Updating the caBundle for the controller webhook

Signed-off-by: ytimocin <[email protected]>
radius-project · Jan 11, 2024 · e9b47ff · e9b47ff
1 parent be2bc0c
commit e9b47ff
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 1 deletion.
diff --git a/deploy/Chart/templates/_helpers.tpl b/deploy/Chart/templates/_helpers.tpl
@@ -12,3 +12,25 @@
 {{- end -}}
 {{- print $version }}
 {{- end -}}
+
+{{/*
+Define a function to extract the caBundle for a given webhook name
+from a *WebhookConfiguration object
+*/}}
+{{- define "controller.getWebhookCaBundle" -}}
+{{- $existingWebhook := .existingWebhook -}}
+{{- $webhookName := .webhookName -}}
+{{- $fallbackCa := .fallbackCa -}}
+{{- $caBundle := "" -}}
+{{- if $fallbackCa -}}
+  {{- $caBundle = b64enc $fallbackCa.Cert -}}
+{{- end -}}
+{{- if $existingWebhook -}}
+  {{- range $webhook := $existingWebhook.webhooks -}}
+    {{- if eq $webhook.name $webhookName -}}
+      {{- $caBundle = $webhook.clientConfig.caBundle -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+{{- $caBundle -}}
+{{- end -}}
diff --git a/deploy/Chart/templates/controller/webhook.yaml b/deploy/Chart/templates/controller/webhook.yaml
@@ -7,6 +7,7 @@
 {{- $altName3 := printf "controller.%s.svc.cluster" .Release.Namespace }}
 {{- $altName4 := printf "controller.%s.svc.cluster.local" .Release.Namespace }}
 {{- $cert := genSignedCert $cn nil (list $altName1 $altName2 $altName3 $altName4) 3650 $ca }}
+{{- $validatingWebhookCaBundle := include "controller.getWebhookCaBundle" (dict "existingWebhook" $existingWebhook "webhookName" "recipe-webhook.radapp.io" "fallbackCa" $ca) }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -32,7 +33,7 @@ webhooks:
 - admissionReviewVersions:
   - v1
   clientConfig:
-    caBundle: {{ b64enc $ca.Cert }}
+    caBundle: {{ $validatingWebhookCaBundle }}
     service:
       name: controller
       namespace: {{ .Release.Namespace }}