Merge pull request #101 from sagikazarmark/fix-kube-secrets-init

Fix mutating webhook config template
sagikazarmark · Jun 20, 2021 · 0eb173c · 0eb173c
2 parents 9ae9c3d + 1f6a54d
commit 0eb173c
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 25 deletions.
diff --git a/charts/kube-secrets-init/Chart.yaml b/charts/kube-secrets-init/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 type: application
 name: kube-secrets-init
-version: 0.8.0
+version: 0.8.1
 appVersion: 0.4.0
 kubeVersion: ">=1.16.0-0"
 description: kube-secrets-init is a Kubernetes mutating admission webhook, that mutates any Pod that is using specially prefixed environment variables, directly or from Kubernetes as Secret or ConfigMap.
@@ -14,22 +14,8 @@ maintainers:
     url: https://sagikazarmark.hu
 annotations:
   artifacthub.io/changes: |
-    - kind: changed
-      description: Removed redundant objectSelector default
-    - kind: added
-      description: Mutating webhook failure policy configuration
-    - kind: added
-      description: Label matching to objectSelector
-    - kind: added
-      description: Mutating webhook timeout configuration
     - kind: fixed
-      description: Default mutating webhook object selector key
-    - kind: added
-      description: Secondary object selector to mutating webhook
-    - kind: changed
-      description: Removed unused autoscaling configuration
-    - kind: added
-      description: Operations guide
+      description: Mutating webhook config template
   artifacthub.io/images: |
     - name: kube-secrets-init
       image: ghcr.io/doitintl/kube-secrets-init:0.4.0

diff --git a/charts/kube-secrets-init/README.md b/charts/kube-secrets-init/README.md
@@ -1,6 +1,6 @@
 # kube-secrets-init
 
-![version: 0.8.0](https://img.shields.io/badge/version-0.8.0-informational?style=flat-square) ![type: application](https://img.shields.io/badge/type-application-informational?style=flat-square) ![app version: 0.4.0](https://img.shields.io/badge/app%20version-0.4.0-informational?style=flat-square) ![kube version: >=1.16.0-0](https://img.shields.io/badge/kube%20version->=1.16.0--0-informational?style=flat-square) [![artifact hub](https://img.shields.io/badge/artifact%20hub-kube--secrets--init-informational?style=flat-square)](https://artifacthub.io/packages/helm/sagikazarmark/kube-secrets-init)
+![version: 0.8.1](https://img.shields.io/badge/version-0.8.1-informational?style=flat-square) ![type: application](https://img.shields.io/badge/type-application-informational?style=flat-square) ![app version: 0.4.0](https://img.shields.io/badge/app%20version-0.4.0-informational?style=flat-square) ![kube version: >=1.16.0-0](https://img.shields.io/badge/kube%20version->=1.16.0--0-informational?style=flat-square) [![artifact hub](https://img.shields.io/badge/artifact%20hub-kube--secrets--init-informational?style=flat-square)](https://artifacthub.io/packages/helm/sagikazarmark/kube-secrets-init)
 
 kube-secrets-init is a Kubernetes mutating admission webhook, that mutates any Pod that is using specially prefixed environment variables, directly or from Kubernetes as Secret or ConfigMap.
 

diff --git a/charts/kube-secrets-init/ci/webhook-config-values.yaml b/charts/kube-secrets-init/ci/webhook-config-values.yaml
@@ -0,0 +1,22 @@
+provider: none
+
+failurePolicy: Ignore
+timeoutSeconds: 30
+
+namespaceSelector:
+  matchLabels:
+    "kube-secrets-init.doit-intl.com/enable-mutation": "true"
+  matchExpressions:
+    - key: name
+      operator: NotIn
+      values:
+        - kube-system
+
+objectSelector:
+  matchLabels:
+    "kube-secrets-init.doit-intl.com/enable-mutation": "true"
+  matchExpressions:
+    - key: name
+      operator: NotIn
+      values:
+        - kube-system
diff --git a/charts/kube-secrets-init/templates/mutatingwebhook.yaml b/charts/kube-secrets-init/templates/mutatingwebhook.yaml
@@ -71,12 +71,12 @@ webhooks:
     namespaceSelector:
       {{- with .Values.namespaceSelector.matchLabels }}
       matchLabels:
-        {{- toYaml . | indent 8 }}
+        {{- toYaml . | nindent 8 }}
       {{- end }}
       matchExpressions:
-      {{- with .Values.namespaceSelector.matchExpressions }}
-{{ toYaml . | indent 8 }}
-      {{- end }}
+        {{- with .Values.namespaceSelector.matchExpressions }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
         - key: kube-secrets-init.doit-intl.com/disable-mutation
           operator: NotIn
           values:
@@ -89,12 +89,12 @@ webhooks:
     objectSelector:
       {{- with .Values.objectSelector.matchLabels }}
       matchLabels:
-        {{- toYaml . | indent 8 }}
+        {{- toYaml . | nindent 8 }}
       {{- end }}
       matchExpressions:
-      {{- with .Values.objectSelector.matchExpressions }}
-{{ toYaml . | indent 8 }}
-      {{- end }}
+        {{- with .Values.objectSelector.matchExpressions }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
         - key: kube-secrets-init.doit-intl.com/mutate
           operator: NotIn
           values:

diff --git a/charts/kube-secrets-init/templates/tests/test-mutating-webhook.yaml b/charts/kube-secrets-init/templates/tests/test-mutating-webhook.yaml
@@ -10,7 +10,11 @@ spec:
   containers:
     - name: secrets-init
       image: busybox
+      {{- if .Values.namespaceSelector.matchLabels  }}
+      args: ['test', '!', '-f', '/helper/bin/secrets-init']
+      {{ else }}
       args: ['test', '-f', '/helper/bin/secrets-init']
+      {{- end }}
       env:
         # Cheating the webhook into mutating the pod
         - name: SECRET