diff --git a/templates/injector-mutating-webhook.yaml b/templates/injector-mutating-webhook.yaml
index d0cafa66..9dc88279 100644
--- a/templates/injector-mutating-webhook.yaml
+++ b/templates/injector-mutating-webhook.yaml
@@ -41,5 +41,9 @@ webhooks:
 namespaceSelector:
 {{ toYaml (((.Values.injector.webhook)).namespaceSelector | default .Values.injector.namespaceSelector) | indent 6}}
 {{ end }}
+{{- if (((.Values.injector.webhook)).matchConditions) }}
+ matchConditions:
+{{ toYaml ((.Values.injector.webhook)).matchConditions | indent 6}}
+{{ end }}
 {{- template "injector.objectSelector" . -}}
 {{ end }}
diff --git a/values.schema.json b/values.schema.json
index 34506f97..4e66169e 100644
--- a/values.schema.json
+++ b/values.schema.json
@@ -584,6 +584,12 @@
 "failurePolicy": {
 "type": "string"
 },
+ "matchConditions": {
+ "type": "array",
+ "items": {
+ "type": "object"
+ }
+ },
 "matchPolicy": {
 "type": "string"
 },
diff --git a/values.yaml b/values.yaml
index 7d2c2dd4..5b001b05 100644
--- a/values.yaml
+++ b/values.yaml
@@ -171,6 +171,15 @@ injector:
 # timeoutSeconds: 30
 
+ # matchConditions is the selector for restricting the webhook fine-grained request filtering.
+ # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions
+ # for more details.
+ # Example:
+ # matchConditions:
+ # - name: include-vault-pods
+ # expression: "has(object.metadata.annotations) && 'vault.hashicorp.com/agent-inject' in object.metadata.annotations"
+ matchConditions: []
+
 # namespaceSelector is the selector for restricting the webhook to only
 # specific namespaces.
 # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
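Review bot: The new `matchConditions:` block is rendered whenever the value is non-empty, but the field is only honoured by API servers where webhook match conditions are available (beta and on by default from Kubernetes 1.27, GA in 1.30); on an older cluster the field is dropped or rejected, so an operator who set conditions to narrow what the injector mutates would silently get the unrestricted webhook. Consider gating the block on the target version, e.g. `{{- if and (semverCompare ">=1.27-0" .Capabilities.KubeVersion.Version) (((.Values.injector.webhook)).matchConditions) }}`, or at minimum stating the minimum cluster version in the comment above `matchConditions: []` in values.yaml. A one-line comment above the block would also help operators, since a condition that errors at evaluation time (for example a field not guarded by `has()`, as the values.yaml example does) is handled per `failurePolicy` — `Fail` rejects the request, `Ignore` skips the webhook — and the chart exposes `failurePolicy` as a separate value. The enclosing `webhooks:` list item starts before this hunk.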
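Review bot: The schema entry for `matchConditions` accepts any object as an item, so a misspelt key such as `expresion:` or an item without `name` passes Helm's values validation at lint/install time and is only caught by the API server — or, on a cluster that drops the field, not at all. Since the webhook API requires exactly `name` and `expression` on each condition, tightening the item schema would surface such mistakes at render time; the surrounding `properties` object continues outside the hunk.
```json
        "matchConditions": {
          "type": "array",
          "items": {
            "type": "object",
            "required": ["name", "expression"],
            "properties": {
              "name": { "type": "string" },
              "expression": { "type": "string" }
            }
          }
        },
```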