################################################################################ # Licensed to the Apache Software Foundation (ASF) under one # or more contributor license agreements. See the NOTICE file # distributed with this work for additional information # regarding copyright ownership. The ASF licenses this file # to you under the Apache License, Version 2.0 (the # "License"); you may not use this file except in compliance # with the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ################################################################################ --- {{- if eq (include "flink-operator.webhook-enabled" .) "true" }} --- apiVersion: v1 kind: Service metadata: name: flink-operator-webhook-service namespace: {{ .Release.Namespace }} spec: ports: - port: 443 targetPort: 9443 selector: app.kubernetes.io/name: {{ include "flink-operator.name" . }} --- {{- if .Values.webhook.keystore.useDefaultPassword }} apiVersion: v1 kind: Secret metadata: name: flink-operator-webhook-secret namespace: {{ .Release.Namespace }} type: Opaque data: password: cGFzc3dvcmQxMjM0 {{- end }} --- apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: flink-operator-serving-cert namespace: {{ .Release.Namespace }} spec: dnsNames: - flink-operator-webhook-service.{{ .Release.Namespace }}.svc - flink-operator-webhook-service.{{ .Release.Namespace }}.svc.cluster.local keystores: pkcs12: create: true passwordSecretRef: {{- if .Values.webhook.keystore.useDefaultPassword }} name: flink-operator-webhook-secret key: password {{- else }} {{- with .Values.webhook.keystore.passwordSecretRef }} {{- toYaml . | nindent 8 }} {{- end }} {{- end }} issuerRef: kind: Issuer name: flink-operator-selfsigned-issuer commonName: FlinkDeployment Validator secretName: webhook-server-cert --- apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: flink-operator-selfsigned-issuer namespace: {{ .Release.Namespace }} spec: selfSigned: {} {{- end }} {{- if eq (include "flink-operator.validating-webhook-enabled" .) "true" }} --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: annotations: cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/flink-operator-serving-cert name: flink-operator-{{ .Release.Namespace }}-webhook-configuration webhooks: - name: validationwebhook.flink.apache.org admissionReviewVersions: ["v1"] clientConfig: service: name: flink-operator-webhook-service namespace: {{ .Release.Namespace }} path: /validate failurePolicy: Fail rules: - apiGroups: ["flink.apache.org"] apiVersions: ["*"] scope: "Namespaced" operations: - CREATE - UPDATE resources: - flinkdeployments - flinksessionjobs sideEffects: None {{- if .Values.watchNamespaces }} namespaceSelector: matchExpressions: - key: kubernetes.io/metadata.name operator: In values: [{{- range .Values.watchNamespaces }}{{ . | quote }},{{- end}}] {{- end }} {{- end }} {{- if eq (include "flink-operator.mutating-webhook-enabled" .) "true" }} --- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: annotations: cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/flink-operator-serving-cert name: flink-operator-{{ .Release.Namespace }}-webhook-configuration webhooks: - name: mutationwebhook.flink.apache.org admissionReviewVersions: ["v1"] clientConfig: service: name: flink-operator-webhook-service namespace: {{ .Release.Namespace }} path: /mutate failurePolicy: Fail rules: - apiGroups: ["flink.apache.org"] apiVersions: ["*"] scope: "Namespaced" operations: - CREATE resources: - flinksessionjobs sideEffects: None {{- if .Values.watchNamespaces }} namespaceSelector: matchExpressions: - key: kubernetes.io/metadata.name operator: In values: [{{- range .Values.watchNamespaces }}{{ . | quote }},{{- end}}] {{- end }} {{- end }}