github.com/k8snetworkplumbingwg/sriov-network-operator@v1.2.1-0.20240408194816-2d2e5a45d453/bindata/manifests/operator-webhook/003-webhook.yaml (about)

     1  ---
        # Go-template manifest: the double-brace actions are filled in at render time.
        # Registers a mutating admission webhook that receives CREATE and UPDATE
        # requests for sriovnetworknodepolicies (sriovnetwork.openshift.io/v1) and
        # forwards them to operator-webhook-service at /mutating-custom-resource.
     2  apiVersion: admissionregistration.k8s.io/v1
     3  kind: MutatingWebhookConfiguration
     4  metadata:
     5    name: {{.SRIOVMutatingWebhookName}}
     6    annotations:
            # The CA used to verify the webhook's serving certificate comes from one
            # of three places, chosen by the render inputs:
            #   - ClusterType "openshift": injected through the inject-cabundle
            #     annotation below.
            #   - ClusterType "kubernetes" with CertManagerEnabled: injected through
            #     the cert-manager annotation below.
            #   - ClusterType "kubernetes" without CertManagerEnabled: rendered inline
            #     as clientConfig.caBundle further down.
            # For any other ClusterType value none of these branches renders, so this
            # manifest supplies no CA at all.
     7      {{- if eq .ClusterType "openshift" }}
     8      service.beta.openshift.io/inject-cabundle: "true"
     9      {{- else if and (.CertManagerEnabled) (eq .ClusterType "kubernetes") }}
    10      # Limitation: Certificate must be named as the secret it produces to avoid overcomplicating the logic with
    11      # more variables.
            # The annotation value is built as <namespace>/<name> from .Namespace and
            # .OperatorWebhookSecretName, which is why the Certificate and its secret
            # have to share a name.
    12      cert-manager.io/inject-ca-from: {{.Namespace}}/{{.OperatorWebhookSecretName}}
    13      {{- end }}
    14  webhooks:
    15    - name: operator-webhook.sriovnetwork.openshift.io
            # Declares that the webhook makes no out-of-band changes when called.
    16      sideEffects: None
            # Listed in order of preference; the API server uses the first version it
            # supports.
    17      admissionReviewVersions: ["v1", "v1beta1"]
            # Fail closed: a request the webhook cannot answer (service unavailable,
            # TLS verification failure, timeout) is rejected instead of being admitted
            # unmutated. The cost is that a webhook outage blocks the operations
            # listed under rules.
    18      failurePolicy: Fail
            # No timeoutSeconds, namespaceSelector or objectSelector is set in this
            # entry, so the API-server defaults apply and matching requests from every
            # namespace are sent to the webhook.
    19      clientConfig:
    20        service:
    21          name: operator-webhook-service
    22          namespace: {{.Namespace}}
    23          path: "/mutating-custom-resource"
    24        {{- if and (not .CertManagerEnabled) (eq .ClusterType "kubernetes") }}
              # NOTE(review): the API expects caBundle to be a base64-encoded PEM CA
              # bundle; confirm that the renderer passes .OperatorWebhookCA already
              # encoded. This is the CA certificate only, never the private key.
    25        caBundle: "{{.OperatorWebhookCA}}"
    26        {{- end }}
    27      rules:
    28        - operations: [ "CREATE", "UPDATE" ]
    29          apiGroups: ["sriovnetwork.openshift.io"]
    30          apiVersions: ["v1"]
    31          resources: ["sriovnetworknodepolicies"]
    32  
    33  ---
        # Go-template manifest: the double-brace actions are filled in at render time.
        # Registers a validating admission webhook that receives CREATE, UPDATE and
        # DELETE requests for three sriovnetwork.openshift.io/v1 resources and
        # forwards them to operator-webhook-service at /validating-custom-resource.
    34  apiVersion: admissionregistration.k8s.io/v1
    35  kind: ValidatingWebhookConfiguration
    36  metadata:
          # NOTE(review): this validating configuration takes its name from
          # .SRIOVMutatingWebhookName. The kind differs from the mutating
          # configuration, so the two objects do not collide, but confirm the reuse
          # is intentional.
    37    name: {{.SRIOVMutatingWebhookName}}
    38    annotations:
            # CA source for verifying the webhook's serving certificate:
            #   - ClusterType "openshift": the inject-cabundle annotation below.
            #   - ClusterType "kubernetes" with CertManagerEnabled: the cert-manager
            #     annotation below.
            #   - ClusterType "kubernetes" without CertManagerEnabled: the inline
            #     clientConfig.caBundle further down.
            # For any other ClusterType value none of these branches renders, so this
            # manifest supplies no CA at all.
    39      {{- if eq .ClusterType "openshift" }}
    40      service.beta.openshift.io/inject-cabundle: "true"
    41      {{- else if and (.CertManagerEnabled) (eq .ClusterType "kubernetes") }}
    42      # Limitation: Certificate must be named as the secret it produces to avoid overcomplicating the logic with
    43      # more variables.
    44      cert-manager.io/inject-ca-from: {{.Namespace}}/{{.OperatorWebhookSecretName}}
    45      {{- end }}
    46  webhooks:
    47    - name: operator-webhook.sriovnetwork.openshift.io
            # Declares that the webhook makes no out-of-band changes when called.
    48      sideEffects: None
            # Listed in order of preference; the API server uses the first version it
            # supports.
    49      admissionReviewVersions: ["v1", "v1beta1"]
            # Fail closed: a request the webhook cannot answer is rejected rather than
            # admitted unvalidated. Because the rules below include DELETE, a webhook
            # outage also blocks deletion of the listed resources, which matters for
            # cleanup and uninstall paths.
    50      failurePolicy: Fail
            # No timeoutSeconds, namespaceSelector or objectSelector is set in this
            # entry, so the API-server defaults apply and matching requests from every
            # namespace are sent to the webhook.
    51      clientConfig:
    52        service:
    53          name: operator-webhook-service
    54          namespace: {{.Namespace}}
    55          path: "/validating-custom-resource"
    56        {{- if and (not .CertManagerEnabled) (eq .ClusterType "kubernetes") }}
              # NOTE(review): the API expects caBundle to be a base64-encoded PEM CA
              # bundle; confirm that the renderer passes .OperatorWebhookCA already
              # encoded. This is the CA certificate only, never the private key.
    57        caBundle: "{{.OperatorWebhookCA}}"
    58        {{- end }}
            # One rule per resource; all three cover the same operations, API group
            # and version.
    59      rules:
    60        - operations: [ "CREATE", "UPDATE", "DELETE" ]
    61          apiGroups: ["sriovnetwork.openshift.io"]
    62          apiVersions: ["v1"]
    63          resources: ["sriovnetworknodepolicies"]
    64        - operations: [ "CREATE", "UPDATE", "DELETE" ]
    65          apiGroups: [ "sriovnetwork.openshift.io" ]
    66          apiVersions: [ "v1" ]
    67          resources: [ "sriovoperatorconfigs" ]
    68        - operations: [ "CREATE", "UPDATE", "DELETE" ]
    69          apiGroups: [ "sriovnetwork.openshift.io" ]
    70          apiVersions: [ "v1" ]
    71          resources: [ "sriovnetworkpoolconfigs" ]