# Source: github.com/verrazzano/verrazzano@v1.7.0/platform-operator/thirdparty/charts/cert-manager/templates/webhook-validating-webhook.yaml
#
# Helm template for the cert-manager ValidatingWebhookConfiguration.
# It registers one admission webhook that receives CREATE and UPDATE requests
# for every resource in the cert-manager.io and acme.cert-manager.io groups.
# The webhook fails closed (failurePolicy: Fail).
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  # NOTE(review): templated scalars here and below are emitted unquoted, so
  # the rendered YAML type depends on the helper output; confirm the helpers
  # can only yield plain name strings.
  name: {{ include "webhook.fullname" . }}
  labels:
    app: {{ include "webhook.name" . }}
    app.kubernetes.io/name: {{ include "webhook.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "webhook"
    {{- include "labels" . | nindent 4 }}
  annotations:
    # Value renders as "<cert-manager namespace>/<webhook fullname>-ca".
    # No caBundle is set under clientConfig in this template; cert-manager's
    # cainjector is expected to fill it in from the Secret named here, so
    # write access to that Secret determines which CA the API server trusts
    # for this webhook.
    cert-manager.io/inject-ca-from-secret: {{ printf "%s/%s-ca" (include "cert-manager.namespace" .) (include "webhook.fullname" .) | quote}}
    # Extra annotations supplied by the chart user are merged in verbatim.
    {{- with .Values.webhook.validatingWebhookConfigurationAnnotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
webhooks:
  - name: webhook.cert-manager.io
    # Namespaces opted out of validation. NotIn also matches namespaces that
    # do not carry the label at all, so unlabelled namespaces ARE validated.
    # Both exclusions are label-driven: any principal allowed to label a
    # namespace can remove it from validation, so restrict and audit
    # namespace label changes.
    namespaceSelector:
      matchExpressions:
        - key: "cert-manager.io/disable-validation"
          operator: "NotIn"
          values:
            - "true"
        # Excludes the cert-manager namespace itself, but only if that
        # namespace carries a "name" label equal to its own name. Kubernetes
        # does not set a "name" label automatically (it sets
        # kubernetes.io/metadata.name), so this exclusion depends on whoever
        # creates the namespace applying the label.
        - key: "name"
          operator: "NotIn"
          values:
            - {{ include "cert-manager.namespace" . }}
    rules:
      - apiGroups:
          - "cert-manager.io"
          - "acme.cert-manager.io"
        apiVersions:
          - "v1"
        operations:
          - CREATE
          - UPDATE
        # "*/*" covers every resource and every subresource in the groups
        # above. DELETE and CONNECT are not intercepted.
        resources:
          - "*/*"
    admissionReviewVersions: ["v1"]
    # This webhook only accepts v1 cert-manager resources.
    # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
    # this webhook (after the resources have been converted to v1).
    matchPolicy: Equivalent
    # Taken from chart values without a default or bounds check in this
    # template; Kubernetes accepts 1-30 seconds for this field.
    timeoutSeconds: {{ .Values.webhook.timeoutSeconds }}
    # Fail closed: if the webhook is unreachable, errors or times out, the
    # matching CREATE/UPDATE request is rejected rather than admitted
    # unvalidated. Webhook availability therefore gates all writes to
    # cert-manager resources in the selected namespaces.
    failurePolicy: Fail
    # Declares that calling the webhook has no side effects.
    sideEffects: None
    # Two mutually exclusive targets: an explicit HTTPS URL when
    # webhook.url.host is set, otherwise the in-cluster webhook Service.
    # NOTE(review): the host value is interpolated as-is into the URL, and
    # with the url form the API server sends admission requests to whatever
    # host the values name; treat webhook.url.host as a trusted,
    # operator-only setting.
    clientConfig:
      {{- if .Values.webhook.url.host }}
      url: https://{{ .Values.webhook.url.host }}/validate
      {{- else }}
      service:
        name: {{ template "webhook.fullname" . }}
        namespace: {{ include "cert-manager.namespace" . }}
        path: /validate
      {{- end }}