| apiVersion: admissionregistration.k8s.io/v1 |
| kind: ValidatingWebhookConfiguration |
| metadata: |
| name: {{ include "webhook.fullname" . }} |
| labels: |
| app: {{ include "webhook.name" . }} |
| app.kubernetes.io/name: {{ include "webhook.name" . }} |
| app.kubernetes.io/instance: {{ .Release.Name }} |
| app.kubernetes.io/component: "webhook" |
| {{- include "labels" . | nindent 4 }} |
| annotations: |
| cert-manager.io/inject-ca-from-secret: {{ printf "%s/%s-ca" (include "cert-manager.namespace" .) (include "webhook.fullname" .) | quote}} |
| {{- with .Values.webhook.validatingWebhookConfigurationAnnotations }} |
| {{- toYaml . | nindent 4 }} |
| {{- end }} |
| webhooks: |
| - name: webhook.cert-manager.io |
| namespaceSelector: |
| matchExpressions: |
| - key: "cert-manager.io/disable-validation" |
| operator: "NotIn" |
| values: |
| - "true" |
| - key: "name" |
| operator: "NotIn" |
| values: |
| - {{ include "cert-manager.namespace" . }} |
| rules: |
| - apiGroups: |
| - "cert-manager.io" |
| - "acme.cert-manager.io" |
| apiVersions: |
| - "v1" |
| operations: |
| - CREATE |
| - UPDATE |
| resources: |
| - "*/*" |
| admissionReviewVersions: ["v1"] |
| # This webhook only accepts v1 cert-manager resources. |
| # Equivalent matchPolicy ensures that non-v1 resource requests are sent to |
| # this webhook (after the resources have been converted to v1). |
| matchPolicy: Equivalent |
| timeoutSeconds: {{ .Values.webhook.timeoutSeconds }} |
| failurePolicy: Fail |
| sideEffects: None |
| clientConfig: |
| {{- if .Values.webhook.url.host }} |
| url: https://{{ .Values.webhook.url.host }}/validate |
| {{- else }} |
| service: |
| name: {{ template "webhook.fullname" . }} |
| namespace: {{ include "cert-manager.namespace" . }} |
| path: /validate |
| {{- end }} |