Merge pull request #785 from lakrass/main

csatib02 · web-flow · commit 9541b62727ed · 2025-09-16T10:30:32.000+02:00
feat(helm): added flag to enable mutations in deployment namespace
diff --git a/deploy/charts/vault-secrets-webhook/templates/apiservice-webhook.yaml b/deploy/charts/vault-secrets-webhook/templates/apiservice-webhook.yaml
@@ -175,10 +175,12 @@ webhooks:
     {{- if $podsNamespaceSelector.matchExpressions }}
 {{ toYaml $podsNamespaceSelector.matchExpressions | indent 4 }}
     {{- end }}
+    {{- if .Values.ignoreReleaseNamespace }}
     - key: kubernetes.io/metadata.name
       operator: NotIn
       values:
       - {{ .Release.Namespace }}
+    {{- end }}
 {{- if semverCompare ">=1.15-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
   objectSelector:
   {{- if $podsObjectSelector.matchLabels }}
@@ -243,10 +245,12 @@ webhooks:
     {{- if $secretsNamespaceSelector.matchExpressions }}
 {{ toYaml $secretsNamespaceSelector.matchExpressions | indent 4 }}
     {{- end }}
+    {{- if .Values.ignoreReleaseNamespace }}
     - key: kubernetes.io/metadata.name
       operator: NotIn
       values:
       - {{ .Release.Namespace }}
+    {{- end }}
 {{- if semverCompare ">=1.15-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
   objectSelector:
   {{- if $secretsObjectSelector.matchLabels }}
@@ -316,10 +320,12 @@ webhooks:
   {{- if $configmapsNamespaceSelector.matchExpressions }}
 {{ toYaml $configmapsNamespaceSelector.matchExpressions | indent 4 }}
   {{- end }}
+    {{- if .Values.ignoreReleaseNamespace }}
     - key: kubernetes.io/metadata.name
       operator: NotIn
       values:
       - {{ .Release.Namespace }}
+    {{- end }}
 {{- if semverCompare ">=1.15-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
   objectSelector:
   {{- if $configmapsObjectSelector.matchLabels }}
@@ -386,10 +392,12 @@ webhooks:
     {{- if $crNamespaceSelector.matchExpressions }}
 {{ toYaml $crNamespaceSelector.matchExpressions | indent 4 }}
     {{- end }}
+    {{- if .Values.ignoreReleaseNamespace }}
     - key: kubernetes.io/metadata.name
       operator: NotIn
       values:
       - {{ .Release.Namespace }}
+    {{- end }}
 {{- if semverCompare ">=1.15-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
   objectSelector:
   {{- if $crObjectSelector.matchLabels }}
diff --git a/deploy/charts/vault-secrets-webhook/values.yaml b/deploy/charts/vault-secrets-webhook/values.yaml
@@ -236,6 +236,10 @@ secretsFailurePolicy: Ignore
 # Check: <https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#side-effects>
 apiSideEffectValue: NoneOnDryRun
 
+# -- Enables the webhook to ignore resources in the namespace it is deployed to.
+# Set to `false` to enable mutations within the namespace the webhook runs in.
+ignoreReleaseNamespace: true
+
 # -- Namespace selector to use, will limit webhook scope (K8s version 1.15+)
 namespaceSelector:
   # @ignored
