cecf
/
deploy


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148
							################################################################################
#  Licensed to the Apache Software Foundation (ASF) under one
#  or more contributor license agreements.  See the NOTICE file
#  distributed with this work for additional information
#  regarding copyright ownership.  The ASF licenses this file
#  to you under the Apache License, Version 2.0 (the
#  "License"); you may not use this file except in compliance
#  with the License.  You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
#  Unless required by applicable law or agreed to in writing, software
#  distributed under the License is distributed on an "AS IS" BASIS,
#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#  See the License for the specific language governing permissions and
# limitations under the License.
################################################################################
---
{{- if eq (include "flink-operator.webhook-enabled" .) "true" }}
---
apiVersion: v1
kind: Service
metadata:
  name: flink-operator-webhook-service
  namespace: {{ .Release.Namespace }}
spec:
  ports:
  - port: 443
    targetPort: 9443
  selector:
    app.kubernetes.io/name: {{ include "flink-operator.name" . }}
---
{{- if .Values.webhook.keystore.useDefaultPassword }}
apiVersion: v1
kind: Secret
metadata:
  name: flink-operator-webhook-secret
  namespace: {{ .Release.Namespace }}
type: Opaque
data:
  password: cGFzc3dvcmQxMjM0
{{- end }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: flink-operator-serving-cert
  namespace: {{ .Release.Namespace }}
spec:
  dnsNames:
  - flink-operator-webhook-service.{{ .Release.Namespace }}.svc
  - flink-operator-webhook-service.{{ .Release.Namespace }}.svc.cluster.local
  keystores:
    pkcs12:
      create: true
      passwordSecretRef:
      {{- if .Values.webhook.keystore.useDefaultPassword }}
        name: flink-operator-webhook-secret
        key: password
      {{- else }}
        {{- with .Values.webhook.keystore.passwordSecretRef }}
          {{- toYaml . | nindent 8 }}
        {{- end }}
      {{- end }}
  issuerRef:
    kind: Issuer
    name: flink-operator-selfsigned-issuer
  commonName: FlinkDeployment Validator
  secretName: webhook-server-cert
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: flink-operator-selfsigned-issuer
  namespace: {{ .Release.Namespace }}
spec:
  selfSigned: {}
{{- end }}
{{- if eq (include "flink-operator.validating-webhook-enabled" .) "true" }}
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  annotations:
    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/flink-operator-serving-cert
  name: flink-operator-{{ .Release.Namespace }}-webhook-configuration
webhooks:
- name: validationwebhook.flink.apache.org
  admissionReviewVersions: ["v1"]
  clientConfig:
    service:
      name: flink-operator-webhook-service
      namespace: {{ .Release.Namespace }}
      path: /validate
  failurePolicy: Fail
  rules:
  - apiGroups: ["flink.apache.org"]
    apiVersions: ["*"]
    scope: "Namespaced"
    operations:
    - CREATE
    - UPDATE
    resources:
    - flinkdeployments
    - flinksessionjobs
  sideEffects: None
  {{- if .Values.watchNamespaces }}
  namespaceSelector:
    matchExpressions:
      - key: kubernetes.io/metadata.name
        operator: In
        values: [{{- range .Values.watchNamespaces }}{{ . | quote }},{{- end}}]
  {{- end }}
{{- end }}
{{- if eq (include "flink-operator.mutating-webhook-enabled" .) "true" }}
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  annotations:
    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/flink-operator-serving-cert
  name: flink-operator-{{ .Release.Namespace }}-webhook-configuration
webhooks:
  - name: mutationwebhook.flink.apache.org
    admissionReviewVersions: ["v1"]
    clientConfig:
      service:
        name: flink-operator-webhook-service
        namespace: {{ .Release.Namespace }}
        path: /mutate
    failurePolicy: Fail
    rules:
      - apiGroups: ["flink.apache.org"]
        apiVersions: ["*"]
        scope: "Namespaced"
        operations:
          - CREATE
        resources:
          - flinksessionjobs
    sideEffects: None
    {{- if .Values.watchNamespaces }}
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: In
          values: [{{- range .Values.watchNamespaces }}{{ . | quote }},{{- end}}]
    {{- end }}
{{- end }}