Merge pull request #4135 from heliapb/fix/rollout_op

[rollout-operator] change: `namespaceSelector` in webooks

Author: tcp13equals2

charts/rollout-operator/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: rollout-operator
 description: "Grafana rollout-operator"
 type: application
-version: 0.43.0
+version: 0.44.0
 appVersion: v0.35.0
 home: https://github.com/grafana/rollout-operator
 kubeVersion: ^1.10.0-0

charts/rollout-operator/README.md

@@ -4,7 +4,7 @@ Helm chart for deploying [Grafana rollout-operator](https://github.com/grafana/r
 
 # rollout-operator
 
-![Version: 0.43.0](https://img.shields.io/badge/Version-0.43.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.35.0](https://img.shields.io/badge/AppVersion-v0.35.0-informational?style=flat-square)
+![Version: 0.44.0](https://img.shields.io/badge/Version-0.44.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.35.0](https://img.shields.io/badge/AppVersion-v0.35.0-informational?style=flat-square)
 
 Grafana rollout-operator
 
@@ -62,7 +62,7 @@ Manually applying these CRDs is only required if upgrading from a chart <= v0.32
 | imagePullSecrets | list | `[]` |  |
 | minReadySeconds | int | `10` |  |
 | nameOverride | string | `""` |  |
-| namespaceSelector.matchExpressions | list | `[]` | Namespace selector to filter which namespaces the webhooks apply to. See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector Example:     matchExpressions:       - key: team         operator: NotIn         values:           - team-a |
+| namespaceSelector | object | `{"matchExpressions":[]}` | Namespace selector applied to all webhooks. Defaults to restricting to the release namespace. See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector |
 | nodeSelector | object | `{}` |  |
 | podAnnotations | object | `{}` | Pod Annotations |
 | podLabels | object | `{}` | Pod (extra) Labels |

charts/rollout-operator/templates/no-downscale-webhook.yaml

@@ -28,13 +28,24 @@ webhooks:
         scope: Namespaced
     admissionReviewVersions:
       - v1
+    {{- if not (kindIs "invalid" .Values.namespaceSelector) }}
     namespaceSelector:
+      {{- if .Values.namespaceSelector.matchLabels }}
+      matchLabels:
+        {{- toYaml .Values.namespaceSelector.matchLabels | nindent 8 }}
+      {{- with .Values.namespaceSelector.matchExpressions }}
+      matchExpressions:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- else }}
       matchLabels:
         kubernetes.io/metadata.name: {{ .Release.Namespace | quote }}
       {{- with .Values.namespaceSelector.matchExpressions }}
       matchExpressions:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- end }}
+    {{- end }}
     {{- with .Values.webhooks.objectSelector }}
     objectSelector:
       {{- toYaml . | nindent 6 }}

charts/rollout-operator/templates/pod-eviction-webhook.yaml

@@ -27,13 +27,20 @@ webhooks:
         scope: Namespaced
     admissionReviewVersions:
       - v1
+    {{- if not (kindIs "invalid" .Values.namespaceSelector) }}
     namespaceSelector:
+      {{- if .Values.namespaceSelector.matchLabels }}
+      matchLabels:
+        {{- toYaml .Values.namespaceSelector.matchLabels | nindent 8 }}
+      {{- else }}
       matchLabels:
         kubernetes.io/metadata.name: {{ .Release.Namespace | quote }}
+      {{- end }}
       {{- with .Values.namespaceSelector.matchExpressions }}
       matchExpressions:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+    {{- end }}
     {{- with .Values.webhooks.objectSelector }}
     objectSelector:
       {{- toYaml . | nindent 6 }}

charts/rollout-operator/templates/prepare-downscale-webhook.yaml

@@ -28,13 +28,20 @@ webhooks:
         scope: Namespaced
     admissionReviewVersions:
       - v1
+    {{- if not (kindIs "invalid" .Values.namespaceSelector) }}
     namespaceSelector:
+      {{- if .Values.namespaceSelector.matchLabels }}
+      matchLabels:
+        {{- toYaml .Values.namespaceSelector.matchLabels | nindent 8 }}
+      {{- else }}
       matchLabels:
         kubernetes.io/metadata.name: {{ .Release.Namespace | quote }}
+      {{- end }}
       {{- with .Values.namespaceSelector.matchExpressions }}
       matchExpressions:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+    {{- end }}
     {{- with .Values.webhooks.objectSelector }}
     objectSelector:
       {{- toYaml . | nindent 6 }}

charts/rollout-operator/templates/zone-aware-pod-disruption-budget-validating-webhook.yaml

@@ -27,13 +27,20 @@ webhooks:
           - zoneawarepoddisruptionbudgets
         scope: Namespaced
     admissionReviewVersions: ["v1"]
+    {{- if not (kindIs "invalid" .Values.namespaceSelector) }}
     namespaceSelector:
+      {{- if .Values.namespaceSelector.matchLabels }}
+      matchLabels:
+        {{- toYaml .Values.namespaceSelector.matchLabels | nindent 8 }}
+      {{- else }}
       matchLabels:
         kubernetes.io/metadata.name: {{ .Release.Namespace | quote }}
+      {{- end }}
       {{- with .Values.namespaceSelector.matchExpressions }}
       matchExpressions:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+    {{- end }}
     {{- with .Values.webhooks.objectSelector }}
     objectSelector:
       {{- toYaml . | nindent 6 }}

charts/rollout-operator/values.yaml

@@ -125,13 +125,36 @@ webhooks:
   #         values:
   #           - production
 
+# -- Namespace selector applied to all webhooks. Defaults to restricting to the release namespace.
+# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
 namespaceSelector:
-  # -- Namespace selector to filter which namespaces the webhooks apply to.
-  # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
-  # Example:
+  # Example 1 - matchExpressions only: merged with the default release namespace matchLabels.
+  #   values.yaml:
   #     matchExpressions:
   #       - key: team
   #         operator: NotIn
-  #         values:
-  #           - team-a
+  #         values: [team-a]
+  #   renders:
+  #     namespaceSelector:
+  #       matchLabels:
+  #         kubernetes.io/metadata.name: <release-namespace>
+  #       matchExpressions:
+  #         - key: team
+  #           operator: NotIn
+  #           values: [team-a]
+  #
+  # Example 2 - matchLabels set: full selector is user-controlled (matchExpressions also supported).
+  #   values.yaml:
+  #     matchLabels:
+  #       kubernetes.io/metadata.name: logging
+  #   renders:
+  #     namespaceSelector:
+  #       matchLabels:
+  #         kubernetes.io/metadata.name: logging
+  #
+  # Example 3 - set to null: omits namespaceSelector entirely (e.g. when objectSelector alone is sufficient).
+  #   values.yaml:
+  #     namespaceSelector: null
+  #   renders:
+  #     (nothing)
   matchExpressions: []