ingress-nginx-helm/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml

{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ include "ingress-nginx.fullname" . }}-admission-create
  namespace: {{ .Release.Namespace }}
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
  labels:
    {{- include "ingress-nginx.labels" . | nindent 4 }}
    app.kubernetes.io/component: admission-webhook
spec:
{{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
  # Alpha feature since k8s 1.12
  ttlSecondsAfterFinished: 0
{{- end }}
  template:
    metadata:
      name: {{ include "ingress-nginx.fullname" . }}-admission-create
    {{- if .Values.controller.admissionWebhooks.patch.podAnnotations }}
      annotations: {{ toYaml .Values.controller.admissionWebhooks.patch.podAnnotations | nindent 8 }}
    {{- end }}
      labels:
        {{- include "ingress-nginx.labels" . | nindent 8 }}
        app.kubernetes.io/component: admission-webhook
    spec:
    {{- if .Values.controller.admissionWebhooks.patch.priorityClassName }}
      priorityClassName: {{ .Values.controller.admissionWebhooks.patch.priorityClassName }}
    {{- end }}
    {{- if .Values.imagePullSecrets }}
      imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
    {{- end }}
      containers:
        - name: create
          {{- with .Values.controller.admissionWebhooks.patch.image }}
          image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
          {{- end }}
          imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
          args:
            - create
            - --host={{ include "ingress-nginx.controller.fullname" . }}-admission,{{ include "ingress-nginx.controller.fullname" . }}-admission.$(POD_NAMESPACE).svc
            - --namespace=$(POD_NAMESPACE)
            - --secret-name={{ include "ingress-nginx.fullname" . }}-admission
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          {{- if .Values.controller.admissionWebhooks.createSecretJob.resources }}
          resources: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.resources | nindent 12 }}
          {{- end }}
      restartPolicy: OnFailure
      serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission
    {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
      nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
    {{- end }}
    {{- if .Values.controller.admissionWebhooks.patch.tolerations }}
      tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }}
    {{- end }}
      securityContext:
        runAsNonRoot: true
        runAsUser: {{ .Values.controller.admissionWebhooks.patch.runAsUser }}
{{- end }}
Cleanup chart code 2020-03-02 08:49:26 -06:00			`{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}`
Start migration of helm chart (#5159) 2020-02-24 16:25:57 -03:00			`apiVersion: batch/v1`
			`kind: Job`
			`metadata:`
Hardcode component names. By removing this, we reduce unecessary config options and moving parts. Signed-off-by: Naseem <naseem@transit.app> 2020-03-03 21:53:23 -05:00			`name: {{ include "ingress-nginx.fullname" . }}-admission-create`
added namespace field in the namespace scoped resource templates of helm chart (#7256) * added namespace field in the namespace scoped resource templates of helm chart * moved namespace field from roleRef to metadata 2021-06-21 11:56:51 +00:00			`namespace: {{ .Release.Namespace }}`
Start migration of helm chart (#5159) 2020-02-24 16:25:57 -03:00			`annotations:`
			`"helm.sh/hook": pre-install,pre-upgrade`
			`"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded`
			`labels:`
Update helm templates to match new chart name 2020-02-28 08:53:24 -06:00			`{{- include "ingress-nginx.labels" . \| nindent 4 }}`
			`app.kubernetes.io/component: admission-webhook`
Start migration of helm chart (#5159) 2020-02-24 16:25:57 -03:00			`spec:`
Cleanup chart code 2020-03-02 08:49:26 -06:00			`{{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}`
Start migration of helm chart (#5159) 2020-02-24 16:25:57 -03:00			`# Alpha feature since k8s 1.12`
			`ttlSecondsAfterFinished: 0`
Cleanup chart code 2020-03-02 08:49:26 -06:00			`{{- end }}`
Start migration of helm chart (#5159) 2020-02-24 16:25:57 -03:00			`template:`
			`metadata:`
Hardcode component names. By removing this, we reduce unecessary config options and moving parts. Signed-off-by: Naseem <naseem@transit.app> 2020-03-03 21:53:23 -05:00			`name: {{ include "ingress-nginx.fullname" . }}-admission-create`
Cleanup chart code 2020-03-02 08:49:26 -06:00			`{{- if .Values.controller.admissionWebhooks.patch.podAnnotations }}`
			`annotations: {{ toYaml .Values.controller.admissionWebhooks.patch.podAnnotations \| nindent 8 }}`
			`{{- end }}`
Start migration of helm chart (#5159) 2020-02-24 16:25:57 -03:00			`labels:`
Update helm templates to match new chart name 2020-02-28 08:53:24 -06:00			`{{- include "ingress-nginx.labels" . \| nindent 8 }}`
			`app.kubernetes.io/component: admission-webhook`
Start migration of helm chart (#5159) 2020-02-24 16:25:57 -03:00			`spec:`
Cleanup chart code 2020-03-02 08:49:26 -06:00			`{{- if .Values.controller.admissionWebhooks.patch.priorityClassName }}`
Start migration of helm chart (#5159) 2020-02-24 16:25:57 -03:00			`priorityClassName: {{ .Values.controller.admissionWebhooks.patch.priorityClassName }}`
Add configuration option for the imagePullSecrets in the WH jobs 2020-05-04 17:46:27 +00:00			`{{- end }}`
			`{{- if .Values.imagePullSecrets }}`
			`imagePullSecrets: {{ toYaml .Values.imagePullSecrets \| nindent 8 }}`
Cleanup chart code 2020-03-02 08:49:26 -06:00			`{{- end }}`
Start migration of helm chart (#5159) 2020-02-24 16:25:57 -03:00			`containers:`
			`- name: create`
Allow pulling images by digest The digest uniquely identifies a specific version of the image, so it is never updated by Kubernetes unless you change the digest value. This is desirable for security to gain confidence that no unvetted changes are pulled to a deployment. 2020-05-20 11:34:18 -04:00			`{{- with .Values.controller.admissionWebhooks.patch.image }}`
updated values.yaml and templates to have separate values for registry and image with container images, left repository value for backwards compatability (#7095) 2021-05-23 11:07:38 -05:00			`image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"`
Allow pulling images by digest The digest uniquely identifies a specific version of the image, so it is never updated by Kubernetes unless you change the digest value. This is desirable for security to gain confidence that no unvetted changes are pulled to a deployment. 2020-05-20 11:34:18 -04:00			`{{- end }}`
Start migration of helm chart (#5159) 2020-02-24 16:25:57 -03:00			`imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}`
			`args:`
			`- create`
Use Env expansion for namespace in args When deploying the controller to a custom namespace, users have to overwrite the namespace attribute as well as the hardcoded namespace values in a number of args for the Deployment and the admission controller Jobs. Instead, this commit, uses the namespace name from the DownwardAPI, and allows users to simply change the namespace attribute without having to worry about the container args. 2020-07-29 11:08:51 +02:00			`- --host={{ include "ingress-nginx.controller.fullname" . }}-admission,{{ include "ingress-nginx.controller.fullname" . }}-admission.$(POD_NAMESPACE).svc`
			`- --namespace=$(POD_NAMESPACE)`
Hardcode component names. By removing this, we reduce unecessary config options and moving parts. Signed-off-by: Naseem <naseem@transit.app> 2020-03-03 21:53:23 -05:00			`- --secret-name={{ include "ingress-nginx.fullname" . }}-admission`
Use Env expansion for namespace in args When deploying the controller to a custom namespace, users have to overwrite the namespace attribute as well as the hardcoded namespace values in a number of args for the Deployment and the admission controller Jobs. Instead, this commit, uses the namespace name from the DownwardAPI, and allows users to simply change the namespace attribute without having to worry about the container args. 2020-07-29 11:08:51 +02:00			`env:`
			`- name: POD_NAMESPACE`
			`valueFrom:`
			`fieldRef:`
			`fieldPath: metadata.namespace`
Helm - Enable configuring request and limit for containers in webhook jobs (#7434) * helm: add feature to configure request and limit for container in createSecret and patchWebhook job Signed-off-by: Bhumij Gupta <bhumijgupta@gmail.com> * Remove empty line in helm template Signed-off-by: Bhumij Gupta <bhumijgupta@gmail.com> * Add test for admission webhook job container resources Signed-off-by: Bhumij Gupta <bhumijgupta@gmail.com> * Add new line character at the end of charts ci file Signed-off-by: Bhumij Gupta <bhumijgupta@gmail.com> 2021-08-06 04:01:41 +05:30			`{{- if .Values.controller.admissionWebhooks.createSecretJob.resources }}`
			`resources: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.resources \| nindent 12 }}`
			`{{- end }}`
Start migration of helm chart (#5159) 2020-02-24 16:25:57 -03:00			`restartPolicy: OnFailure`
Hardcode component names. By removing this, we reduce unecessary config options and moving parts. Signed-off-by: Naseem <naseem@transit.app> 2020-03-03 21:53:23 -05:00			`serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission`
Cleanup chart code 2020-03-02 08:49:26 -06:00			`{{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}`
			`nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector \| nindent 8 }}`
add toleration support for admission webhooks Update charts/ingress-nginx/Chart.yaml Co-authored-by: Alex Harder <13860012+ChiefAlexander@users.noreply.github.com> 2020-05-19 12:58:57 +07:00			`{{- end }}`
			`{{- if .Values.controller.admissionWebhooks.patch.tolerations }}`
			`tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations \| nindent 8 }}`
Cleanup chart code 2020-03-02 08:49:26 -06:00			`{{- end }}`
Start migration of helm chart (#5159) 2020-02-24 16:25:57 -03:00			`securityContext:`
			`runAsNonRoot: true`
Move webhook runAsUser from patch.image.runAsUser to patch.runAsUser 2020-05-04 17:50:00 +00:00			`runAsUser: {{ .Values.controller.admissionWebhooks.patch.runAsUser }}`
Start migration of helm chart (#5159) 2020-02-24 16:25:57 -03:00			`{{- end }}`