
Add options for the webhook deployment:

* hostNetwork for webhook pod
 * FailurePolicy for validatingwebhook definition
 * Changed webhook port to a configurable value
 * Defined default value as 9443
Fixes #944

Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
This commit is contained in:
Gustavo Carvalho 2022-04-07 08:54:01 -03:00
parent 4cbf1b8742
commit b5220fa618
8 changed files with 21 additions and 3 deletions


@ -50,6 +50,7 @@ var (
controllerClass string
enableLeaderElection bool
concurrent int
port int
loglevel string
namespace string
enableClusterStoreReconciler bool


@ -96,7 +96,7 @@ var webhookCmd = &cobra.Command{
Scheme: scheme,
MetricsBindAddress: metricsAddr,
HealthProbeBindAddress: healthzAddr,
Port: 9443,
Port: port,
CertDir: certDir,
})
if err != nil {
@ -171,6 +171,7 @@ func init() {
rootCmd.AddCommand(webhookCmd)
webhookCmd.Flags().StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
webhookCmd.Flags().StringVar(&healthzAddr, "healthz-addr", ":8081", "The address the health endpoint binds to.")
webhookCmd.Flags().IntVar(&port, "port", 9443, "The address the health endpoint binds to.")
webhookCmd.Flags().StringVar(&dnsName, "dns-name", "localhost", "DNS name to validate certificates with")
webhookCmd.Flags().StringVar(&certDir, "cert-dir", "/tmp/k8s-webhook-server/serving-certs", "path to check for certs")
webhookCmd.Flags().StringVar(&loglevel, "loglevel", "info", "loglevel to use, one of: debug, info, warn, error, dpanic, panic, fatal")
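Review bot: The help text on the new `--port` flag is copied from `--healthz-addr` and describes the health endpoint, so `--help` misdescribes the webhook listener; change it to `webhookCmd.Flags().IntVar(&port, "port", 9443, "The port the webhook server listens on.")`. The value goes straight into the manager options' `Port` with no range check, so an out-of-range number only surfaces as a listen failure at startup; a `if port < 1 || port > 65535 { ... }` guard before the manager is built gives a clearer error, and it is worth documenting that a port below 1024 needs root or CAP_NET_BIND_SERVICE in the container. Both the `webhookCmd` body and `init` continue outside the hunk.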


@ -103,7 +103,9 @@ The command removes all the Kubernetes components associated with the chart and
| webhook.deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
| webhook.extraArgs | object | `{}` | |
| webhook.extraEnv | list | `[]` | |
| webhook.failurePolicy | string | `"Fail"` | specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore |
| webhook.fullnameOverride | string | `""` | |
| webhook.hostNetwork | bool | `false` | Specifies if webhook pod should use hostNetwork or not. |
| webhook.image.pullPolicy | string | `"IfNotPresent"` | |
| webhook.image.repository | string | `"ghcr.io/external-secrets/external-secrets"` | |
| webhook.image.tag | string | `""` | The image tag to use. The default is the chart appVersion. |
@ -113,6 +115,7 @@ The command removes all the Kubernetes components associated with the chart and
| webhook.podAnnotations | object | `{}` | Annotations to add to Pod |
| webhook.podLabels | object | `{}` | |
| webhook.podSecurityContext | object | `{}` | |
| webhook.port | int | `443` | The port the webhook will listen to |
| webhook.priorityClassName | string | `""` | Pod priority class name. |
| webhook.prometheus.enabled | bool | `false` | Specifies whether to expose Service resource for collecting Prometheus metrics |
| webhook.prometheus.service.port | int | `8080` | |


@ -65,4 +65,5 @@ webhooks:
admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None
timeoutSeconds: 5
failurePolicy: {{ .Values.webhook.failurePolicy}}
{{- end }}
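Review bot: `failurePolicy: Ignore` makes the API server admit the objects this webhook validates without any check whenever the webhook is unreachable, which silently disables the enforcement the webhook exists for; the new line accepts any string and leaves that trade-off undocumented. I'd reject unknown values at render time rather than at apply time with `{{- if not (has .Values.webhook.failurePolicy (list "Fail" "Ignore")) }}{{ fail "webhook.failurePolicy must be Fail or Ignore" }}{{- end }}`, and extend the values comment to say that Ignore trades enforcement for availability. The new line is also missing the space before `}}` that the rest of the template uses (`{{ .Values.webhook.failurePolicy }}`). The `webhooks:` list this hunk closes begins outside the hunk.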


@ -31,6 +31,7 @@ spec:
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
hostNetwork: {{ .Values.webhook.hostNetwork}}
serviceAccountName: {{ include "external-secrets-webhook.serviceAccountName" . }}
{{- with .Values.webhook.podSecurityContext }}
securityContext:
@ -46,6 +47,7 @@ spec:
imagePullPolicy: {{ .Values.webhook.image.pullPolicy }}
args:
- webhook
- --port={{ .Values.webhook.port }}
- --dns-name={{ include "external-secrets.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
- --cert-dir={{ .Values.webhook.certDir }}
- --check-interval={{ .Values.webhook.certCheckInterval }}
@ -60,7 +62,7 @@ spec:
- containerPort: {{ .Values.webhook.prometheus.service.port }}
protocol: TCP
name: metrics
- containerPort: 9443
- containerPort: {{ .Values.webhook.port }}
protocol: TCP
name: webhook
readinessProbe:
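Review bot: `hostNetwork: {{ .Values.webhook.hostNetwork}}` puts the webhook listener, and by the looks of the args the metrics and health ports too, into the node's network namespace when enabled: they become reachable from the node network instead of only through the Service, the chosen `webhook.port` must be free on every node the pod lands on, and a pod with `hostNetwork: true` is rejected by the baseline and restricted Pod Security Standards. If the option stays, pair it with the DNS policy host-network pods normally need, `{{- if .Values.webhook.hostNetwork }}` / `dnsPolicy: ClusterFirstWithHostNet` / `{{- end }}`, since otherwise the pod resolves names through the node's resolver rather than cluster DNS; whether this webhook depends on cluster DNS is not visible in the hunk, so confirm. The new line is also missing the space before `}}`. The container spec continues beyond the hunk.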


@ -17,7 +17,7 @@ spec:
type: ClusterIP
ports:
- port: 443
targetPort: 9443
targetPort: {{ .Values.webhook.port }}
protocol: TCP
name: webhook
{{- if .Values.webhook.prometheus.enabled}}


@ -112,6 +112,10 @@ webhook:
certCheckInterval: "5m"
replicaCount: 1
certDir: /tmp/certs
# -- specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore
failurePolicy: Fail
# -- Specifies if webhook pod should use hostNetwork or not.
hostNetwork: false
image:
repository: ghcr.io/external-secrets/external-secrets
pullPolicy: IfNotPresent
@ -120,6 +124,8 @@ webhook:
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
# -- The port the webhook will listen to
port: 443
rbac:
# -- Specifies whether role and rolebinding resources should be created.
create: true
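Review bot: The chart default `port: 443` disagrees with the CLI default of 9443 added in the same commit, and because 443 is a privileged port the container can only bind it when it runs as root or carries CAP_NET_BIND_SERVICE, neither of which the chart grants or documents; the e2e override to 9443 elsewhere in this commit suggests the default does not work as shipped. I'd either keep the previous behaviour with `port: 9443` or spell out the requirement in the comment: `# -- The port the webhook will listen to. Ports below 1024 require the container to run as root or with CAP_NET_BIND_SERVICE.` Confirm the image's runtime user before choosing.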


@ -35,6 +35,10 @@ func NewESO(mutators ...MutationFunc) *ESO {
Key: "image.repository",
Value: os.Getenv("IMAGE_REGISTRY"),
},
{
Key: "webhook.port",
Value: "9443",
},
{
Key: "webhook.image.repository",
Value: os.Getenv("IMAGE_REGISTRY"),
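Review bot: Pinning `webhook.port` to `"9443"` in the e2e defaults means the chart's new default of 443 is never exercised by the suite, and the override carries no explanation of why it is needed. Add a comment above the entry, e.g. `// chart default 443 is a privileged port; presumably unbindable by the image's non-root user — confirm`, or drop the override so the shipped default is what gets tested. `NewESO` continues outside the hunk.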