Add missing validating webhook configuration

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-10-01 01:36:09 -04:00 · 2023-06-26 10:35:17 +02:00 · 2023-06-26 10:35:17 +02:00 · aa00c43156
commit aa00c43156
parent 8619a90149
5 changed files with 29 additions and 5 deletions
--- a/cli/internal/helm/BUILD.bazel
+++ b/cli/internal/helm/BUILD.bazel
@ -388,6 +388,7 @@ go_library(
        "charts/csi-snapshotter/snapshot-controller/templates/snapshot-controller.yaml",
        "charts/csi-snapshotter/snapshot-controller/templates/snapshot-webhook.yaml",
        "charts/csi-snapshotter/snapshot-controller/values.yaml",
+        "charts/csi-snapshotter/snapshot-controller/templates/admission-configuration.yaml",
    ],
    importpath = "github.com/edgelesssys/constellation/v2/cli/internal/helm",
    visibility = ["//cli:__subpackages__"],
--- a/cli/internal/helm/charts/csi-snapshotter/snapshot-controller/templates/admission-configuration.yaml
+++ b/cli/internal/helm/charts/csi-snapshotter/snapshot-controller/templates/admission-configuration.yaml
@ -0,0 +1,23 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: "validation-webhook.snapshot.storage.k8s.io"
+  annotations:
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/snapshot-validation-serving-cert
+webhooks:
+- name: "validation-webhook.snapshot.storage.k8s.io"
+  rules:
+  - apiGroups:   ["snapshot.storage.k8s.io"]
+    apiVersions: ["v1"]
+    operations:  ["CREATE", "UPDATE"]
+    resources:   ["volumesnapshots", "volumesnapshotcontents", "volumesnapshotclasses"]
+    scope:       "*"
+  clientConfig:
+    service:
+      namespace: {{ .Release.Namespace }}
+      name: "snapshot-validation-service"
+      path: "/volumesnapshot"
+  admissionReviewVersions: ["v1"]
+  sideEffects: None
+  failurePolicy: Fail # We recommend switching to Fail only after successful installation of the webhook server and webhook.
+  timeoutSeconds: 15 # This will affect the latency and performance. Finetune this value based on your application's tolerance.
--- a/cli/internal/helm/charts/csi-snapshotter/snapshot-controller/templates/selfsigned-issuer.yaml
+++ b/cli/internal/helm/charts/csi-snapshotter/snapshot-controller/templates/selfsigned-issuer.yaml
@ -1,7 +1,7 @@
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
-  name: snapshot-webhook-selfsigned-issuer
+  name: snapshot-validation-selfsigned-issuer
  namespace: {{ .Release.Namespace }}
 spec:
  selfSigned: {}
--- a/cli/internal/helm/charts/csi-snapshotter/snapshot-controller/templates/serving-cert.yaml
+++ b/cli/internal/helm/charts/csi-snapshotter/snapshot-controller/templates/serving-cert.yaml
@ -1,7 +1,7 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: snapshot-webhook-serving-cert
+  name: snapshot-validation-serving-cert
  namespace: {{ .Release.Namespace }}
 spec:
  dnsNames:
@ -9,5 +9,5 @@ spec:
  - 'snapshot-validation-service.{{ .Release.Namespace }}.svc.{{ .Values.kubernetesClusterDomain }}'
  issuerRef:
    kind: Issuer
-    name: snapshot-webhook-selfsigned-issuer
-  secretName: webhook-server-cert
+    name: snapshot-validation-selfsigned-issuer
+  secretName: snapshot-validation-serving-cert
--- a/cli/internal/helm/charts/csi-snapshotter/snapshot-controller/templates/snapshot-webhook.yaml
+++ b/cli/internal/helm/charts/csi-snapshotter/snapshot-controller/templates/snapshot-webhook.yaml
@ -42,7 +42,7 @@ spec:
      volumes:
        - name: snapshot-validation-webhook-certs
          secret:
-            secretName: webhook-server-cert
+            secretName: snapshot-validation-serving-cert
 ---
 apiVersion: v1
 kind: Service