Merge pull request topolvm#960 from dsvetl/main

Add ObjectSelector Configuration for Webhooks
Nordix · Sep 9, 2024 · 736f451 · 736f451
2 parents f5c95d6 + 2d0c4ce
commit 736f451
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 0 deletions.
diff --git a/charts/topolvm/README.md b/charts/topolvm/README.md
@@ -157,7 +157,9 @@ See [Getting Started](https://github.com/topolvm/topolvm/blob/topolvm-chart-v15.
 | webhook.caBundle | string | `nil` | Specify the certificate to be used for AdmissionWebhook. |
 | webhook.existingCertManagerIssuer | object | `{}` | Specify the cert-manager issuer to be used for AdmissionWebhook. |
 | webhook.podMutatingWebhook.enabled | bool | `false` | Enable Pod MutatingWebhook. |
+| webhook.podMutatingWebhook.objectSelector | object | `{}` | Labels required on Pods for webhook action. **WARNING**: Modifying objectSelector can affect TopoLVM Pod scheduling. Proceed with caution. # ref: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector |
 | webhook.pvcMutatingWebhook.enabled | bool | `true` | Enable PVC MutatingWebhook. |
+| webhook.pvcMutatingWebhook.objectSelector | object | `{}` | Labels required on PVCs for webhook action. **WARNING**: Modifying objectSelector can affect TopoLVM PVC management. Proceed with caution. # ref: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector |
 
 ## Generate Manifests
 

diff --git a/charts/topolvm/templates/mutatingwebhooks.yaml b/charts/topolvm/templates/mutatingwebhooks.yaml
@@ -21,6 +21,13 @@ webhooks:
       - key: {{ include "topolvm.pluginName" . }}/webhook
         operator: NotIn
         values: ["ignore"]
+    {{- if .Values.webhook.podMutatingWebhook.objectSelector }}
+    objectSelector:
+      matchLabels:
+        {{- range $key, $value := .Values.webhook.podMutatingWebhook.objectSelector }}
+        {{ $key }}: {{ $value }}
+        {{- end }}
+    {{- end }}
     failurePolicy: Fail
     matchPolicy: Equivalent
     clientConfig:
@@ -52,6 +59,13 @@ webhooks:
       - key: {{ include "topolvm.pluginName" . }}/webhook
         operator: NotIn
         values: ["ignore"]
+    {{- if .Values.webhook.pvcMutatingWebhook.objectSelector }}
+    objectSelector:
+      matchLabels:
+        {{- range $key, $value := .Values.webhook.pvcMutatingWebhook.objectSelector }}
+        {{ $key }}: {{ $value }}
+        {{- end }}
+    {{- end }}
     failurePolicy: Fail
     matchPolicy: Equivalent
     clientConfig:

diff --git a/charts/topolvm/values.yaml b/charts/topolvm/values.yaml
@@ -697,9 +697,19 @@ webhook:
   podMutatingWebhook:
     # webhook.podMutatingWebhook.enabled -- Enable Pod MutatingWebhook.
     enabled: false
+    # webhook.podMutatingWebhook.objectSelector -- Labels required on Pods for webhook action.
+    # **WARNING**: Modifying objectSelector can affect TopoLVM Pod scheduling. Proceed with caution.
+    ## ref: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector
+    objectSelector: {}
+      # webhook: topolvm
   pvcMutatingWebhook:
     # webhook.pvcMutatingWebhook.enabled -- Enable PVC MutatingWebhook.
     enabled: true
+    # webhook.pvcMutatingWebhook.objectSelector -- Labels required on PVCs for webhook action.
+    # **WARNING**: Modifying objectSelector can affect TopoLVM PVC management. Proceed with caution.
+    ## ref: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector
+    objectSelector: {}
+      # webhook: topolvm
 
 # Container Security Context
 # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/