istio.io/istio@v0.0.0-20240520182934-d79c90f27776/manifests/charts/base/templates/default.yaml (about) 1 {{- if not (eq .Values.defaultRevision "") }} 2 apiVersion: admissionregistration.k8s.io/v1 3 kind: ValidatingWebhookConfiguration 4 metadata: 5 name: istiod-default-validator 6 labels: 7 app: istiod 8 release: {{ .Release.Name }} 9 istio: istiod 10 istio.io/rev: {{ .Values.defaultRevision | quote }} 11 webhooks: 12 - name: validation.istio.io 13 clientConfig: 14 {{- if .Values.base.validationURL }} 15 url: {{ .Values.base.validationURL }} 16 {{- else }} 17 service: 18 {{- if (eq .Values.defaultRevision "default") }} 19 name: istiod 20 {{- else }} 21 name: istiod-{{ .Values.defaultRevision }} 22 {{- end }} 23 namespace: {{ .Values.global.istioNamespace }} 24 path: "/validate" 25 {{- end }} 26 {{- if .Values.base.validationCABundle }} 27 caBundle: "{{ .Values.base.validationCABundle }}" 28 {{- end }} 29 rules: 30 - operations: 31 - CREATE 32 - UPDATE 33 apiGroups: 34 - security.istio.io 35 - networking.istio.io 36 - telemetry.istio.io 37 - extensions.istio.io 38 apiVersions: 39 - "*" 40 resources: 41 - "*" 42 43 {{- if .Values.base.validationCABundle }} 44 # Disable webhook controller in Pilot to stop patching it 45 failurePolicy: Fail 46 {{- else }} 47 # Fail open until the validation webhook is ready. The webhook controller 48 # will update this to `Fail` and patch in the `caBundle` when the webhook 49 # endpoint is ready. 50 failurePolicy: Ignore 51 {{- end }} 52 sideEffects: None 53 admissionReviewVersions: ["v1beta1", "v1"] 54 {{- end }}