fix: only set matchConditions on webhook when not empty (#3412)

Signed-off-by: martijnvdp <m.vanderploeg@nl.ccv.eu> Co-authored-by: Rita Zhang <rita.z.zhang@gmail.com>
open-policy-agent · Jul 16, 2024 · 0f20484 · 0f20484
1 parent 1acf89a
commit 0f20484
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 2 deletions.
diff --git a/cmd/build/helmify/main.go b/cmd/build/helmify/main.go
@@ -109,14 +109,14 @@ func (ks *kindSet) Write() error {
 
 			if name == "validation.gatekeeper.sh" {
 				matchConditions := "  matchConditions: {{ toYaml .Values.validatingWebhookMatchConditions | nindent 4 }}"
-				replace := fmt.Sprintf("  {{- if ge (int .Capabilities.KubeVersion.Minor) 28 }}\n%s\n  {{- end }}", matchConditions)
+				replace := fmt.Sprintf("  {{- if .Values.validatingWebhookMatchConditions }}\n  {{- if ge (int .Capabilities.KubeVersion.Minor) 28 }}\n%s\n  {{- end }}\n  {{- end }}", matchConditions)
 				obj = "{{- if not .Values.disableValidatingWebhook }}\n" + strings.Replace(obj, matchConditions, replace, 1) + end + "\n"
 				fileName = fmt.Sprintf("gatekeeper-validating-webhook-configuration-%s.yaml", strings.ToLower(kind))
 			}
 
 			if name == "mutation.gatekeeper.sh" {
 				matchConditions := "  matchConditions: {{ toYaml .Values.mutatingWebhookMatchConditions | nindent 4 }}"
-				replace := fmt.Sprintf("  {{- if ge (int .Capabilities.KubeVersion.Minor) 28 }}\n%s\n  {{- end }}", matchConditions)
+				replace := fmt.Sprintf("  {{- if .Values.mutatingWebhookMatchConditions }}\n  {{- if ge (int .Capabilities.KubeVersion.Minor) 28 }}\n%s\n  {{- end }}\n  {{- end }}", matchConditions)
 				obj = "{{- if not .Values.disableMutation }}\n" + strings.Replace(obj, matchConditions, replace, 1) + end + "\n"
 				fileName = fmt.Sprintf("gatekeeper-mutating-webhook-configuration-%s.yaml", strings.ToLower(kind))
 			}

diff --git a/...per/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml b/...per/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
@@ -24,9 +24,11 @@ webhooks:
       path: /v1/mutate
     {{- end }}
   failurePolicy: {{ .Values.mutatingWebhookFailurePolicy }}
+  {{- if .Values.mutatingWebhookMatchConditions }}
   {{- if ge (int .Capabilities.KubeVersion.Minor) 28 }}
   matchConditions: {{ toYaml .Values.mutatingWebhookMatchConditions | nindent 4 }}
   {{- end }}
+  {{- end }}
   matchPolicy: Exact
   name: mutation.gatekeeper.sh
   namespaceSelector:

diff --git a/...templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml b/...templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
@@ -24,9 +24,11 @@ webhooks:
       path: /v1/admit
     {{- end }}
   failurePolicy: {{ .Values.validatingWebhookFailurePolicy }}
+  {{- if .Values.validatingWebhookMatchConditions }}
   {{- if ge (int .Capabilities.KubeVersion.Minor) 28 }}
   matchConditions: {{ toYaml .Values.validatingWebhookMatchConditions | nindent 4 }}
   {{- end }}
+  {{- end }}
   matchPolicy: Exact
   name: validation.gatekeeper.sh
   namespaceSelector: