Add missing validating webhook configuration

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

cli/internal/helm/BUILD.bazel

@@ -388,6 +388,7 @@ go_library(
         "charts/csi-snapshotter/snapshot-controller/templates/snapshot-controller.yaml",
         "charts/csi-snapshotter/snapshot-controller/templates/snapshot-webhook.yaml",
         "charts/csi-snapshotter/snapshot-controller/values.yaml",
+        "charts/csi-snapshotter/snapshot-controller/templates/admission-configuration.yaml",
     ],
     importpath = "github.com/edgelesssys/constellation/v2/cli/internal/helm",
     visibility = ["//cli:__subpackages__"],

cli/internal/helm/charts/csi-snapshotter/snapshot-controller/templates/admission-configuration.yaml

@@ -0,0 +1,23 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: "validation-webhook.snapshot.storage.k8s.io"
+  annotations:
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/snapshot-validation-serving-cert
+webhooks:
+- name: "validation-webhook.snapshot.storage.k8s.io"
+  rules:
+  - apiGroups:   ["snapshot.storage.k8s.io"]
+    apiVersions: ["v1"]
+    operations:  ["CREATE", "UPDATE"]
+    resources:   ["volumesnapshots", "volumesnapshotcontents", "volumesnapshotclasses"]
+    scope:       "*"
+  clientConfig:
+    service:
+      namespace: {{ .Release.Namespace }}
+      name: "snapshot-validation-service"
+      path: "/volumesnapshot"
+  admissionReviewVersions: ["v1"]
+  sideEffects: None
+  failurePolicy: Fail # We recommend switching to Fail only after successful installation of the webhook server and webhook.
+  timeoutSeconds: 15 # This will affect the latency and performance. Finetune this value based on your application's tolerance.

cli/internal/helm/charts/csi-snapshotter/snapshot-controller/templates/selfsigned-issuer.yaml

@@ -1,7 +1,7 @@
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
-  name: snapshot-webhook-selfsigned-issuer
+  name: snapshot-validation-selfsigned-issuer
   namespace: {{ .Release.Namespace }}
 spec:
   selfSigned: {}

cli/internal/helm/charts/csi-snapshotter/snapshot-controller/templates/serving-cert.yaml

@@ -1,7 +1,7 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: snapshot-webhook-serving-cert
+  name: snapshot-validation-serving-cert
   namespace: {{ .Release.Namespace }}
 spec:
   dnsNames:
@@ -9,5 +9,5 @@ spec:
   - 'snapshot-validation-service.{{ .Release.Namespace }}.svc.{{ .Values.kubernetesClusterDomain }}'
   issuerRef:
     kind: Issuer
-    name: snapshot-webhook-selfsigned-issuer
+    name: snapshot-validation-selfsigned-issuer
-  secretName: webhook-server-cert
+  secretName: snapshot-validation-serving-cert

cli/internal/helm/charts/csi-snapshotter/snapshot-controller/templates/snapshot-webhook.yaml

@@ -42,7 +42,7 @@ spec:
       volumes:
         - name: snapshot-validation-webhook-certs
           secret:
-            secretName: webhook-server-cert
+            secretName: snapshot-validation-serving-cert
 ---
 apiVersion: v1
 kind: Service