chart: ingress-nginx update version
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
index fd762f9..f9ec709 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@@ -9,6 +9,9 @@
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: admission-webhook
+ {{- with .Values.controller.admissionWebhooks.patch.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
rules:
- apiGroups:
- admissionregistration.k8s.io
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
index 4990fb1..8719532 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
@@ -1,14 +1,17 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
- name: {{ include "ingress-nginx.fullname" . }}-admission
+ name: {{ include "ingress-nginx.fullname" . }}-admission
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: admission-webhook
+ {{- with .Values.controller.admissionWebhooks.patch.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
index 1f58bdc..d93433e 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
apiVersion: batch/v1
kind: Job
metadata:
@@ -7,9 +7,15 @@
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ {{- with .Values.controller.admissionWebhooks.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: admission-webhook
+ {{- with .Values.controller.admissionWebhooks.patch.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
spec:
{{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
# Alpha feature since k8s 1.12
@@ -24,6 +30,9 @@
labels:
{{- include "ingress-nginx.labels" . | nindent 8 }}
app.kubernetes.io/component: admission-webhook
+ {{- with .Values.controller.admissionWebhooks.patch.labels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
spec:
{{- if .Values.controller.admissionWebhooks.patch.priorityClassName }}
priorityClassName: {{ .Values.controller.admissionWebhooks.patch.priorityClassName }}
@@ -47,6 +56,12 @@
valueFrom:
fieldRef:
fieldPath: metadata.namespace
+ {{- if .Values.controller.admissionWebhooks.extraEnvs }}
+ {{- toYaml .Values.controller.admissionWebhooks.extraEnvs | nindent 12 }}
+ {{- end }}
+ {{- if .Values.controller.admissionWebhooks.createSecretJob.securityContext }}
+ securityContext: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.securityContext | nindent 12 }}
+ {{- end }}
{{- if .Values.controller.admissionWebhooks.createSecretJob.resources }}
resources: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.resources | nindent 12 }}
{{- end }}
@@ -58,7 +73,8 @@
{{- if .Values.controller.admissionWebhooks.patch.tolerations }}
tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }}
{{- end }}
+ {{- if .Values.controller.admissionWebhooks.patch.securityContext }}
securityContext:
- runAsNonRoot: true
- runAsUser: {{ .Values.controller.admissionWebhooks.patch.runAsUser }}
+ {{- toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }}
+ {{- end }}
{{- end }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
index 6d01ad2..0fa3ff9 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
apiVersion: batch/v1
kind: Job
metadata:
@@ -7,9 +7,15 @@
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ {{- with .Values.controller.admissionWebhooks.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: admission-webhook
+ {{- with .Values.controller.admissionWebhooks.patch.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
spec:
{{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
# Alpha feature since k8s 1.12
@@ -24,6 +30,9 @@
labels:
{{- include "ingress-nginx.labels" . | nindent 8 }}
app.kubernetes.io/component: admission-webhook
+ {{- with .Values.controller.admissionWebhooks.patch.labels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
spec:
{{- if .Values.controller.admissionWebhooks.patch.priorityClassName }}
priorityClassName: {{ .Values.controller.admissionWebhooks.patch.priorityClassName }}
@@ -49,6 +58,12 @@
valueFrom:
fieldRef:
fieldPath: metadata.namespace
+ {{- if .Values.controller.admissionWebhooks.extraEnvs }}
+ {{- toYaml .Values.controller.admissionWebhooks.extraEnvs | nindent 12 }}
+ {{- end }}
+ {{- if .Values.controller.admissionWebhooks.patchWebhookJob.securityContext }}
+ securityContext: {{ toYaml .Values.controller.admissionWebhooks.patchWebhookJob.securityContext | nindent 12 }}
+ {{- end }}
{{- if .Values.controller.admissionWebhooks.patchWebhookJob.resources }}
resources: {{ toYaml .Values.controller.admissionWebhooks.patchWebhookJob.resources | nindent 12 }}
{{- end }}
@@ -60,7 +75,8 @@
{{- if .Values.controller.admissionWebhooks.patch.tolerations }}
tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }}
{{- end }}
+ {{- if .Values.controller.admissionWebhooks.patch.securityContext }}
securityContext:
- runAsNonRoot: true
- runAsUser: {{ .Values.controller.admissionWebhooks.patch.runAsUser }}
+ {{- toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }}
+ {{- end }}
{{- end }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/networkpolicy.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/networkpolicy.yaml
new file mode 100644
index 0000000..08b3225
--- /dev/null
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/networkpolicy.yaml
@@ -0,0 +1,26 @@
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.networkPolicyEnabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "ingress-nginx.fullname" . }}-admission
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: admission-webhook
+ {{- with .Values.controller.admissionWebhooks.patch.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "ingress-nginx.labels" . | nindent 6 }}
+ app.kubernetes.io/component: admission-webhook
+ policyTypes:
+ - Ingress
+ - Egress
+ egress:
+ - {}
+{{- end }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml
index d2c7de6..e19c955 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml
@@ -1,3 +1,4 @@
+{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.podSecurityPolicy.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
@@ -9,6 +10,9 @@
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: admission-webhook
+ {{- with .Values.controller.admissionWebhooks.patch.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
spec:
allowPrivilegeEscalation: false
fsGroup:
@@ -34,3 +38,4 @@
- secret
- downwardAPI
{{- end }}
+{{- end }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
index 9b083ee..ea7c208 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
@@ -1,8 +1,8 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
- name: {{ include "ingress-nginx.fullname" . }}-admission
+ name: {{ include "ingress-nginx.fullname" . }}-admission
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
@@ -10,6 +10,9 @@
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: admission-webhook
+ {{- with .Values.controller.admissionWebhooks.patch.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
rules:
- apiGroups:
- ""
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
index edda07f..60c3f4f 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
@@ -10,6 +10,9 @@
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: admission-webhook
+ {{- with .Values.controller.admissionWebhooks.patch.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
index 1ff0f7f..00be54e 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
apiVersion: v1
kind: ServiceAccount
metadata:
@@ -10,4 +10,7 @@
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: admission-webhook
+ {{- with .Values.controller.admissionWebhooks.patch.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
{{- end }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
index 712f74f..f27244d 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
@@ -4,12 +4,20 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
+ annotations:
+ {{- if .Values.controller.admissionWebhooks.certManager.enabled }}
+ certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s-admission" .Release.Namespace (include "ingress-nginx.fullname" .) | quote }}
+ cert-manager.io/inject-ca-from: {{ printf "%s/%s-admission" .Release.Namespace (include "ingress-nginx.fullname" .) | quote }}
+ {{- end }}
{{- if .Values.controller.admissionWebhooks.annotations }}
- annotations: {{ toYaml .Values.controller.admissionWebhooks.annotations | nindent 4 }}
+ {{- toYaml .Values.controller.admissionWebhooks.annotations | nindent 4 }}
{{- end }}
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: admission-webhook
+ {{- with .Values.controller.admissionWebhooks.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
name: {{ include "ingress-nginx.fullname" . }}-admission
webhooks:
- name: validate.nginx.ingress.kubernetes.io