54 lines
1.7 KiB
YAML
54 lines
1.7 KiB
YAML
# Check if the TLS secret already exists and initialize variables for later use at the top level
|
|
{{- $secret := lookup "v1" "Secret" .Release.Namespace .Values.tls.secretName }}
|
|
{{ $ca := "" }}
|
|
{{ $key := "" }}
|
|
{{ $crt := "" }}
|
|
---
|
|
{{- if (eq .Values.tls.source "generate") }}
|
|
{{- if and $secret (not .Values.tls.renew) }}
|
|
{{- $ca = get $secret.data "ca.crt" }}
|
|
{{- $key = get $secret.data "tls.key" }}
|
|
{{- $crt = get $secret.data "tls.crt" }}
|
|
{{- else }}
|
|
{{- $serviceName := (printf "%s.%s.svc" "csi-snapshot-webhook" .Release.Namespace)}}
|
|
{{- $cert := genSelfSignedCert $serviceName nil (list $serviceName) 3650 }}
|
|
{{- $ca = b64enc $cert.Cert }}
|
|
{{- $key = b64enc $cert.Key }}
|
|
{{- $crt = b64enc $cert.Cert }}
|
|
{{- end }}
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: {{ .Values.tls.secretName }}
|
|
namespace: {{ .Release.Namespace }}
|
|
type: kubernetes.io/tls
|
|
data:
|
|
ca.crt: {{ $ca }}
|
|
tls.key: {{ $key }}
|
|
tls.crt: {{ $crt }}
|
|
---
|
|
{{- end }}
|
|
apiVersion: admissionregistration.k8s.io/v1
|
|
kind: ValidatingWebhookConfiguration
|
|
metadata:
|
|
name: "validation-webhook.snapshot.storage.k8s.io"
|
|
namespace: {{ .Release.Namespace }}
|
|
webhooks:
|
|
- name: "validation-webhook.snapshot.storage.k8s.io"
|
|
rules:
|
|
- apiGroups: ["snapshot.storage.k8s.io"]
|
|
apiVersions: ["v1", "v1beta1"]
|
|
operations: ["CREATE", "UPDATE"]
|
|
resources: ["volumesnapshots", "volumesnapshotcontents"]
|
|
scope: "*"
|
|
clientConfig:
|
|
service:
|
|
namespace: {{ .Release.Namespace }}
|
|
name: "csi-snapshot-webhook"
|
|
path: "/volumesnapshot"
|
|
caBundle: {{ $ca }}
|
|
admissionReviewVersions: ["v1", "v1beta1"]
|
|
sideEffects: None
|
|
failurePolicy: {{ .Values.validationWebHook.failurePolicy }}
|
|
timeoutSeconds: {{ .Values.validationWebHook.timeout }}
|