istio.io/istio@v0.0.0-20240520182934-d79c90f27776/manifests/charts/istiod-remote/templates/default.yaml (about) 1 {{- if .Values.global.configCluster }} 2 {{- if not (eq .Values.defaultRevision "") }} 3 apiVersion: admissionregistration.k8s.io/v1 4 kind: ValidatingWebhookConfiguration 5 metadata: 6 name: istiod-default-validator 7 labels: 8 app: istiod 9 release: {{ .Release.Name }} 10 istio: istiod 11 istio.io/rev: {{ .Values.defaultRevision | quote }} 12 webhooks: 13 - name: validation.istio.io 14 clientConfig: 15 {{- if .Values.base.validationURL }} 16 url: {{ .Values.base.validationURL }} 17 {{- else }} 18 service: 19 {{- if (eq .Values.defaultRevision "default") }} 20 name: istiod 21 {{- else }} 22 name: istiod-{{ .Values.defaultRevision }} 23 {{- end }} 24 namespace: {{ .Values.global.istioNamespace }} 25 path: "/validate" 26 {{- end }} 27 {{- if .Values.base.validationCABundle }} 28 caBundle: "{{ .Values.base.validationCABundle }}" 29 {{- end }} 30 rules: 31 - operations: 32 - CREATE 33 - UPDATE 34 apiGroups: 35 - security.istio.io 36 - networking.istio.io 37 - telemetry.istio.io 38 - extensions.istio.io 39 apiVersions: 40 - "*" 41 resources: 42 - "*" 43 44 {{- if .Values.base.validationCABundle }} 45 # Disable webhook controller in Pilot to stop patching it 46 failurePolicy: Fail 47 {{- else }} 48 # Fail open until the validation webhook is ready. The webhook controller 49 # will update this to `Fail` and patch in the `caBundle` when the webhook 50 # endpoint is ready. 51 failurePolicy: Ignore 52 {{- end }} 53 sideEffects: None 54 admissionReviewVersions: ["v1beta1", "v1"] 55 {{- end }} 56 {{- end }}