allow setting matchConditions for the injector webhook

templates/injector-mutating-webhook.yaml

@@ -41,5 +41,9 @@ webhooks:
     namespaceSelector:
 {{ toYaml (((.Values.injector.webhook)).namespaceSelector | default .Values.injector.namespaceSelector) | indent 6}}
 {{ end }}
+{{- if (((.Values.injector.webhook)).matchConditions) }}
+    matchConditions:
+{{ toYaml ((.Values.injector.webhook)).matchConditions | indent 6}}
+{{ end }}
 {{- template "injector.objectSelector" . -}}
 {{ end }}

values.schema.json

@@ -584,6 +584,12 @@
                         "failurePolicy": {
                             "type": "string"
                         },
+                        "matchConditions": {
+                            "type": "array",
+                            "items": {
+                                "type": "object"
+                            }
+                        },
                         "matchPolicy": {
                             "type": "string"
                         },

values.yaml

@@ -171,6 +171,15 @@ injector:
     #
     timeoutSeconds: 30
 
+    # matchConditions is the selector for restricting the webhook fine-grained request filtering.
+    # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions
+    # for more details.
+    # Example:
+    # matchConditions:
+    # - name: include-vault-pods
+    #   expression: "has(object.metadata.annotations) && 'vault.hashicorp.com/agent-inject' in object.metadata.annotations"
+    matchConditions: []
+
     # namespaceSelector is the selector for restricting the webhook to only
     # specific namespaces.
     # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector