kubevela/charts/vela-core/templates/admission-webhooks/validatingWebhookConfiguration.yaml

{{- if .Values.admissionWebhooks.enabled -}}
{{- /* Preserve existing caBundle on upgrade to avoid breaking admission if hooks fail. */}}
{{- $vName := printf "%s-admission" (include "kubevela.fullname" .) -}}
{{- $existing := (lookup "admissionregistration.k8s.io/v1" "ValidatingWebhookConfiguration" "" $vName) -}}
{{- $vals := dict "traits" "" "apps" "" "comps" "" "policies" "" -}}
{{- if $existing -}}
{{- range $existing.webhooks -}}
{{- if eq .name "validating.core.oam.dev.v1beta1.traitdefinitions" -}}{{- $_ := set $vals "traits" .clientConfig.caBundle -}}{{- end -}}
{{- if eq .name "validating.core.oam.dev.v1beta1.applications" -}}{{- $_ := set $vals "apps" .clientConfig.caBundle -}}{{- end -}}
{{- if eq .name "validating.core.oam-dev.v1beta1.componentdefinitions" -}}{{- $_ := set $vals "comps" .clientConfig.caBundle -}}{{- end -}}
{{- if eq .name "validating.core.oam-dev.v1beta1.policydefinitions" -}}{{- $_ := set $vals "policies" .clientConfig.caBundle -}}{{- end -}}
{{- end -}}
{{- end -}}
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: {{ template "kubevela.fullname" . }}-admission
  namespace: {{ .Release.Namespace }}
  {{- if .Values.admissionWebhooks.certManager.enabled }}
  annotations:
    cert-manager.io/inject-ca-from: {{ printf "%s/%s-root-cert" .Release.Namespace (include "kubevela.fullname" .) | quote }}
  {{- end }}
webhooks:
  - clientConfig:
      caBundle: {{ default "Cg==" (get $vals "traits") }}
      service:
        name: {{ template "kubevela.name" . }}-webhook
        namespace: {{ .Release.Namespace }}
        path: /validating-core-oam-dev-v1beta1-traitdefinitions
    {{- if .Values.admissionWebhooks.patch.enabled  }}
    failurePolicy: Ignore
    {{- else }}
    failurePolicy: {{ .Values.admissionWebhooks.failurePolicy }}
    {{- end }}
    name: validating.core.oam.dev.v1beta1.traitdefinitions
    sideEffects: None
    admissionReviewVersions:
      - v1beta1
      - v1
    rules:
      - apiGroups:
          - core.oam.dev
        apiVersions:
          - v1beta1
        operations:
          - CREATE
          - UPDATE
        resources:
          - traitdefinitions
    timeoutSeconds: 5
  - clientConfig:
      caBundle: {{ default "Cg==" (get $vals "apps") }}
      service:
        name: {{ template "kubevela.name" . }}-webhook
        namespace: {{ .Release.Namespace }}
        path: /validating-core-oam-dev-v1beta1-applications
    {{- if .Values.admissionWebhooks.patch.enabled  }}
    failurePolicy: Ignore
    {{- else }}
    failurePolicy: {{ .Values.admissionWebhooks.failurePolicy }}
    {{- end }}
    name: validating.core.oam.dev.v1beta1.applications
    admissionReviewVersions:
      - v1beta1
      - v1
    sideEffects: None
    rules:
      - apiGroups:
          - core.oam.dev
        apiVersions:
          - v1beta1
        operations:
          - CREATE
          - UPDATE
        resources:
          - applications
  - clientConfig:
      caBundle: {{ default "Cg==" (get $vals "comps") }}
      service:
        name: {{ template "kubevela.name" . }}-webhook
        namespace: {{ .Release.Namespace }}
        path: /validating-core-oam-dev-v1beta1-componentdefinitions
    {{- if .Values.admissionWebhooks.patch.enabled  }}
    failurePolicy: Ignore
    {{- else }}
    failurePolicy: Fail
    {{- end }}
    name: validating.core.oam-dev.v1beta1.componentdefinitions
    sideEffects: None
    admissionReviewVersions:
      - v1beta1
      - v1
    rules:
      - apiGroups:
          - core.oam.dev
        apiVersions:
          - v1beta1
        operations:
          - CREATE
          - UPDATE
        resources:
          - componentdefinitions
  - clientConfig:
      caBundle: {{ default "Cg==" (get $vals "policies") }}
      service:
        name: {{ template "kubevela.name" . }}-webhook
        namespace: {{ .Release.Namespace }}
        path: /validating-core-oam-dev-v1beta1-policydefinitions
    {{- if .Values.admissionWebhooks.patch.enabled  }}
    failurePolicy: Ignore
    {{- else }}
    failurePolicy: Fail
    {{- end }}
    name: validating.core.oam-dev.v1beta1.policydefinitions
    sideEffects: None
    admissionReviewVersions:
      - v1beta1
      - v1
    rules:
      - apiGroups:
          - core.oam.dev
        apiVersions:
          - v1beta1
        operations:
          - CREATE
          - UPDATE
        resources:
          - policydefinitions
  - clientConfig:
      caBundle: Cg==
      service:
        name: {{ template "kubevela.name" . }}-webhook
        namespace: {{ .Release.Namespace }}
        path: /validating-core-oam-dev-v1beta1-workflowstepdefinitions
    {{- if .Values.admissionWebhooks.patch.enabled  }}
    failurePolicy: Ignore
    {{- else }}
    failurePolicy: Fail
    {{- end }}
    name: validating.core.oam-dev.v1beta1.workflowstepdefinitions
    sideEffects: None
    admissionReviewVersions:
      - v1beta1
      - v1
    rules:
      - apiGroups:
          - core.oam.dev
        apiVersions:
          - v1beta1
        operations:
          - CREATE
          - UPDATE
        resources:
          - workflowstepdefinitions
{{- end -}}