| Giorgi Lekveishvili | 725bb39 | 2023-05-05 18:24:27 +0400 | [diff] [blame] | 1 | {{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}} |
| 2 | apiVersion: batch/v1 |
| 3 | kind: Job |
| 4 | metadata: |
| 5 | name: {{ include "ingress-nginx.fullname" . }}-admission-patch |
| 6 | namespace: {{ .Release.Namespace }} |
| 7 | annotations: |
| 8 | "helm.sh/hook": post-install,post-upgrade |
| 9 | "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded |
| 10 | labels: |
| 11 | {{- include "ingress-nginx.labels" . | nindent 4 }} |
| 12 | app.kubernetes.io/component: admission-webhook |
| 13 | spec: |
| 14 | {{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }} |
| 15 | # Alpha feature since k8s 1.12 |
| 16 | ttlSecondsAfterFinished: 0 |
| 17 | {{- end }} |
| 18 | template: |
| 19 | metadata: |
| 20 | name: {{ include "ingress-nginx.fullname" . }}-admission-patch |
| 21 | {{- if .Values.controller.admissionWebhooks.patch.podAnnotations }} |
| 22 | annotations: {{ toYaml .Values.controller.admissionWebhooks.patch.podAnnotations | nindent 8 }} |
| 23 | {{- end }} |
| 24 | labels: |
| 25 | {{- include "ingress-nginx.labels" . | nindent 8 }} |
| 26 | app.kubernetes.io/component: admission-webhook |
| 27 | spec: |
| 28 | {{- if .Values.controller.admissionWebhooks.patch.priorityClassName }} |
| 29 | priorityClassName: {{ .Values.controller.admissionWebhooks.patch.priorityClassName }} |
| 30 | {{- end }} |
| 31 | {{- if .Values.imagePullSecrets }} |
| 32 | imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }} |
| 33 | {{- end }} |
| 34 | containers: |
| 35 | - name: patch |
| 36 | {{- with .Values.controller.admissionWebhooks.patch.image }} |
| 37 | image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}" |
| 38 | {{- end }} |
| 39 | imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }} |
| 40 | args: |
| 41 | - patch |
| 42 | - --webhook-name={{ include "ingress-nginx.fullname" . }}-admission |
| 43 | - --namespace=$(POD_NAMESPACE) |
| 44 | - --patch-mutating=false |
| 45 | - --secret-name={{ include "ingress-nginx.fullname" . }}-admission |
| 46 | - --patch-failure-policy={{ .Values.controller.admissionWebhooks.failurePolicy }} |
| 47 | env: |
| 48 | - name: POD_NAMESPACE |
| 49 | valueFrom: |
| 50 | fieldRef: |
| 51 | fieldPath: metadata.namespace |
| 52 | {{- if .Values.controller.admissionWebhooks.patchWebhookJob.resources }} |
| 53 | resources: {{ toYaml .Values.controller.admissionWebhooks.patchWebhookJob.resources | nindent 12 }} |
| 54 | {{- end }} |
| 55 | restartPolicy: OnFailure |
| 56 | serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission |
| 57 | {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }} |
| 58 | nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }} |
| 59 | {{- end }} |
| 60 | {{- if .Values.controller.admissionWebhooks.patch.tolerations }} |
| 61 | tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }} |
| 62 | {{- end }} |
| 63 | securityContext: |
| 64 | runAsNonRoot: true |
| 65 | runAsUser: {{ .Values.controller.admissionWebhooks.patch.runAsUser }} |
| 66 | {{- end }} |