mirror of https://github.com/kyverno/kyverno.git synced 2025-03-30 19:35:06 +00:00
kyverno/charts/kyverno/templates/cleanup-controller/secret.yaml
Charles-Edouard Brétéché 86fc537ce0
feat: add cleanup controller to helm chart (#5329)
* feat: add cleanup controller to helm chart

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* add webhook config

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* rbac

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fixes

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* secret

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* certs

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix labels

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* add server

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* rbac

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* handler

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix linter

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-11-14 18:30:12 +01:00


{{- /*
Webhook TLS material and registration for the cleanup controller, rendered
only when .Values.cleanupController.enabled is set:
  1. Secret <deploymentName>-ca   - self-signed CA (certificate + private key)
  2. Secret <deploymentName>-tls  - serving certificate signed by that CA
  3. ValidatingWebhookConfiguration whose caBundle is the same CA certificate

genCA / genSignedCert run at render time; the 1024 argument is the validity
in days. Every render (install, upgrade, template) therefore yields a fresh
CA and leaf, and both private keys are part of the rendered manifest, so they
also live wherever that manifest is kept (for example the Helm release
record). Limit read access to those places as you would to the Secrets.
*/ -}}
{{- if .Values.cleanupController.enabled -}}
{{- $namespace := include "kyverno.namespace" . -}}
{{- $name := include "kyverno.cleanup-controller.deploymentName" . -}}
{{- $svcName := printf "%s.%s.svc" $name $namespace -}}
{{- $ca := genCA (printf "*.%s.svc" $namespace) 1024 -}}
{{- $cert := genSignedCert $svcName nil (list $svcName) 1024 $ca -}}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $name }}-ca
  labels:
    {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
  namespace: {{ $namespace }}
type: kubernetes.io/tls
data:
  # CA private key: anyone who can read this Secret can issue certificates
  # that the caBundle below trusts. Keep Secret read access here narrow.
  tls.key: {{ $ca.Key | b64enc }}
  tls.crt: {{ $ca.Cert | b64enc }}
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ $name }}-tls
  labels:
    {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
  namespace: {{ $namespace }}
type: kubernetes.io/tls
data:
  # Serving key pair; CN and the single DNS SAN are <name>.<namespace>.svc,
  # no IP SANs are requested.
  tls.key: {{ $cert.Key | b64enc }}
  tls.crt: {{ $cert.Cert | b64enc }}
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: {{ $name }}
  labels:
    {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
webhooks:
  # NOTE(review): only v1beta1 AdmissionReview is offered; confirm whether
  # the handler also supports v1.
  - admissionReviewVersions:
      - v1beta1
    clientConfig:
      # Must stay in sync with the CA that signed the -tls Secret above;
      # both come from the same $ca value in this render.
      caBundle: {{ $ca.Cert | b64enc }}
      service:
        name: {{ $name }}
        namespace: {{ $namespace }}
        # NOTE(review): '/todo' reads like a placeholder; confirm the
        # controller actually serves this path.
        path: /todo
        port: 443
    # Fail closed: matching requests are rejected when the webhook call
    # errors or times out, so policy writes depend on the controller being up.
    failurePolicy: Fail
    matchPolicy: Equivalent
    name: {{ $svcName }}
    rules:
      - apiGroups:
          - kyverno.io
        apiVersions:
          - v1alpha1
        operations:
          - CREATE
          - UPDATE
        resources:
          - clustercleanuppolicies/*
          - cleanuppolicies/*
        scope: '*'
    sideEffects: None
    timeoutSeconds: 10
{{- end -}}