From d03bedf261cf4f1bf1bac32af7ccb397d4ba6d0d Mon Sep 17 00:00:00 2001
From: Filipe
Date: Thu, 9 Sep 2021 20:01:17 +1200
Subject: [PATCH] Fix API versions for k8s < 1.21 (#1413)
---
 charts/vault-secrets-webhook/Chart.yaml | 2 +-
 .../templates/_helpers.tpl | 42 +++++++++++++++++++
 .../templates/apiservice-webhook.yaml | 26 ++++++------
 .../templates/webhook-ingress.yaml | 4 +-
 .../templates/webhook-pdb.yaml | 2 +-
 .../templates/webhook-psp.yaml | 4 +-
 charts/vault-secrets-webhook/values.yaml | 3 ++
 7 files changed, 64 insertions(+), 19 deletions(-)
diff --git a/charts/vault-secrets-webhook/Chart.yaml b/charts/vault-secrets-webhook/Chart.yaml
index d01fddb99f..7deaf81426 100755
--- a/charts/vault-secrets-webhook/Chart.yaml
+++ b/charts/vault-secrets-webhook/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: vault-secrets-webhook
-version: 1.14.0
+version: 1.14.1
 appVersion: 1.14.0
 description: A Helm chart that deploys a mutating admission webhook that configures applications to request env vars from Vault Secrets
 home: https://banzaicloud.com/products/bank-vaults/
diff --git a/charts/vault-secrets-webhook/templates/_helpers.tpl b/charts/vault-secrets-webhook/templates/_helpers.tpl
index 6732f1a02b..57d309c641 100644
--- a/charts/vault-secrets-webhook/templates/_helpers.tpl
+++ b/charts/vault-secrets-webhook/templates/_helpers.tpl
@@ -67,3 +67,45 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Return the target Kubernetes version.
+https://github.com/bitnami/charts/blob/master/bitnami/common/templates/_capabilities.tpl
+*/}}
+{{- define "vault-secrets-webhook.capabilities.kubeVersion" -}}
+{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for policy.
+*/}}
+{{- define "vault-secrets-webhook.capabilities.policy.apiVersion" -}}
+{{- if semverCompare "<1.21-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) -}}
+{{- print "policy/v1beta1" -}}
+{{- else -}}
+{{- print "policy/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for ingress.
+*/}}
+{{- define "vault-secrets-webhook.capabilities.ingress.apiVersion" -}}
+{{- if .Values.ingress -}}
+{{- if .Values.ingress.apiVersion -}}
+{{- .Values.ingress.apiVersion -}}
+{{- else if semverCompare "<1.14-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else if semverCompare "<1.19-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) -}}
+{{- print "networking.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "networking.k8s.io/v1" -}}
+{{- end }}
+{{- else if semverCompare "<1.14-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else if semverCompare "<1.19-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) -}}
+{{- print "networking.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "networking.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/vault-secrets-webhook/templates/apiservice-webhook.yaml b/charts/vault-secrets-webhook/templates/apiservice-webhook.yaml
index f7782f5dab..078ff33c31 100644
--- a/charts/vault-secrets-webhook/templates/apiservice-webhook.yaml
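Review bot: The doc comment on `vault-secrets-webhook.capabilities.policy.apiVersion` says "for policy", but the `policy/v1` it returns from 1.21 is only right for PodDisruptionBudget. PodSecurityPolicy lives in the same API group and was never served as `policy/v1`, so a later edit that points webhook-psp.yaml at this helper would break the PSP manifests. I would change the comment to `Return the apiVersion for PodDisruptionBudget (policy/v1 from Kubernetes 1.21). Not valid for PodSecurityPolicy.` Separately, the ingress helper repeats the same three-step version ladder in both branches of `if .Values.ingress`; only the `.Values.ingress.apiVersion` override differs, so a single ladder after the override check would be easier to keep correct.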
+++ b/charts/vault-secrets-webhook/templates/apiservice-webhook.yaml
@@ -35,7 +35,7 @@ data:
 ca.crt: {{ $caCrt }}
 {{- end }}
 ---
-{{- if semverCompare ">=1.16-0" .Capabilities.KubeVersion.GitVersion }}
+{{- if semverCompare ">=1.16-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
 apiVersion: admissionregistration.k8s.io/v1
 {{- else }}
 apiVersion: admissionregistration.k8s.io/v1beta1
@@ -53,7 +53,7 @@ metadata:
 {{- end }}
 webhooks:
 - name: pods.{{ template "vault-secrets-webhook.name" . }}.admission.banzaicloud.com
- {{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion }}
+ {{- if semverCompare ">=1.14-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
 admissionReviewVersions: ["v1beta1"]
 {{- if .Values.timeoutSeconds }}
 timeoutSeconds: {{ .Values.timeoutSeconds }}
@@ -92,7 +92,7 @@ webhooks:
 operator: NotIn
 values:
 - {{ .Release.Namespace }}
-{{- if semverCompare ">=1.15-0" .Capabilities.KubeVersion.GitVersion }}
+{{- if semverCompare ">=1.15-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
 objectSelector:
 {{- if .Values.objectSelector.matchLabels }}
 matchLabels:
@@ -107,11 +107,11 @@ webhooks:
 values:
 - skip
 {{- end }}
-{{- if semverCompare ">=1.12-0" .Capabilities.KubeVersion.GitVersion }}
+{{- if semverCompare ">=1.12-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
 sideEffects: {{ .Values.apiSideEffectValue }}
 {{- end }}
 - name: secrets.{{ template "vault-secrets-webhook.name" . }}.admission.banzaicloud.com
- {{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion }}
+ {{- if semverCompare ">=1.14-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
 admissionReviewVersions: ["v1beta1"]
 {{- if .Values.timeoutSeconds }}
 timeoutSeconds: {{ .Values.timeoutSeconds }}
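Review bot: The same `(include "vault-secrets-webhook.capabilities.kubeVersion" .)` call is now spelled out in every `semverCompare` gate of this file, starting in the `@@ -35,7` hunk and repeated in all the later hunks of apiservice-webhook.yaml. Binding it once near the top of the template, `{{- $kubeVersion := include "vault-secrets-webhook.capabilities.kubeVersion" . -}}`, and comparing against `$kubeVersion` would shorten the gates. It would also make it harder for a later edit to reintroduce a direct `.Capabilities` lookup in just one of them, which would leave the webhook's `objectSelector` or `sideEffects` gated on a different version than the rest. The top of the file is outside these hunks, so the binding must be placed outside any enclosing `if`/`range` block to stay in scope.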
@@ -151,7 +151,7 @@ webhooks:
 operator: NotIn
 values:
 - {{ .Release.Namespace }}
-{{- if semverCompare ">=1.15-0" .Capabilities.KubeVersion.GitVersion }}
+{{- if semverCompare ">=1.15-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
 objectSelector:
 {{- if .Values.objectSelector.matchLabels }}
 matchLabels:
@@ -170,12 +170,12 @@ webhooks:
 values:
 - skip
 {{- end }}
-{{- if semverCompare ">=1.12-0" .Capabilities.KubeVersion.GitVersion }}
+{{- if semverCompare ">=1.12-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
 sideEffects: {{ .Values.apiSideEffectValue }}
 {{- end }}
 {{- if .Values.configMapMutation }}
 - name: configmaps.{{ template "vault-secrets-webhook.name" . }}.admission.banzaicloud.com
- {{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion }}
+ {{- if semverCompare ">=1.14-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
 admissionReviewVersions: ["v1beta1"]
 {{- if .Values.timeoutSeconds }}
 timeoutSeconds: {{ .Values.timeoutSeconds }}
@@ -215,7 +215,7 @@ webhooks:
 operator: NotIn
 values:
 - {{ .Release.Namespace }}
-{{- if semverCompare ">=1.15-0" .Capabilities.KubeVersion.GitVersion }}
+{{- if semverCompare ">=1.15-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
 objectSelector:
 {{- if .Values.objectSelector.matchLabels }}
 matchLabels:
@@ -234,13 +234,13 @@ webhooks:
 values:
 - skip
 {{- end }}
-{{- if semverCompare ">=1.12-0" .Capabilities.KubeVersion.GitVersion }}
+{{- if semverCompare ">=1.12-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
 sideEffects: {{ .Values.apiSideEffectValue }}
 {{- end }}
 {{- end }}
 {{- if .Values.customResourceMutations }}
 - name: objects.{{ template "vault-secrets-webhook.name" . }}.admission.banzaicloud.com
- {{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion }}
+ {{- if semverCompare ">=1.14-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
 admissionReviewVersions: ["v1beta1"]
 {{- if .Values.timeoutSeconds }}
 timeoutSeconds: {{ .Values.timeoutSeconds }}
@@ -280,7 +280,7 @@ webhooks:
 operator: NotIn
 values:
 - {{ .Release.Namespace }}
-{{- if semverCompare ">=1.15-0" .Capabilities.KubeVersion.GitVersion }}
+{{- if semverCompare ">=1.15-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
 objectSelector:
 {{- if .Values.objectSelector.matchLabels }}
 matchLabels:
@@ -295,7 +295,7 @@ webhooks:
 values:
 - skip
 {{- end }}
-{{- if semverCompare ">=1.12-0" .Capabilities.KubeVersion.GitVersion }}
+{{- if semverCompare ">=1.12-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
 sideEffects: {{ .Values.apiSideEffectValue }}
 {{- end }}
 {{- end }}
diff --git a/charts/vault-secrets-webhook/templates/webhook-ingress.yaml b/charts/vault-secrets-webhook/templates/webhook-ingress.yaml
index 21c03a920d..8d06e975c6 100644
--- a/charts/vault-secrets-webhook/templates/webhook-ingress.yaml
+++ b/charts/vault-secrets-webhook/templates/webhook-ingress.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.ingress.enabled }}
 ---
-apiVersion: networking.k8s.io/v1
+apiVersion: {{ include "vault-secrets-webhook.capabilities.ingress.apiVersion" . }}
 kind: Ingress
 metadata:
 name: {{ template "vault-secrets-webhook.fullname" . }}
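Review bot: Only the `apiVersion` line of the Ingress is made version-dependent in the `@@ -1,6` hunk of webhook-ingress.yaml, while the rest of the manifest keeps a single shape. The file's second hunk shows the backend ending in `port:` / `number: {{ .Values.service.externalPort }}`, which looks like the `networking.k8s.io/v1` backend layout; the `networking.k8s.io/v1beta1` and `extensions/v1beta1` Ingress APIs expect `serviceName` and `servicePort` instead. If that reading is right, clusters below 1.19 would receive a manifest the API server rejects, so the backend block needs the same version switch (and `pathType`, if the template sets it, should be checked too). The middle of the template, including the `service:` key assumed below, is outside both hunks; indentation in the sketch has to be matched to the file.

```yaml
# … unchanged: rules / paths down to the backend key (outside the hunks) …
{{- if eq (include "vault-secrets-webhook.capabilities.ingress.apiVersion" .) "networking.k8s.io/v1" }}
service:
  name: {{ template "vault-secrets-webhook.fullname" . }}
  port:
    number: {{ .Values.service.externalPort }}
{{- else }}
serviceName: {{ template "vault-secrets-webhook.fullname" . }}
servicePort: {{ .Values.service.externalPort }}
{{- end }}
```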
@@ -25,4 +25,4 @@ spec: name: {{ template "vault-secrets-webhook.fullname" . }} port: number: {{ .Values.service.externalPort }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/vault-secrets-webhook/templates/webhook-pdb.yaml b/charts/vault-secrets-webhook/templates/webhook-pdb.yaml index cc391339c8..b2734f6544 100644 --- a/charts/vault-secrets-webhook/templates/webhook-pdb.yaml +++ b/charts/vault-secrets-webhook/templates/webhook-pdb.yaml @@ -1,5 +1,5 @@ {{- if .Values.podDisruptionBudget.enabled }} -apiVersion: policy/v1 +apiVersion: {{ include "vault-secrets-webhook.capabilities.policy.apiVersion" . }} kind: PodDisruptionBudget metadata: name: {{ template "vault-secrets-webhook.fullname" . }} diff --git a/charts/vault-secrets-webhook/templates/webhook-psp.yaml b/charts/vault-secrets-webhook/templates/webhook-psp.yaml index 808b2e1a5e..9fa6ab2e54 100644 --- a/charts/vault-secrets-webhook/templates/webhook-psp.yaml +++ b/charts/vault-secrets-webhook/templates/webhook-psp.yaml @@ -1,5 +1,5 @@ {{- if .Values.rbac.psp.enabled }} -{{- if semverCompare ">=1.16-0" .Capabilities.KubeVersion.GitVersion }} +{{- if semverCompare ">=1.16-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }} apiVersion: policy/v1beta1 {{- else }} apiVersion: extensions/v1beta1 @@ -35,7 +35,7 @@ spec: - emptyDir - configMap --- -{{- if semverCompare ">=1.16-0" .Capabilities.KubeVersion.GitVersion }} +{{- if semverCompare ">=1.16-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }} apiVersion: policy/v1beta1 {{- else }} apiVersion: extensions/v1beta1 diff --git a/charts/vault-secrets-webhook/values.yaml b/charts/vault-secrets-webhook/values.yaml index c7f3964727..ce9a6a0fd7 100644 --- a/charts/vault-secrets-webhook/values.yaml +++ b/charts/vault-secrets-webhook/values.yaml @@ -173,3 +173,6 @@ podDisruptionBudget: timeoutSeconds: false hostNetwork: false + +# Override cluster version +kubeVersion: ""
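Review bot: Both `apiVersion` gates in webhook-psp.yaml still have only a lower bound, so every version at or above 1.16 renders `policy/v1beta1`. PodSecurityPolicy was deprecated in 1.21 and is no longer served from 1.25, so with `rbac.psp.enabled` set the release would fail to install there, and an operator would have to notice that the pod restrictions now need another mechanism. Since this commit is about matching API versions to the cluster, I would bound the outer condition, e.g. `{{- if and .Values.rbac.psp.enabled (semverCompare "<1.25-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .)) }}`, or at least document the limit next to `rbac.psp.enabled`. The same applies to the second gate in the `@@ -35,7` hunk of this file.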
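Review bot: The comment on the new `kubeVersion` value does not say what format is expected or what a wrong value does. The value feeds every `semverCompare` gate in apiservice-webhook.yaml, so a stale override can render the MutatingWebhookConfiguration without `objectSelector` or `sideEffects`, which changes the set of objects the webhook mutates without any error at render time. I would replace the comment with `# Kubernetes version to render manifests for, e.g. "1.20.0". Leave empty to use the version reported by the cluster.` followed by `# Must match the target cluster: it selects API versions and which webhook selector fields are emitted.`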