -| metricsAddr | The address to bind the metrics server to | `:8095` | -| metricsBackend | The metrics backend to use (`prometheus`) | `prometheus` | -| mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook. Default is `Ignore` and it's safe. Setting this to fail closed could cause cluster outage when webhook is not available. 
| `Ignore` | -| priorityClassName | The priority class name for webhook manager | `system-cluster-critical` | -| mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. | `` | -| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` | -| podLabels | The labels to add to the azure-workload-identity webhook pods | `{}` | +| Parameter | Description | Default | +| :------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------ | +| replicaCount | The number of azure-workload-identity replicas to deploy for the webhook | `2` | +| image.repository | Image repository | `mcr.microsoft.com/oss/azure/workload-identity/webhook` | +| image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| image.release | The image release tag to use | Current release version: `v0.14.0` | +| imagePullSecrets | Image pull secrets to use for retrieving images from private registries | `[]` | +| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | +| arcCluster | Specify if it runs on Arc cluster | `false` | +| resources | The resource request/limits for the container image | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi | +| affinity | The node affinity to use for pod scheduling | `{}` | +| tolerations | The tolerations to use for pod scheduling | `[]` | +| service.type | Service type | `ClusterIP` | +| service.port | Service port | `443` | +| service.targetPort | Service target port | `9443` | +| azureTenantID | [**REQUIRED**] Azure tenant ID | `` | +| azureEnvironment | Azure Environment | `AzurePublicCloud` | +| logEncoder | The log encoder to use for the webhook manager (`json`, `console`) | `console` | +| metricsAddr | The address to bind the 
metrics server to | `:8095` | +| metricsBackend | The metrics backend to use (`prometheus`) | `prometheus` | +| mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook. Default is `Ignore` and it's safe. Setting this to fail closed could cause cluster outage when webhook is not available. | `Ignore` | +| priorityClassName | The priority class name for webhook manager | `system-cluster-critical` | +| mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. | `` | +| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` | +| podLabels | The labels to add to the azure-workload-identity webhook pods | `{}` | +| mutatingWebhookNamespaceSelector | The namespace selector to further refine which namespaces will be selected by the webhook. | `{}` | ## Contributing Changes diff --git a/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml b/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml index 822de3b31..08fc2da9b 100644 --- a/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml +++ b/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml @@ -35,3 +35,4 @@ priorityClassName: system-cluster-critical mutatingWebhookObjectSelector: {} mutatingWebhookAnnotations: {} podLabels: {} +mutatingWebhookNamespaceSelector: {}
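Review bot: the new `mutatingWebhookNamespaceSelector` row in the manifest_staging README hunk should say what the `{}` default means: an empty namespace selector matches every namespace, so the webhook keeps intercepting pod creation cluster-wide until an operator narrows it, and pods in any namespace a selector excludes will never receive the mutation, with no error to point at. The row is also the natural place to tie in the existing `mutatingWebhookFailurePolicy` warning: if an operator does set fail-closed, excluding the webhook's own `azure-workload-identity-system` namespace through this selector is what keeps the webhook's own pods schedulable while it is unavailable. Separately, the unchanged `mutatingWebhookObjectSelector` row still lists its default as `` while values.yaml has `{}`; align it with the new row while the table is being regenerated.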
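Review bot: in the template hunk, `namespaceSelector: {{- toYaml .Values.mutatingWebhookNamespaceSelector | nindent 4 }}` mirrors the `objectSelector` line and renders the `{}` default correctly, but nothing guards against a scalar or list being supplied; `toYaml` would happily emit `namespaceSelector: "some-string"` and the MutatingWebhookConfiguration is only rejected by the API server at install time. A `kindIs "map"` check with `fail`, or at least a values.yaml comment that the field is a LabelSelector (`matchLabels` / `matchExpressions`), would surface the mistake earlier.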
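Review bot: the replacements.go hunk mixes an unrelated reflow of the existing `HELMSUBST_SERVICEACCOUNT_IMAGE_PULL_SECRETS` entry (its raw-string value moved onto the key's line) with the new `HELMSUBST_MUTATING_WEBHOOK_NAMESPACE_SELECTOR` replacement. If the reflow is gofmt output it is harmless, but the embedded newline before `imagePullSecrets:` in that raw string must survive, and keeping the formatting change in its own commit makes the functional change easier to verify. The new key deliberately lacks the `: ""` suffix used by the annotations entry, which matches the bare placeholder form `namespaceSelector: HELMSUBST_MUTATING_WEBHOOK_NAMESPACE_SELECTOR` in the kustomize-for-helm.yaml hunk.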
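Review bot: `mutatingWebhookNamespaceSelector: {}` lands in both values.yaml hunks without a comment. values.yaml is what `helm show values` surfaces to operators, so a one-line comment that `{}` selects all namespaces and that the value is a Kubernetes LabelSelector does more for safe configuration than the README table alone. The `static/README.md` and `static/values.yaml` hunks carry the same blob indexes (`498d45bf1..db60bf01f`, `822de3b31..08fc2da9b`) as the manifest_staging copies, so the two trees stay byte-identical and any wording fix should be applied to both.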