{{- if (.Values.webhooks.enabled) }} apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: labels: app: {{ include "confluent-operator.name" . }} app.kubernetes.io/name: {{ include "confluent-operator.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/component: "confluent-operator" helm.sh/chart: {{ include "confluent-operator.chart" . }} name: confluent-operator-{{ .Release.Namespace }}.webhook.platform.confluent.io webhooks: - admissionReviewVersions: - v1beta1 clientConfig: service: name: confluent-operator namespace: {{ .Release.Namespace }} path: /confluent-operator/validate port: {{ .Values.webhooks.port }} failurePolicy: Fail name: cfk-resources.webhooks.platform.confluent.io namespaceSelector: matchExpressions: - key: confluent-operator.webhooks.platform.confluent.io/disable operator: NotIn values: [ "true" ] {{- if .Values.namespaced }} - key: kubernetes.io/metadata.name operator: In values: {{- if empty .Values.namespaceList }} - {{ .Release.Namespace }} {{- else }} {{- range $i, $v := .Values.namespaceList }} - {{ trim $v }} {{- end }} {{- end }} {{- end }} objectSelector: matchExpressions: - key: confluent-operator.webhooks.platform.confluent.io/disable operator: NotIn values: [ "true" ] rules: - apiGroups: - platform.confluent.io apiVersions: - v1beta1 operations: - DELETE resources: - zookeepers - kafkas - ksqldbs - controlcenters scope: Namespaced sideEffects: None timeoutSeconds: 10 - admissionReviewVersions: - v1beta1 clientConfig: service: name: confluent-operator namespace: {{ .Release.Namespace }} path: /confluent-operator/validate port: {{ .Values.webhooks.port }} failurePolicy: Fail name: core-resources.webhooks.platform.confluent.io namespaceSelector: matchExpressions: - key: confluent-operator.webhooks.platform.confluent.io/disable operator: NotIn values: [ "true" ] {{- if .Values.namespaced }} - key: kubernetes.io/metadata.name operator: In values: {{- if empty .Values.namespaceList }} - {{ .Release.Namespace }} {{- else }} {{- range $i, $v := .Values.namespaceList }} - {{ trim $v }} {{- end }} {{- end }} {{- end }} objectSelector: matchLabels: confluent-platform: "true" rules: - apiGroups: - apps apiVersions: - v1 operations: - DELETE resources: - statefulsets scope: Namespaced sideEffects: None timeoutSeconds: 10 - admissionReviewVersions: - v1beta1 clientConfig: service: name: confluent-operator namespace: {{ .Release.Namespace }} path: /confluent-operator/validate port: {{ .Values.webhooks.port }} failurePolicy: Fail name: kafka-pods.webhooks.platform.confluent.io namespaceSelector: matchExpressions: - key: confluent-operator.webhooks.platform.confluent.io/disable operator: NotIn values: [ "true" ] {{- if .Values.namespaced }} - key: kubernetes.io/metadata.name operator: In values: {{- if empty .Values.namespaceList }} - {{ .Release.Namespace }} {{- else }} {{- range $i, $v := .Values.namespaceList }} - {{ trim $v }} {{- end }} {{- end }} {{- end }} objectSelector: matchLabels: confluent-platform: "true" platform.confluent.io/type: kafka rules: - apiGroups: - "" apiVersions: - v1 operations: - DELETE resources: - pods scope: Namespaced sideEffects: None timeoutSeconds: 30 - admissionReviewVersions: - v1beta1 clientConfig: service: name: confluent-operator namespace: {{ .Release.Namespace }} path: /confluent-operator/validate port: {{ .Values.webhooks.port }} failurePolicy: Fail name: evictions.webhooks.platform.confluent.io namespaceSelector: matchExpressions: {{- if .Values.namespaced }} - key: kubernetes.io/metadata.name operator: In values: {{- if empty .Values.namespaceList }} - {{ .Release.Namespace }} {{- else }} {{- range $i, $v := .Values.namespaceList }} - {{ trim $v }} {{- end }} {{- end }} {{- end }} rules: - apiGroups: - "" apiVersions: - v1 operations: - CREATE resources: - pods/eviction scope: Namespaced sideEffects: None timeoutSeconds: 30 {{- end }}