feat: allow disabling validating webhooks

.husky/pre-commit

@@ -5,4 +5,5 @@ echo 'running helm unittest...'
 helm unittest .
 
 echo 'running helm schema generate...'
-helm schema -f values.yaml -o values.schema.json
+helm schema -f values.yaml -o values.schema.json
+git add values.schema.json

README.md

@@ -111,10 +111,11 @@ CRDs are located in `chart/crds/` and are installed automatically. The API group
 | `metricsService.ports[0].targetPort` | Container target port | `8443` |
 | `metricsService.ports[0].protocol` | Protocol | `TCP` |
 
-### Webhook Service
+### Webhooks
 
 | Parameter | Description | Default |
 |-----------|-------------|---------|
+| `webhooks.enabled` | Enable or disable all Kubernetes admission webhook resources (ValidatingWebhookConfiguration, webhook Service, TLS Certificate, Issuer, and NetworkPolicy). Also sets the `ENABLE_WEBHOOKS` env var on the controller. | `true` |
 | `webhookService.type` | Service type for the webhook endpoint | `ClusterIP` |
 | `webhookService.ports[0].port` | Service port | `443` |
 | `webhookService.ports[0].targetPort` | Container target port | `9443` |

templates/allow-webhook-traffic.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.webhooks.enabled }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -19,3 +20,4 @@ spec:
       control-plane: controller-manager
   policyTypes:
   - Ingress
+{{- end }}

templates/deployment.yaml

@@ -36,6 +36,8 @@ spec:
           value: {{ .Values.controllerManager.appCredentialsSecretNamespace | default .Release.Namespace | quote }}
         - name: KUBERNETES_CLUSTER_DOMAIN
           value: {{ quote .Values.kubernetesClusterDomain }}
+        - name: ENABLE_WEBHOOKS
+          value: {{ .Values.webhooks.enabled | quote }}
         envFrom:
         - configMapRef:
             name: {{ include "git-hubby.fullname" . }}-envs
@@ -54,10 +56,12 @@ spec:
           initialDelaySeconds: 15
           periodSeconds: 20
         name: manager
+        {{- if .Values.webhooks.enabled }}
         ports:
         - containerPort: 9443
           name: webhook-server
           protocol: TCP
+        {{- end }}
         readinessProbe:
           httpGet:
             path: /readyz
@@ -68,10 +72,12 @@ spec:
           }}
         securityContext: {{- toYaml .Values.controllerManager.manager.containerSecurityContext
           | nindent 10 }}
+        {{- if .Values.webhooks.enabled }}
         volumeMounts:
         - mountPath: /tmp/k8s-webhook-server/serving-certs
           name: webhook-certs
           readOnly: true
+        {{- end }}
       nodeSelector: {{- toYaml .Values.controllerManager.nodeSelector | nindent 8 }}
       securityContext: {{- toYaml .Values.controllerManager.podSecurityContext | nindent
         8 }}
@@ -92,7 +98,9 @@ spec:
           {{- end }}
         {{- end }}
       {{- end }}
+      {{- if .Values.webhooks.enabled }}
       volumes:
       - name: webhook-certs
         secret:
           secretName: webhook-server-certificate
+      {{- end }}

templates/selfsigned-issuer.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.webhooks.enabled }}
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
@@ -6,3 +7,4 @@ metadata:
   {{- include "git-hubby.labels" . | nindent 4 }}
 spec:
   selfSigned: {}
+{{- end }}

templates/serving-cert.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.webhooks.enabled }}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -30,4 +31,5 @@ spec:
   usages:
     {{- toYaml . | nindent 2 }}
   {{- end }}
+{{- end }}
 

templates/validating-webhook-configuration.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.webhooks.enabled }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
@@ -49,3 +50,4 @@ webhooks:
     resources:
     - repositories
   sideEffects: None
+{{- end }}

templates/webhook-service.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.webhooks.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -11,3 +12,4 @@ spec:
     {{- include "git-hubby.selectorLabels" . | nindent 4 }}
   ports:
   {{- .Values.webhookService.ports | toYaml | nindent 2 }}
+{{- end }}

values.schema.json

@@ -253,6 +253,14 @@
                     "type": "string"
                 }
             }
+        },
+        "webhooks": {
+            "type": "object",
+            "properties": {
+                "enabled": {
+                    "type": "boolean"
+                }
+            }
         }
     }
 }

values.yaml

@@ -1,3 +1,5 @@
+webhooks:
+  enabled: true
 controllerManager:
   podLabels: {}
   watchedNamespaces: