kluster-api · anisurrahman75 · Jan 8, 2026 · Jan 8, 2026 · Jan 16, 2026 · Copilot
diff --git a/charts/aws-credential-manager/templates/_helpers.tpl b/charts/aws-credential-manager/templates/_helpers.tpl
@@ -88,3 +88,38 @@ Returns if ubi images are to be used
 {{- define "operator.ubi" -}}
 {{ ternary "-ubi" "" (list "operator" "all" | has .Values.distro.ubi) }}
 {{- end }}
+
+
+{{ define "aws-credential-manager.webhookServiceName" -}}
+{{- printf "%s-webhook" (include "aws-credential-manager.fullname" . ) | trunc 63 | trimPrefix "-" -}}
+{{- end -}}
+
+{{/*
+Prepare certs
+*/}}
+{{- define "aws-credential-manager.prepare-certs" -}}
+{{- if not ._caCrt }}
+{{- $caCrt := "" }}
+{{- $serverCrt := "" }}
+{{- $serverKey := "" }}
+{{- if .Values.apiserver.servingCerts.generate }}
+{{- $ca := genCA "ca" 3650 }}
+{{ $cn := include "aws-credential-manager.webhookServiceName" . -}}
+{{- $altName1 := printf "%s.%s" $cn .Release.Namespace }}
+{{- $altName2 := printf "%s.%s.svc" $cn .Release.Namespace }}
+{{- $server := genSignedCert $cn nil (list $altName1 $altName2) 3650 $ca }}
+{{- $caCrt =  b64enc $ca.Cert }}
+{{- $serverCrt = b64enc $server.Cert }}
+{{- $serverKey = b64enc $server.Key }}
+{{- else }}
+{{- $caCrt = required "Required when apiserver.servingCerts.generate is false" .Values.apiserver.servingCerts.caCrt }}
+{{- $serverCrt = required "Required when apiserver.servingCerts.generate is false" .Values.apiserver.servingCerts.serverCrt }}
+{{- $serverKey = required "Required when apiserver.servingCerts.generate is false" .Values.apiserver.servingCerts.serverKey }}
+{{- end }}
+
+{{ $_ := set $ "_caCrt" $caCrt }}
+{{ $_ := set $ "_serverCrt" $serverCrt }}
+{{ $_ := set $ "_serverKey" $serverKey }}
+
+{{- end }}
+{{- end }}
diff --git a/charts/aws-credential-manager/templates/cert.yaml b/charts/aws-credential-manager/templates/cert.yaml
@@ -0,0 +1,16 @@
+{{ template "aws-credential-manager.prepare-certs" $ }}
+
+{{- if or .Values.apiserver.enableMutatingWebhook .Values.apiserver.enableValidatingWebhook }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "aws-credential-manager.fullname" . }}-apiserver-cert
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "aws-credential-manager.labels" . | nindent 4 }}
+type: Opaque
+data:
+  ca.crt: {{ $._caCrt }}
+  tls.crt: {{ $._serverCrt }}
+  tls.key: {{ $._serverKey }}
+{{- end }}
diff --git a/charts/aws-credential-manager/templates/deployment.yaml b/charts/aws-credential-manager/templates/deployment.yaml
@@ -47,6 +47,9 @@ spec:
             - --metrics-bind-address=:8443
             - --leader-elect=false
             - --health-probe-bind-address=:{{ .Values.service.port }}
+            - --webhook-cert-path=/var/serving-cert
+            - --aws-max-interval-seconds={{ .Values.bucketAccessor.awsMaxIntervalSeconds }}
+            - --aws-max-wait-seconds={{ .Values.bucketAccessor.awsMaxWaitSeconds }}
           ports:
             - name: http
               containerPort: {{ .Values.service.port }}
@@ -57,12 +60,18 @@ spec:
             {{- toYaml .Values.readinessProbe | nindent 12 }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
-          {{- with .Values.volumeMounts }}
           volumeMounts:
+            - mountPath: /var/serving-cert
+              name: serving-cert
+          {{- with .Values.volumeMounts }}
             {{- toYaml . | nindent 12 }}
           {{- end }}
-      {{- with .Values.volumes }}
       volumes:
+      - name: serving-cert
+        secret:
+          defaultMode: 420
+          secretName: {{ include "aws-credential-manager.fullname" . }}-apiserver-cert
+      {{- with .Values.volumes }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
       {{- with .Values.nodeSelector }}

diff --git a/charts/aws-credential-manager/templates/mutating-webhook.yaml b/charts/aws-credential-manager/templates/mutating-webhook.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.apiserver.enableMutatingWebhook }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: {{ template "aws-credential-manager.fullname" . }}
+  labels:
+    {{- include "aws-credential-manager.labels" . | nindent 4 }}
+webhooks:
+  - name: vjob-v1.kb.io
+    admissionReviewVersions:
+      - v1
+    failurePolicy: {{ .Values.apiserver.webhook.failurePolicy }}
+    sideEffects: None
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+          - DELETE
+        apiGroups:
+          - batch
+        apiVersions:
+          - v1
+        resources:
+          - jobs
+    clientConfig:
+      service:
+        namespace: {{ .Release.Namespace }}
+        name: {{ include "aws-credential-manager.fullname" . }}
+        path: /mutate-batch-v1-job
+      caBundle: {{ .Values.apiserver.ca | b64enc }}
+{{- end }}
diff --git a/charts/aws-credential-manager/templates/service.yaml b/charts/aws-credential-manager/templates/service.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ include "aws-credential-manager.fullname" . }}-stats
+  name: {{ include "aws-credential-manager.fullname" . }}
   namespace: {{ .Release.Namespace }}
   labels:
     {{- include "aws-credential-manager.labels" . | nindent 4 }}

diff --git a/charts/aws-credential-manager/values.yaml b/charts/aws-credential-manager/values.yaml
@@ -87,3 +87,42 @@ distro:
   openshift: false
   # Set operator or all to use ubi images
   ubi: ""
+
+bucketAccessor:
+  awsMaxIntervalSeconds: "5"
+  awsMaxWaitSeconds: "300"
+
+apiserver:
+  # The minimum priority the webhook api group should have at least. Please see
+  # https://github.com/kubernetes/kube-aggregator/blob/release-1.9/pkg/apis/apiregistration/v1beta1/types.go#L58-L64
+  # for more information on proper values of this field.
+  groupPriorityMinimum: 10000
+  # The ordering of the webhook api inside of the group. Please see
+  # https://github.com/kubernetes/kube-aggregator/blob/release-1.9/pkg/apis/apiregistration/v1beta1/types.go#L66-L70
+  # for more information on proper values of this field
+  versionPriority: 15
+  # If true, mutating webhook is configured for Kubernetes workloads
+  enableMutatingWebhook: true
+  # If true, validating webhook is configured for Stash CRDss
+  enableValidatingWebhook: true
+  # CA certificate used by the Kubernetes api server. This field is automatically assigned by the operator.
+  ca: not-ca-cert
+  # If true, bypasses checks that validating webhook is actually enabled in the Kubernetes cluster.
+  bypassValidatingWebhookXray: false
+  # If true, uses kube-apiserver FQDN for AKS cluster to workaround https://github.com/Azure/AKS/issues/522 (default true)
+  useKubeapiserverFqdnForAks: true
+  healthcheck:
+    # If true, enables the readiness and liveliness probes for the operator pod.
+    enabled: false
+  servingCerts:
+    # If true, generates on install/upgrade the certs that allow the kube-apiserver (and potentially ServiceMonitor)
+    # to authenticate operators pods. Otherwise specify certs in `apiserver.servingCerts.{caCrt, serverCrt, serverKey}`.
+    generate: true
+    # CA certficate used by serving certificate of webhook server.
+    caCrt: ""
+    # Serving certficate used by webhook server.
+    serverCrt: ""
+    # Private key for the serving certificate used by webhook server.
+    serverKey: ""
+  webhook:
+    failurePolicy: Ignore