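{{- /* Core defines the common configuration used by all webhook segments */}}
{{/* Copy just what we need to avoid expensive deepCopy */}}
{{- /* $whv holds the per-release values every webhook entry needs; each "core" invocation below
     receives its own copy of this dict with a distinct "Prefix". */}}
{{- $whv := dict
  "revision" .Values.revision
  "injectionPath" .Values.istiodRemote.injectionPath
  "injectionURL" .Values.istiodRemote.injectionURL
  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
  "caBundle" .Values.istiodRemote.injectionCABundle
  "namespace" .Release.Namespace }}
{{- define "core" }}
{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
a unique prefix to each. */}}
- name: {{.Prefix}}sidecar-injector.istio.io
  clientConfig:
    {{- /* The API server reaches the injector either through an external URL (remote istiod) or the
         in-cluster istiod service of this revision, never both. */}}
    {{- if .injectionURL }}
    url: "{{ .injectionURL }}"
    {{- else }}
    service:
      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
      namespace: {{ .namespace }}
      path: "{{ .injectionPath }}"
      port: 443
    {{- end }}
    {{- /* CA bundle the API server uses to verify the injector's serving certificate; only emitted
         when one is configured. */}}
    {{- if .caBundle }}
    caBundle: "{{ .caBundle }}"
    {{- end }}
  sideEffects: None
  rules:
    {{- /* Only CREATE on core/v1 pods is intercepted; updates and other resources never hit the injector. */}}
    - operations: [ "CREATE" ]
      apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
  {{- /* Fail closed: if the injector cannot be reached, pod creations matched by this entry are rejected
       rather than admitted without a sidecar. */}}
  failurePolicy: Fail
  reinvocationPolicy: "{{ .reinvocationPolicy }}"
  admissionReviewVersions: ["v1beta1", "v1"]
{{- end }}
{{- /* Installed for each revision - not installed for cluster resources (cluster roles, bindings, crds) */}}
{{- if not .Values.global.operatorManageWebhooks }}
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  {{- /* MutatingWebhookConfiguration is cluster-scoped, so the name carries the revision and, outside
       istio-system, the release namespace to keep parallel installs from colliding. */}}
  {{- if eq .Release.Namespace "istio-system" }}
  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
  {{- else }}
  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
  {{- end }}
  labels:
    istio.io/rev: {{ .Values.revision | default "default" | quote }}
    {{- /* Quoted like istio.io/rev above so a numeric-looking owner name still renders as a string label
         instead of an integer the API server would reject. */}}
    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" | quote }}
    operator.istio.io/component: "Pilot"
    app: sidecar-injector
    release: {{ .Release.Name }}
webhooks:
{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
{{- /* Each entry pairs a namespaceSelector with an objectSelector; the selectors are written to be
     mutually exclusive so a given pod matches at most one entry. The legacy "istio-injection" namespace
     label takes precedence over "istio.io/rev". */}}

{{- /* Case 1: namespace selector matches, and object doesn't disable */}}
{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
  namespaceSelector:
    matchExpressions:
      - key: istio.io/rev
        operator: In
        values:
        {{- if (eq .Values.revision "") }}
        - "default"
        {{- else }}
        - "{{ .Values.revision }}"
        {{- end }}
      - key: istio-injection
        operator: DoesNotExist
  objectSelector:
    matchExpressions:
      - key: sidecar.istio.io/inject
        operator: NotIn
        values:
        - "false"

{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}}
{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
  namespaceSelector:
    matchExpressions:
      - key: istio.io/rev
        operator: DoesNotExist
      - key: istio-injection
        operator: DoesNotExist
  objectSelector:
    matchExpressions:
      - key: sidecar.istio.io/inject
        operator: NotIn
        values:
        - "false"
      - key: istio.io/rev
        operator: In
        values:
        {{- if (eq .Values.revision "") }}
        - "default"
        {{- else }}
        - "{{ .Values.revision }}"
        {{- end }}


{{- /* Webhooks for default revision */}}
{{- if (eq .Values.revision "") }}

{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
  namespaceSelector:
    matchExpressions:
      - key: istio-injection
        operator: In
        values:
        - enabled
  objectSelector:
    matchExpressions:
      - key: sidecar.istio.io/inject
        operator: NotIn
        values:
        - "false"

{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
  namespaceSelector:
    matchExpressions:
      - key: istio-injection
        operator: DoesNotExist
      - key: istio.io/rev
        operator: DoesNotExist
  objectSelector:
    matchExpressions:
      - key: sidecar.istio.io/inject
        operator: In
        values:
        - "true"
      - key: istio.io/rev
        operator: DoesNotExist

{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
{{- /* Special case 3: no labels at all */}}
{{- /* Opt-out mode: every namespace without an injection label is matched, except the system namespaces
     listed below. Combined with failurePolicy Fail in "core", this makes the injector a hard dependency
     for pod creation cluster-wide; the exclusion list is what keeps the control-plane namespaces
     schedulable while the injector is unavailable. */}}
{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
  namespaceSelector:
    matchExpressions:
      - key: istio-injection
        operator: DoesNotExist
      - key: istio.io/rev
        operator: DoesNotExist
      - key: "kubernetes.io/metadata.name"
        operator: NotIn
        values: ["kube-system", "kube-public", "kube-node-lease", "local-path-storage"]
  objectSelector:
    matchExpressions:
      - key: sidecar.istio.io/inject
        operator: DoesNotExist
      - key: istio.io/rev
        operator: DoesNotExist
{{- end }}

{{- end }}
{{- end }}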