istio.io/istio@v0.0.0-20240520182934-d79c90f27776/manifests/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml

istio.io/istio@v0.0.0-20240520182934-d79c90f27776/manifests/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml (about)

     1  {{- if .Values.global.configCluster }}
     2  {{- if .Values.global.configValidation }}
     3  apiVersion: admissionregistration.k8s.io/v1
     4  kind: ValidatingWebhookConfiguration
     5  metadata:
     6    name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
     7    labels:
     8      app: istiod
     9      release: {{ .Release.Name }}
    10      istio: istiod
    11      istio.io/rev: {{ .Values.revision | default "default" | quote }}
    12  webhooks:
    13    # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
    14    # are rejecting invalid configs on a per-revision basis.
    15    - name: rev.validation.istio.io
    16      clientConfig:
    17        # Should change from base but cannot for API compat
    18        {{- if .Values.base.validationURL }}
    19        url: {{ .Values.base.validationURL }}
    20        {{- else }}
    21        service:
    22          name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
    23          namespace: {{ .Values.global.istioNamespace }}
    24          path: "/validate"
    25        {{- end }}
    26        {{- if .Values.base.validationCABundle }}
    27        caBundle: "{{ .Values.base.validationCABundle }}"
    28        {{- end }}
    29      rules:
    30        - operations:
    31            - CREATE
    32            - UPDATE
    33          apiGroups:
    34            - security.istio.io
    35            - networking.istio.io
    36            - telemetry.istio.io
    37            - extensions.istio.io
    38          apiVersions:
    39            - "*"
    40          resources:
    41            - "*"
    42      {{- if .Values.base.validationCABundle }}
    43      # Disable webhook controller in Pilot to stop patching it
    44      failurePolicy: Fail
    45      {{- else }}
    46      # Fail open until the validation webhook is ready. The webhook controller
    47      # will update this to `Fail` and patch in the `caBundle` when the webhook
    48      # endpoint is ready.
    49      failurePolicy: Ignore
    50      {{- end }}
    51      sideEffects: None
    52      admissionReviewVersions: ["v1beta1", "v1"]
    53      objectSelector:
    54        matchExpressions:
    55          - key: istio.io/rev
    56            operator: In
    57            values:
    58            {{- if (eq .Values.revision "") }}
    59            - "default"
    60            {{- else }}
    61            - "{{ .Values.revision }}"
    62            {{- end }}
    63  ---
    64  {{- end }}
    65  {{- end }}