From cef84da943e121dda3c9c91dc4bbf2790651ac16 Mon Sep 17 00:00:00 2001
From: Jeremy Facchetti <facchettos@gmail.com>
Date: Wed, 6 Dec 2023 13:07:07 +0100
Subject: [PATCH] added admission options to helm (#1396)

* added admission options to helm

* typo

* added the helm values to pkg/config

* changed type
---
 charts/eks/templates/syncer-deployment.yaml | 10 ++++++++++
 charts/eks/values.yaml                      |  6 ++++++
 charts/k0s/templates/statefulset.yaml       | 10 ++++++++++
 charts/k0s/values.yaml                      |  6 ++++++
 charts/k3s/templates/statefulset.yaml       | 10 ++++++++++
 charts/k3s/values.yaml                      |  6 ++++++
 charts/k8s/templates/syncer-deployment.yaml | 10 ++++++++++
 charts/k8s/values.yaml                      |  7 +++++++
 pkg/config/helmvalues/k3s.go                |  6 ++++++
 9 files changed, 71 insertions(+)

diff --git a/charts/eks/templates/syncer-deployment.yaml b/charts/eks/templates/syncer-deployment.yaml
index 499251483..f6e07bb2b 100644
--- a/charts/eks/templates/syncer-deployment.yaml
+++ b/charts/eks/templates/syncer-deployment.yaml
@@ -173,6 +173,16 @@ spec:
           {{- if .Values.coredns.integrated }}
           - --integrated-coredns=true
           {{- end }}
+          {{- if .Values.admission.validatingWebhooks }}
+          {{- range .Values.admission.validatingWebhooks }}
+          - --enforce-validating-hook={{ . | b64enc }}
+          {{- end }}
+          {{- end }}
+          {{- if .Values.admission.mutatingWebhooks }}
+          {{- range .Values.admission.mutatingWebhooks }}
+          - --enforce-mutating-hook={{ . | b64enc }}
+          {{- end }}
+          {{- end }}
           {{- if and .Values.coredns.integrated .Values.coredns.plugin.enabled }}
           - --use-coredns-plugin=true
           {{- end }}
diff --git a/charts/eks/values.yaml b/charts/eks/values.yaml
index 15bd09de1..82028337f 100644
--- a/charts/eks/values.yaml
+++ b/charts/eks/values.yaml
@@ -502,6 +502,12 @@ isolation:
 multiNamespaceMode:
   enabled: false
 
+# list of {validating/mutating}webhooks that the syncer should proxy.
+# This is a PRO only feature.
+admission:
+  validatingWebhooks: []
+  mutatingWebhooks: []
+
 telemetry:
   disabled: false
   instanceCreator: "helm"
diff --git a/charts/k0s/templates/statefulset.yaml b/charts/k0s/templates/statefulset.yaml
index 01ea6cfe2..f047c43f3 100644
--- a/charts/k0s/templates/statefulset.yaml
+++ b/charts/k0s/templates/statefulset.yaml
@@ -209,6 +209,16 @@ spec:
           {{- if and .Values.coredns.integrated .Values.coredns.plugin.enabled }}
           - --use-coredns-plugin=true
           {{- end }}
+          {{- if .Values.admission.validatingWebhooks }}
+          {{- range .Values.admission.validatingWebhooks }}
+          - --enforce-validating-hook={{ . | b64enc }}
+          {{- end }}
+          {{- end }}
+          {{- if .Values.admission.mutatingWebhooks }}
+          {{- range .Values.admission.mutatingWebhooks }}
+          - --enforce-mutating-hook={{ . | b64enc }}
+          {{- end }}
+          {{- end }}
           {{- range $f := .Values.syncer.extraArgs }}
           - {{ $f | quote }}
           {{- end }}
diff --git a/charts/k0s/values.yaml b/charts/k0s/values.yaml
index 93a15802f..69f3b05b5 100644
--- a/charts/k0s/values.yaml
+++ b/charts/k0s/values.yaml
@@ -488,6 +488,12 @@ init:
 multiNamespaceMode:
   enabled: false
 
+# list of {validating/mutating}webhooks that the syncer should proxy.
+# This is a PRO only feature.
+admission:
+  validatingWebhooks: []
+  mutatingWebhooks: []
+
 telemetry:
   disabled: false
   instanceCreator: "helm"
diff --git a/charts/k3s/templates/statefulset.yaml b/charts/k3s/templates/statefulset.yaml
index 48e55df08..b738cc6da 100644
--- a/charts/k3s/templates/statefulset.yaml
+++ b/charts/k3s/templates/statefulset.yaml
@@ -264,6 +264,16 @@ spec:
           - --sync-k8s-service=true
           {{- end }}
           {{- end }}
+          {{- if .Values.admission.validatingWebhooks }}
+          {{- range .Values.admission.validatingWebhooks }}
+          - --enforce-validating-hook={{ . | b64enc }}
+          {{- end }}
+          {{- end }}
+          {{- if .Values.admission.mutatingWebhooks }}
+          {{- range .Values.admission.mutatingWebhooks }}
+          - --enforce-mutating-hook={{ . | b64enc }}
+          {{- end }}
+          {{- end }}
           {{- range $f := .Values.syncer.extraArgs }}
           - {{ $f | quote }}
           {{- end }}
diff --git a/charts/k3s/values.yaml b/charts/k3s/values.yaml
index 2b5b89bcc..0e6641103 100644
--- a/charts/k3s/values.yaml
+++ b/charts/k3s/values.yaml
@@ -197,6 +197,12 @@ embeddedEtcd:
   # If embedded etcd should be enabled, this is a PRO only feature
   enabled: false
 
+# list of {validating/mutating}webhooks that the syncer should proxy.
+# This is a PRO only feature.
+admission:
+  validatingWebhooks: []
+  mutatingWebhooks: []
+
 # Storage settings for the vcluster
 storage:
   # If this is disabled, vcluster will use an emptyDir instead
diff --git a/charts/k8s/templates/syncer-deployment.yaml b/charts/k8s/templates/syncer-deployment.yaml
index 721f7e631..59e06bb62 100644
--- a/charts/k8s/templates/syncer-deployment.yaml
+++ b/charts/k8s/templates/syncer-deployment.yaml
@@ -209,6 +209,16 @@ spec:
           {{- if and .Values.coredns.integrated .Values.coredns.plugin.enabled }}
           - --use-coredns-plugin=true
           {{- end }}
+          {{- if .Values.admission.validatingWebhooks }}
+          {{- range .Values.admission.validatingWebhooks }}
+          - --enforce-validating-hook={{ . | b64enc }}
+          {{- end }}
+          {{- end }}
+          {{- if .Values.admission.mutatingWebhooks }}
+          {{- range .Values.admission.mutatingWebhooks }}
+          - --enforce-mutating-hook={{ . | b64enc }}
+          {{- end }}
+          {{- end }}
           {{- range $f := .Values.syncer.extraArgs }}
           - {{ $f | quote }}
           {{- end }}
diff --git a/charts/k8s/values.yaml b/charts/k8s/values.yaml
index 2d5a486a1..63ce74fdf 100644
--- a/charts/k8s/values.yaml
+++ b/charts/k8s/values.yaml
@@ -533,6 +533,13 @@ init:
 multiNamespaceMode:
   enabled: false
 
+
+# list of {validating/mutating}webhooks that the syncer should proxy.
+# This is a PRO only feature.
+admission:
+  validatingWebhooks: []
+  mutatingWebhooks: []
+
 telemetry:
   disabled: false
   instanceCreator: "helm"
diff --git a/pkg/config/helmvalues/k3s.go b/pkg/config/helmvalues/k3s.go
index 1024d9bb3..3640078e8 100644
--- a/pkg/config/helmvalues/k3s.go
+++ b/pkg/config/helmvalues/k3s.go
@@ -89,6 +89,7 @@ type BaseHelm struct {
 	Telemetry          TelemetryValues  `json:"telemetry,omitempty"`
 	NoopSyncer         NoopSyncerValues `json:"noopSyncer,omitempty"`
 	Monitoring         MonitoringValues `json:"monitoring,omitempty"`
+	Admission          AdmissionValues  `json:"admission,omitempty"`
 }
 
 type SyncerValues struct {
@@ -379,3 +380,8 @@ type NoopSyncerValues struct {
 		KubeConfig          string `json:"kubeConfig,omitempty"`
 	}
 }
+
+type AdmissionValues struct {
+	ValidatingWebhooks []string `json:"validatingWebhooks,omitempty"`
+	MutatingWebhooks   []string `json:"mutatingWebhooks,omitempty"`
+}