From c5b16cea8b1685e3710a9f1a22cb14e7425291d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Fri, 25 Oct 2024 19:29:48 +0200 Subject: [PATCH] feat: allow webhook configuration (#143) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Charles-Edouard Brétéché --- .chainsaw.yaml | 14 ++++++++ .../sidecar-injector/certificates.yaml | 35 ++++++++++--------- charts/kyverno-envoy-plugin/values.yaml | 20 +++++++++++ .../{ => injected}/chainsaw-test.yaml | 6 +++- .../{ => injected}/pod-assert.yaml | 2 -- .../sidecar-injector/{ => injected}/pod.yaml | 2 -- .../not-injected/chainsaw-test.yaml | 15 ++++++++ .../not-injected/pod-assert.yaml | 6 ++++ .../sidecar-injector/not-injected/pod.yaml | 11 ++++++ 9 files changed, 89 insertions(+), 22 deletions(-) create mode 100755 .chainsaw.yaml rename tests/e2e-test/sidecar-injector/{ => injected}/chainsaw-test.yaml (63%) rename tests/e2e-test/sidecar-injector/{ => injected}/pod-assert.yaml (75%) rename tests/e2e-test/sidecar-injector/{ => injected}/pod.yaml (71%) create mode 100644 tests/e2e-test/sidecar-injector/not-injected/chainsaw-test.yaml create mode 100644 tests/e2e-test/sidecar-injector/not-injected/pod-assert.yaml create mode 100644 tests/e2e-test/sidecar-injector/not-injected/pod.yaml
diff --git a/.chainsaw.yaml b/.chainsaw.yaml
new file mode 100755
index 00000000..d45e2b69
--- /dev/null
+++ b/.chainsaw.yaml
@@ -0,0 +1,14 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/configuration-chainsaw-v1alpha2.json
+apiVersion: chainsaw.kyverno.io/v1alpha2
+kind: Configuration
+metadata:
+ name: configuration
+spec:
+ cleanup:
+ delayBeforeCleanup: 3s
+ discovery:
+ fullName: true
+ execution:
+ failFast: true
+ forceTerminationGracePeriod: 5s
+ parallel: 1
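Review bot: `.chainsaw.yaml` is added with mode 100755 (see the `new file mode` header), but it is a configuration file, not a script, and every other file created by this commit uses 100644. Strip the executable bit with `chmod -x .chainsaw.yaml` so the file is not flagged by tooling that audits executable files in the tree. The settings themselves carry no explanation; a one-line comment such as `# shared chainsaw config for tests/e2e-test: serial execution, fail fast, short cleanup delay` above `spec:` would help the next contributor.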
diff --git a/charts/kyverno-envoy-plugin/templates/sidecar-injector/certificates.yaml b/charts/kyverno-envoy-plugin/templates/sidecar-injector/certificates.yaml
index a58c684a..e4de8944 100644
--- a/charts/kyverno-envoy-plugin/templates/sidecar-injector/certificates.yaml
+++ b/charts/kyverno-envoy-plugin/templates/sidecar-injector/certificates.yaml
@@ -25,6 +25,10 @@ metadata:
name: {{ template "kyverno.sidecar-injector.name" . }}
labels:
{{- include "kyverno.sidecar-injector.labels" . | nindent 4 }}
+ {{- with .Values.sidecarInjector.webhook.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
webhooks: - name: kyverno-envoy-sidecar.kyverno-envoy-sidecar-injector.svc
clientConfig:
@@ -33,24 +37,21 @@ webhooks:
namespace: {{ template "kyverno.namespace" . }}
path: "/mutate"
caBundle: {{ $ca.Cert | b64enc }}
- failurePolicy: Fail
+ failurePolicy: {{ .Values.sidecarInjector.webhook.failurePolicy }}
sideEffects: None
- admissionReviewVersions:
- - v1
+ admissionReviewVersions: [ v1 ]
rules:
- - apiGroups:
- - '' apiVersions:
- - v1 resources:
- - pods operations:
- - CREATE scope: '*'
+ - apiGroups: [ '' ] apiVersions: [ v1 ] resources: [ pods ] operations: [ CREATE ] scope: '*'
+ {{- with .Values.sidecarInjector.webhook.objectSelector }}
objectSelector:
- matchExpressions:
- - key: kyverno-envoy-sidecar/injection operator: In values:
- - enabled
+ {{- tpl (toYaml .) $ | nindent 6 }}
+ {{- end }}
+ {{- with .Values.sidecarInjector.webhook.namespaceSelector }}
+ namespaceSelector:
+ {{- tpl (toYaml .) $ | nindent 6 }}
+ {{- end }}
{{- end -}}
diff --git a/charts/kyverno-envoy-plugin/values.yaml b/charts/kyverno-envoy-plugin/values.yaml
index 1498e31b..dfdc4937 100644
--- a/charts/kyverno-envoy-plugin/values.yaml
+++ b/charts/kyverno-envoy-plugin/values.yaml
@@ -26,6 +26,7 @@ sidecarInjector:
create: true
serviceAccount:
+ # -- The ServiceAccount name
name:
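Review bot: `failurePolicy: {{ .Values.sidecarInjector.webhook.failurePolicy }}` in the second certificates.yaml hunk renders the value unquoted, so an unset or empty value yields `failurePolicy:` (null, silently replaced by the API server's default) and a typo is only caught at install time; render it as `failurePolicy: {{ .Values.sidecarInjector.webhook.failurePolicy | quote }}` and, if the chart ships a values.schema.json, constrain it to the enum `Fail`/`Ignore`. Because `Ignore` makes the injector fail open — pods admitted while the webhook is unreachable get no sidecar and thus no policy enforcement — a template comment stating that is worth adding next to the line. The two `with` guards also mean that with the new default `objectSelector: ~` the previous `kyverno-envoy-sidecar/injection: enabled` object selector disappears and matching rests solely on `namespaceSelector`; if a user empties both, the webhook applies to every pod in every namespace including kube-system, and with `failurePolicy: Fail` that can block cluster-critical workloads whenever the injector is down, so a `{{- fail }}` guard or at least a comment on that combination seems warranted. The enclosing template conditional that `{{- end -}}` closes starts outside the hunk.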
@@ -119,6 +120,7 @@ sidecarInjector:
nodeAffinity: {}
containers:
+ injector:
image:
@@ -232,4 +234,22 @@ sidecarInjector:
webhook:
+ # -- Webhook annotations
+ annotations: {}
+ # example.com/annotation: value
+
+ # -- Webhook object selector
+ objectSelector: ~
+
+ # -- Webhook failure policy
+ failurePolicy: Fail
+
+ # -- Webhook namespace selector
+ namespaceSelector:
+ matchExpressions:
+ - key: kyverno-injection
+ operator: In
+ values:
+ - enabled
+
pdb:
diff --git a/tests/e2e-test/sidecar-injector/chainsaw-test.yaml b/tests/e2e-test/sidecar-injector/injected/chainsaw-test.yaml
similarity index 63%
rename from tests/e2e-test/sidecar-injector/chainsaw-test.yaml
rename to tests/e2e-test/sidecar-injector/injected/chainsaw-test.yaml
index 965c74af..67e0b0f7 100644
--- a/tests/e2e-test/sidecar-injector/chainsaw-test.yaml
+++ b/tests/e2e-test/sidecar-injector/injected/chainsaw-test.yaml
@@ -1,8 +1,12 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
- name: sidecar-injector
+ name: injected
spec:
+ namespaceTemplate:
+ metadata:
+ labels:
+ kyverno-injection: enabled
steps: - try: - create:
diff --git a/tests/e2e-test/sidecar-injector/pod-assert.yaml b/tests/e2e-test/sidecar-injector/injected/pod-assert.yaml
similarity index 75%
rename from tests/e2e-test/sidecar-injector/pod-assert.yaml
rename to tests/e2e-test/sidecar-injector/injected/pod-assert.yaml
index 71a7fdc9..2e95514f 100644
--- a/tests/e2e-test/sidecar-injector/pod-assert.yaml
+++ b/tests/e2e-test/sidecar-injector/injected/pod-assert.yaml
@@ -2,8 +2,6 @@ apiVersion: v1
kind: Pod
metadata:
name: pod
- labels:
- kyverno-envoy-sidecar/injection: enabled
spec:
containers: - name: busybox
diff --git a/tests/e2e-test/sidecar-injector/pod.yaml b/tests/e2e-test/sidecar-injector/injected/pod.yaml
similarity index 71%
rename from tests/e2e-test/sidecar-injector/pod.yaml
rename to tests/e2e-test/sidecar-injector/injected/pod.yaml
index 0c627153..f193a147 100644
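Review bot: The `# -- Webhook failure policy` comment above `failurePolicy: Fail` in the values.yaml webhook hunk does not tell the operator what the choice means for enforcement; suggest `# -- Webhook failure policy (Fail or Ignore). Ignore fails open: pods created while the injector is unreachable are admitted without the sidecar.` In the same hunk `objectSelector: ~` should be spelled `null` (or `{}`, matching `annotations: {}` two lines above) — `~` is the least readable null form and both are skipped by the template's `with` guard anyway. The default selection also moves from the old per-pod label `kyverno-envoy-sidecar/injection` (removed from the rendered webhook in this commit) to a per-namespace `kyverno-injection: enabled` label, which is a breaking change for existing users; the `# -- Webhook namespace selector` comment should say so, and it belongs in the chart changelog if one exists.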
--- a/tests/e2e-test/sidecar-injector/pod.yaml
+++ b/tests/e2e-test/sidecar-injector/injected/pod.yaml
@@ -2,8 +2,6 @@ apiVersion: v1
kind: Pod
metadata:
name: pod
- labels:
- kyverno-envoy-sidecar/injection: enabled
spec:
containers: - name: busybox
diff --git a/tests/e2e-test/sidecar-injector/not-injected/chainsaw-test.yaml b/tests/e2e-test/sidecar-injector/not-injected/chainsaw-test.yaml
new file mode 100644
index 00000000..638c6e0e
--- /dev/null
+++ b/tests/e2e-test/sidecar-injector/not-injected/chainsaw-test.yaml
@@ -0,0 +1,15 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: not-injected
+spec:
+ namespaceTemplate:
+ metadata:
+ labels:
+ kyverno-injection: disabled
+ steps:
+ - try:
+ - create:
+ file: ./pod.yaml
+ - assert:
+ file: ./pod-assert.yaml
diff --git a/tests/e2e-test/sidecar-injector/not-injected/pod-assert.yaml b/tests/e2e-test/sidecar-injector/not-injected/pod-assert.yaml
new file mode 100644
index 00000000..5bbed48d
--- /dev/null
+++ b/tests/e2e-test/sidecar-injector/not-injected/pod-assert.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ (length(containers)): 1
diff --git a/tests/e2e-test/sidecar-injector/not-injected/pod.yaml b/tests/e2e-test/sidecar-injector/not-injected/pod.yaml
new file mode 100644
index 00000000..f193a147
--- /dev/null
+++ b/tests/e2e-test/sidecar-injector/not-injected/pod.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: busybox
+ image: busybox
+ args:
+ - sleep
+ - 1d
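Review bot: The negative test in `not-injected/chainsaw-test.yaml` only exercises a namespace explicitly labelled `kyverno-injection: disabled`; with the default `namespaceSelector` (`operator: In`, `values: [enabled]`) the far more common case of a namespace carrying no `kyverno-injection` label at all is also excluded, and that is the case that would silently regress if the selector were ever changed to `NotIn` or `Exists`. Add a second test whose `namespaceTemplate` sets no labels (or drop the label from this one and keep `disabled` as a third case) so both exclusion paths are asserted against `(length(containers)): 1`. A short comment above `namespaceTemplate:` such as `# namespace deliberately outside the injector's default namespaceSelector` would also make the test's intent visible without reading the chart.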