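{{- /*
Admission webhook for the Kong ingress controller: a ValidatingWebhookConfiguration,
the Service that fronts the controller's webhook port, and (when no certificate is
supplied by the user) a self-signed CA plus a leaf cert stored in two TLS Secrets.
Rendered only when both the controller and its admission webhook are enabled.
*/}}
{{- if (and .Values.ingressController.admissionWebhook.enabled .Values.ingressController.enabled) }}
{{- $certCert := "" -}}
{{- $certKey := "" -}}
{{- $caCert := "" -}}
{{- $caKey := "" -}}
{{- if not .Values.ingressController.admissionWebhook.certificate.provided }}
{{- /*
Self-managed PKI. The leaf cert's CN/SAN is the in-cluster DNS name of the webhook
Service; both CA and leaf are issued for 3650 days (no rotation is performed here).
*/}}
{{- $cn := printf "%s.%s.svc" ( include "kong.service.validationWebhook" . ) ( include "kong.namespace" . ) -}}
{{- $ca := genCA "kong-admission-ca" 3650 -}}
{{- $cert := genSignedCert $cn nil (list $cn) 3650 $ca -}}
{{- $certCert = $cert.Cert -}}
{{- $certKey = $cert.Key -}}
{{- $caCert = $ca.Cert -}}
{{- $caKey = $ca.Key -}}

{{- /*
On upgrade, reuse the keypairs already stored in the release namespace so the
caBundle below keeps matching the cert the controller serves. `lookup` presumably
returns nothing under `helm template` / dry-run, in which case fresh material is
rendered each time.
*/}}
{{- $caSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (printf "%s-validation-webhook-ca-keypair" (include "kong.fullname" .))) -}}
{{- $certSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (printf "%s-validation-webhook-keypair" (include "kong.fullname" .))) -}}

{{- /*
Only reuse stored material when BOTH Secrets exist: taking the leaf from one and
a freshly generated CA for the other (or vice versa) would publish a caBundle that
did not issue the served certificate, and the API server would then reject every
admission call. If either Secret is missing, both are regenerated together.
*/}}
{{- if and $certSecret $caSecret }}
{{- $certCert = (b64dec (get $certSecret.data "tls.crt")) -}}
{{- $certKey = (b64dec (get $certSecret.data "tls.key")) -}}
{{- $caCert = (b64dec (get $caSecret.data "tls.crt")) -}}
{{- $caKey = (b64dec (get $caSecret.data "tls.key")) -}}
{{- end }}
{{- end }}
kind: ValidatingWebhookConfiguration
{{- /* Prefer the GA API; fall back to v1beta1 on clusters that do not serve v1. */}}
{{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }}
apiVersion: admissionregistration.k8s.io/v1
{{- else }}
apiVersion: admissionregistration.k8s.io/v1beta1
{{- end }}
metadata:
  name: {{ template "kong.fullname" . }}-validations
  namespace: {{ template "kong.namespace" . }}
  labels:
  {{- include "kong.metaLabels" . | nindent 4 }}
  {{- if .Values.ingressController.admissionWebhook.annotations }}
  annotations:
  {{- range $key, $value := .Values.ingressController.admissionWebhook.annotations }}
    {{ $key }}: {{ $value | quote }}
  {{- end }}
  {{- end }}
webhooks:
- name: validations.kong.konghq.com
  {{- with .Values.ingressController.admissionWebhook.namespaceSelector }}
  namespaceSelector:
  {{- toYaml . | nindent 4 }}
  {{- end }}
  {{- with .Values.ingressController.admissionWebhook.timeoutSeconds }}
  timeoutSeconds: {{ . }}
  {{- end }}
  {{- /*
  Objects labelled owner=helm are exempted from validation. Note that any client
  able to set that label on a matching resource is also exempted from this webhook;
  the exemption is not a trust boundary.
  */}}
  objectSelector:
    matchExpressions:
    - key: owner
      operator: NotIn
      values:
      - helm
  {{- /*
  failurePolicy decides fail-open (Ignore) vs fail-closed (Fail) when the webhook
  is unreachable; it is taken verbatim from values.
  */}}
  failurePolicy: {{ .Values.ingressController.admissionWebhook.failurePolicy }}
  sideEffects: None
  admissionReviewVersions: ["v1beta1"]
  rules:
  - apiGroups:
    - configuration.konghq.com
    apiVersions:
    - '*'
    operations:
    - CREATE
    - UPDATE
    resources:
    - kongconsumers
    - kongplugins
    {{- /* Resource and operation lists below grow with the controller version in use. */}}
    {{- if (semverCompare ">= 2.0.4" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
    - kongclusterplugins
    {{- end }}
    {{- if (semverCompare ">= 2.8.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
    - kongingresses
    {{- end }}
  - apiGroups:
    - ''
    apiVersions:
    - 'v1'
    operations:
    {{- if (semverCompare ">= 2.12.1" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
    - CREATE
    {{- end }}
    - UPDATE
    resources:
    - secrets
    {{- if (semverCompare ">= 3.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
    - services
    {{- end }}
  {{- if (semverCompare ">= 2.12.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
  - apiGroups:
    - networking.k8s.io
    apiVersions:
    - 'v1'
    operations:
    - CREATE
    - UPDATE
    resources:
    - ingresses
  - apiGroups:
    - gateway.networking.k8s.io
    apiVersions:
    - 'v1alpha2'
    - 'v1beta1'
    {{- if (semverCompare ">= 3.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
    - 'v1'
    {{- end }}
    operations:
    - CREATE
    - UPDATE
    resources:
    - gateways
    - httproutes
  {{- end }}
  clientConfig:
    {{- /*
    caBundle is the CA the API server uses to verify the webhook's TLS cert:
    the generated CA above, or the user-supplied PEM when a certificate is provided.
    When a certificate is provided without caBundle, no caBundle is emitted.
    */}}
    {{- if not .Values.ingressController.admissionWebhook.certificate.provided }}
    caBundle: {{ b64enc $caCert }}
    {{- else }}
    {{- if .Values.ingressController.admissionWebhook.certificate.caBundle }}
    caBundle: {{ b64enc .Values.ingressController.admissionWebhook.certificate.caBundle }}
    {{- end }}
    {{- end }}
    service:
      name: {{ template "kong.service.validationWebhook" . }}
      namespace: {{ template "kong.namespace" . }}
---
{{- /* Service the API server dials for admission; targets the controller's "webhook" port. */}}
apiVersion: v1
kind: Service
metadata:
  name: {{ template "kong.service.validationWebhook" . }}
  namespace: {{ template "kong.namespace" . }}
  labels:
  {{- include "kong.metaLabels" . | nindent 4 }}
  {{- if .Values.ingressController.admissionWebhook.service.labels }}
  {{- toYaml .Values.ingressController.admissionWebhook.service.labels | nindent 4 }}
  {{- end }}
spec:
  ports:
  - name: webhook
    port: 443
    protocol: TCP
    targetPort: webhook
  selector:
  {{- include "kong.metaLabels" . | nindent 4 }}
    app.kubernetes.io/component: app
{{- if not .Values.ingressController.admissionWebhook.certificate.provided }}
{{- /*
Generated PKI material is persisted in two kubernetes.io/tls Secrets so later
upgrades can reuse it (see the lookup above). Anyone who can read these Secrets
can impersonate the webhook; restrict RBAC on them accordingly.
*/}}
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ template "kong.fullname" . }}-validation-webhook-ca-keypair
  namespace: {{ template "kong.namespace" . }}
  labels:
  {{- include "kong.metaLabels" . | nindent 4 }}
type: kubernetes.io/tls
data:
  tls.crt: {{ b64enc $caCert }}
  tls.key: {{ b64enc $caKey }}
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ template "kong.fullname" . }}-validation-webhook-keypair
  namespace: {{ template "kong.namespace" . }}
  labels:
  {{- include "kong.metaLabels" . | nindent 4 }}
type: kubernetes.io/tls
data:
  tls.crt: {{ b64enc $certCert }}
  tls.key: {{ b64enc $certKey }}
{{- end }}
{{- end }}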