istio.io/istio@v0.0.0-20240520182934-d79c90f27776/manifests/charts/istio-control/istio-discovery/templates/validatingwebhookconfiguration.yaml (about)

     1  {{- if .Values.global.configValidation }}
        # ValidatingWebhookConfiguration for Istio config validation, one object per revision.
        # The whole document is rendered only when global.configValidation is truthy.
     2  apiVersion: admissionregistration.k8s.io/v1
     3  kind: ValidatingWebhookConfiguration
     4  metadata:
          # Object name: "istio-validator", then "-<revision>" when revision is non-empty,
          # then "-<istioNamespace>".
     5    name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
     6    labels:
     7      app: istiod
     8      release: {{ .Release.Name }}
     9      istio: istiod
    10      istio.io/rev: {{ .Values.revision | default "default" | quote }}
    11  webhooks:
    12    # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
    13    # are rejecting invalid configs on a per-revision basis.
    14    - name: rev.validation.istio.io
    15      clientConfig:
              # Endpoint selection: base.validationURL is used verbatim when set; otherwise the
              # API server calls the in-cluster istiod service (name suffixed with the revision
              # when non-empty) in global.istioNamespace at path /validate.
    16        # Should change from base but cannot for API compat
    17        {{- if .Values.base.validationURL }}
    18        url: {{ .Values.base.validationURL }}
    19        {{- else }}
    20        service:
    21          name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
    22          namespace: {{ .Values.global.istioNamespace }}
    23          path: "/validate"
    24        {{- end }}
              # caBundle is emitted only when base.validationCABundle is set. Kubernetes falls
              # back to the API server's system trust roots when caBundle is unspecified.
              # NOTE(review): if validationURL is set without validationCABundle, confirm that
              # this fallback (or a later patch of caBundle) is what the deployment intends.
    25        {{- if .Values.base.validationCABundle }}
    26        caBundle: "{{ .Values.base.validationCABundle }}"
    27        {{- end }}
            # Scope: CREATE and UPDATE of every resource and version in the four Istio API
            # groups listed below. Other operations (e.g. DELETE) are not sent to the webhook.
    28      rules:
    29        - operations:
    30            - CREATE
    31            - UPDATE
    32          apiGroups:
    33            - security.istio.io
    34            - networking.istio.io
    35            - telemetry.istio.io
    36            - extensions.istio.io
    37          apiVersions:
    38            - "*"
    39          resources:
    40            - "*"
    41      {{- if .Values.base.validationCABundle }}
            # A CA bundle was supplied through values, so the webhook is rendered fail-closed
            # from the start: requests are rejected when the webhook cannot be reached.
    42      # Disable webhook controller in Pilot to stop patching it
    43      failurePolicy: Fail
    44      {{- else }}
    45      # Fail open until the validation webhook is ready. The webhook controller
    46      # will update this to `Fail` and patch in the `caBundle` when the webhook
    47      # endpoint is ready.
            # While the policy is Ignore, a webhook call that errors or times out is treated as
            # allowed, so matching objects are admitted without validation. NOTE(review): the
            # switch to Fail happens outside this template; verify failurePolicy on the live
            # object rather than assuming it from the chart.
    48      failurePolicy: Ignore
    49      {{- end }}
            # sideEffects None declares that calling the webhook changes nothing out of band.
    50      sideEffects: None
            # AdmissionReview versions the webhook accepts; the API server uses the first
            # listed version that it supports.
    51      admissionReviewVersions: ["v1beta1", "v1"]
            # Only objects labelled istio.io/rev with this revision ("default" when revision is
            # empty) are sent to this webhook. Objects without that label do not match the
            # selector and are not validated here. NOTE(review): presumably another webhook
            # covers unlabelled objects; confirm.
    52      objectSelector:
    53        matchExpressions:
    54          - key: istio.io/rev
    55            operator: In
    56            values:
    57            {{- if (eq .Values.revision "") }}
    58            - "default"
    59            {{- else }}
    60            - "{{ .Values.revision }}"
    61            {{- end }}
    62  ---
    63  {{- end }}