shoebill-test/charts/istiod-istiod/templates/validatingwebhookconfiguration.yaml

{{- if .Values.global.configValidation }}
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
  labels:
    app: istiod
    release: {{ .Release.Name }}
    istio: istiod
    istio.io/rev: {{ .Values.revision | default "default" | quote }}
webhooks:
  # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
  # are rejecting invalid configs on a per-revision basis.
  - name: rev.validation.istio.io
    clientConfig:
      # Should change from base but cannot for API compat
      {{- if .Values.base.validationURL }}
      url: {{ .Values.base.validationURL }}
      {{- else }}
      service:
        name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
        namespace: {{ .Values.global.istioNamespace }}
        path: "/validate"
      {{- end }}
      {{- if .Values.base.validationCABundle }}
      caBundle: "{{ .Values.base.validationCABundle }}"
      {{- end }}
    rules:
      - operations:
          - CREATE
          - UPDATE
        apiGroups:
          - security.istio.io
          - networking.istio.io
          - telemetry.istio.io
          - extensions.istio.io
        apiVersions:
          - "*"
        resources:
          - "*"
    {{- if .Values.base.validationCABundle }}
    # Disable webhook controller in Pilot to stop patching it
    failurePolicy: Fail
    {{- else }}
    # Fail open until the validation webhook is ready. The webhook controller
    # will update this to `Fail` and patch in the `caBundle` when the webhook
    # endpoint is ready.
    failurePolicy: Ignore
    {{- end }}
    sideEffects: None
    admissionReviewVersions: ["v1"]
    objectSelector:
      matchExpressions:
        - key: istio.io/rev
          operator: In
          values:
          {{- if (eq .Values.revision "") }}
          - "default"
          {{- else }}
          - "{{ .Values.revision }}"
          {{- end }}
---
{{- end }}
chore(release): Add a new release: metrics-server A new release is added to the cluster: Name: metrics-server Namespace: kube-system Version: 3.11.0 Chart: metrics-server/metrics-server 2024-09-09 07:41:17 +00:00			`{{- if .Values.global.configValidation }}`
			`apiVersion: admissionregistration.k8s.io/v1`
			`kind: ValidatingWebhookConfiguration`
			`metadata:`
			`name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}`
			`labels:`
			`app: istiod`
			`release: {{ .Release.Name }}`
			`istio: istiod`
			`istio.io/rev: {{ .Values.revision \| default "default" \| quote }}`
			`webhooks:`
			`# Webhook handling per-revision validation. Mostly here so we can determine whether webhooks`
			`# are rejecting invalid configs on a per-revision basis.`
			`- name: rev.validation.istio.io`
			`clientConfig:`
			`# Should change from base but cannot for API compat`
			`{{- if .Values.base.validationURL }}`
			`url: {{ .Values.base.validationURL }}`
			`{{- else }}`
			`service:`
			`name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}`
			`namespace: {{ .Values.global.istioNamespace }}`
			`path: "/validate"`
			`{{- end }}`
			`{{- if .Values.base.validationCABundle }}`
			`caBundle: "{{ .Values.base.validationCABundle }}"`
			`{{- end }}`
			`rules:`
			`- operations:`
			`- CREATE`
			`- UPDATE`
			`apiGroups:`
			`- security.istio.io`
			`- networking.istio.io`
			`- telemetry.istio.io`
			`- extensions.istio.io`
			`apiVersions:`
			`- "*"`
			`resources:`
			`- "*"`
			`{{- if .Values.base.validationCABundle }}`
			`# Disable webhook controller in Pilot to stop patching it`
			`failurePolicy: Fail`
			`{{- else }}`
			`# Fail open until the validation webhook is ready. The webhook controller`
			# will update this to `Fail` and patch in the `caBundle` when the webhook
			`# endpoint is ready.`
			`failurePolicy: Ignore`
			`{{- end }}`
			`sideEffects: None`
			`admissionReviewVersions: ["v1"]`
			`objectSelector:`
			`matchExpressions:`
			`- key: istio.io/rev`
			`operator: In`
			`values:`
			`{{- if (eq .Values.revision "") }}`
			`- "default"`
			`{{- else }}`
			`- "{{ .Values.revision }}"`
			`{{- end }}`
			`---`
			`{{- end }}`