From aa00c43156be742f5bd1d03883938bcf767dd1c5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Wei=C3=9Fe?= Date: Mon, 26 Jun 2023 10:35:17 +0200 Subject: [PATCH] Add missing validating webhook configuration MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Daniel Weiße --- cli/internal/helm/BUILD.bazel | 1 + .../templates/admission-configuration.yaml | 23 +++++++++++++++++++ .../templates/selfsigned-issuer.yaml | 2 +- .../templates/serving-cert.yaml | 6 ++--- .../templates/snapshot-webhook.yaml | 2 +- 5 files changed, 29 insertions(+), 5 deletions(-) create mode 100644 cli/internal/helm/charts/csi-snapshotter/snapshot-controller/templates/admission-configuration.yaml diff --git a/cli/internal/helm/BUILD.bazel b/cli/internal/helm/BUILD.bazel index 3a4990ffd..f2eaebd46 100644 --- a/cli/internal/helm/BUILD.bazel +++ b/cli/internal/helm/BUILD.bazel @@ -388,6 +388,7 @@ go_library( "charts/csi-snapshotter/snapshot-controller/templates/snapshot-controller.yaml", "charts/csi-snapshotter/snapshot-controller/templates/snapshot-webhook.yaml", "charts/csi-snapshotter/snapshot-controller/values.yaml", + "charts/csi-snapshotter/snapshot-controller/templates/admission-configuration.yaml", ], importpath = "github.com/edgelesssys/constellation/v2/cli/internal/helm", visibility = ["//cli:__subpackages__"], diff --git a/cli/internal/helm/charts/csi-snapshotter/snapshot-controller/templates/admission-configuration.yaml b/cli/internal/helm/charts/csi-snapshotter/snapshot-controller/templates/admission-configuration.yaml new file mode 100644 index 000000000..95e26f473 --- /dev/null +++ b/cli/internal/helm/charts/csi-snapshotter/snapshot-controller/templates/admission-configuration.yaml 
@@ -0,0 +1,23 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: "validation-webhook.snapshot.storage.k8s.io" + annotations: + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/snapshot-validation-serving-cert +webhooks: +- name: "validation-webhook.snapshot.storage.k8s.io" + rules: + - apiGroups: ["snapshot.storage.k8s.io"] + apiVersions: ["v1"] + operations: ["CREATE", "UPDATE"] + resources: ["volumesnapshots", "volumesnapshotcontents", "volumesnapshotclasses"] + scope: "*" + clientConfig: + service: + namespace: {{ .Release.Namespace }} + name: "snapshot-validation-service" + path: "/volumesnapshot" + admissionReviewVersions: ["v1"] + sideEffects: None + failurePolicy: Fail # We recommend switching to Fail only after successful installation of the webhook server and webhook. + timeoutSeconds: 15 # This will affect the latency and performance. Finetune this value based on your application's tolerance. diff --git a/cli/internal/helm/charts/csi-snapshotter/snapshot-controller/templates/selfsigned-issuer.yaml b/cli/internal/helm/charts/csi-snapshotter/snapshot-controller/templates/selfsigned-issuer.yaml index 874637846..9789b56aa 100644 --- a/cli/internal/helm/charts/csi-snapshotter/snapshot-controller/templates/selfsigned-issuer.yaml +++ b/cli/internal/helm/charts/csi-snapshotter/snapshot-controller/templates/selfsigned-issuer.yaml @@ -1,7 +1,7 @@ apiVersion: cert-manager.io/v1 kind: Issuer metadata: - name: snapshot-webhook-selfsigned-issuer + name: snapshot-validation-selfsigned-issuer namespace: {{ .Release.Namespace }} spec: selfSigned: {} diff --git a/cli/internal/helm/charts/csi-snapshotter/snapshot-controller/templates/serving-cert.yaml b/cli/internal/helm/charts/csi-snapshotter/snapshot-controller/templates/serving-cert.yaml index e27bf0914..93c24cec6 100644 --- a/cli/internal/helm/charts/csi-snapshotter/snapshot-controller/templates/serving-cert.yaml 
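Review bot: The inline comment on `failurePolicy: Fail` in the new admission-configuration.yaml contradicts the value it annotates: it advises switching to Fail only after the webhook server is installed, yet the template already ships Fail. Failing closed is a sensible choice for a validating webhook, but `clientConfig` carries no `caBundle`, so CREATE and UPDATE on the three snapshot resources are rejected until the webhook Deployment is serving and cert-manager has injected the CA named by `cert-manager.io/inject-ca-from`. I would replace the comment with one that records this, e.g. `# Fail closed: snapshot objects are rejected until the webhook is up and cert-manager has injected the CA.` Quoting the templated annotation value as `"{{ .Release.Namespace }}/snapshot-validation-serving-cert"` would also match the quoting used for the other strings in this file.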
+++ b/cli/internal/helm/charts/csi-snapshotter/snapshot-controller/templates/serving-cert.yaml @@ -1,7 +1,7 @@ apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: snapshot-webhook-serving-cert + name: snapshot-validation-serving-cert namespace: {{ .Release.Namespace }} spec: dnsNames: @@ -9,5 +9,5 @@ spec: - 'snapshot-validation-service.{{ .Release.Namespace }}.svc.{{ .Values.kubernetesClusterDomain }}' issuerRef: kind: Issuer - name: snapshot-webhook-selfsigned-issuer - secretName: webhook-server-cert + name: snapshot-validation-selfsigned-issuer + secretName: snapshot-validation-serving-cert diff --git a/cli/internal/helm/charts/csi-snapshotter/snapshot-controller/templates/snapshot-webhook.yaml b/cli/internal/helm/charts/csi-snapshotter/snapshot-controller/templates/snapshot-webhook.yaml index 69ee1be40..861f284d7 100644 --- a/cli/internal/helm/charts/csi-snapshotter/snapshot-controller/templates/snapshot-webhook.yaml +++ b/cli/internal/helm/charts/csi-snapshotter/snapshot-controller/templates/snapshot-webhook.yaml @@ -42,7 +42,7 @@ spec: volumes: - name: snapshot-validation-webhook-certs secret: - secretName: webhook-server-cert + secretName: snapshot-validation-serving-cert --- apiVersion: v1 kind: Service
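Review bot: Renaming `secretName` from `webhook-server-cert` to `snapshot-validation-serving-cert` in serving-cert.yaml (and in the volume in snapshot-webhook.yaml) makes cert-manager issue a fresh key pair into the new Secret on upgrade, but nothing visible here removes the old one. With cert-manager's default settings a Secret is not garbage-collected when its Certificate goes away, so clusters upgraded from an earlier chart version would presumably keep a stale `webhook-server-cert` holding an unused private key. A line in the upgrade notes telling operators to delete that Secret would cover it. The Certificate spec continues outside these hunks.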