
Support annotations on ValidatingWebhookConfigurations in order to su… (#4638)

* Support annotations on ValidatingWebhookConfigurations in order to support OCP servicing certs

Signed-off-by: David J. M. Karlsen <david@davidkarlsen.com>

* Update docs

Signed-off-by: David J. M. Karlsen <david@davidkarlsen.com>

* Update snapshots

Signed-off-by: David J. M. Karlsen <david@davidkarlsen.com>

---------

Signed-off-by: David J. M. Karlsen <david@davidkarlsen.com>
David J. M. Karlsen 1 year ago
parent
commit
d0199f8143

+ 1 - 0
deploy/charts/external-secrets/README.md

@@ -169,6 +169,7 @@ The command removes all the Kubernetes components associated with the chart and
 | tolerations | list | `[]` |  |
 | topologySpreadConstraints | list | `[]` |  |
 | webhook.affinity | object | `{}` |  |
+| webhook.annotations | object | `{}` | Annotations to place on validating webhook configuration. |
 | webhook.certCheckInterval | string | `"5m"` | Specifices the time to check if the cert is valid |
 | webhook.certDir | string | `"/tmp/certs"` |  |
 | webhook.certManager.addInjectorAnnotations | bool | `true` | Automatically add the cert-manager.io/inject-ca-from annotation to the webhooks and CRDs. As long as you have the cert-manager CA Injector enabled, this will automatically setup your webhook's CA to the one used by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector |

+ 12 - 2
deploy/charts/external-secrets/templates/validatingwebhook.yaml

@@ -6,9 +6,14 @@ metadata:
   labels:
     {{- include "external-secrets-webhook.labels" . | nindent 4 }}
     external-secrets.io/component: webhook
-  {{- if and .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
+  {{- if or .Values.webhook.annotations (and .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations) }}
   annotations:
+    {{- if and .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
     cert-manager.io/inject-ca-from: {{ template "external-secrets.namespace" . }}/{{ include "external-secrets.fullname" . }}-webhook
+    {{- end }}
+    {{- if .Values.webhook.annotations }}
+    {{- toYaml .Values.webhook.annotations | nindent 4 }}
+    {{- end }}
   {{- end }}
 webhooks:
 - name: "validate.secretstore.external-secrets.io"
@@ -50,9 +55,14 @@ metadata:
   labels:
     {{- include "external-secrets-webhook.labels" . | nindent 4 }}
     external-secrets.io/component: webhook
-  {{- if and .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
+  {{- if or .Values.webhook.annotations (and .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations) }}
   annotations:
+    {{- if and .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
     cert-manager.io/inject-ca-from: {{ template "external-secrets.namespace" . }}/{{ include "external-secrets.fullname" . }}-webhook
+    {{- end }}
+    {{- if .Values.webhook.annotations }}
+    {{- toYaml .Values.webhook.annotations | nindent 4 }}
+    {{- end }}
   {{- end }}
 webhooks:
 - name: "validate.externalsecret.external-secrets.io"
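Review bot: A user-supplied `cert-manager.io/inject-ca-from` key in `webhook.annotations` is rendered twice under `annotations:` when cert-manager injection is also on (the explicit inject-ca-from line, then the `toYaml` line), so which CA reference the webhook ends up trusting depends on how the consumer's YAML decoder treats duplicate keys rather than on the chart. Dropping the colliding key before rendering makes the chart-managed annotation authoritative, e.g. `{{- toYaml (omit .Values.webhook.annotations "cert-manager.io/inject-ca-from") | nindent 4 }}`, and a one-line note in the values comment that this key is reserved when certManager injection is enabled would make the precedence visible. The same pattern is repeated in the second hunk for the externalsecret webhook configuration and should get the same treatment. Both hunks sit inside documents whose `webhooks:` lists continue outside the hunk.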

+ 1 - 1
deploy/charts/external-secrets/tests/__snapshot__/crds_test.yaml.snap

@@ -4,7 +4,7 @@ should match snapshot of default values:
     kind: CustomResourceDefinition
     metadata:
       annotations:
-        controller-gen.kubebuilder.io/version: v0.17.2
+        controller-gen.kubebuilder.io/version: v0.17.3
       labels:
         external-secrets.io/component: controller
       name: secretstores.external-secrets.io

+ 4 - 0
deploy/charts/external-secrets/values.schema.json

@@ -629,6 +629,10 @@
                     "properties": {},
                     "type": "object"
                 },
+                "annotations": {
+                    "properties": {},
+                    "type": "object"
+                },
                 "certCheckInterval": {
                     "type": "string"
                 },
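Review bot: The new `annotations` entry accepts values of any type, but Kubernetes annotation values must be strings, so a value such as `foo: true` passes `helm lint`'s schema check and only fails at the API server after `toYaml` renders it unquoted. Replacing `"properties": {}` with `"additionalProperties": {"type": "string"}` surfaces that at install time; if this file is generated from values.yaml, the change belongs in the generator's source instead. The enclosing `webhook` properties object starts and ends outside the hunk.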

+ 2 - 0
deploy/charts/external-secrets/values.yaml

@@ -250,6 +250,8 @@ podDisruptionBudget:
 hostNetwork: false
 
 webhook:
+  # -- Annotations to place on validating webhook configuration.
+  annotations: {}
   # -- Specifies whether a webhook deployment be created. If set to false, crds.conversion.enabled should also be set to false otherwise the kubeapi will be hammered because the conversion is looking for a webhook endpoint.
   create: true
   # -- Specifices the time to check if the cert is valid