From 64909f568801e66fa85fb34c0dbfb097eb8f65f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan-Otto=20Kr=C3=B6pke?= <mail@jkroepke.de>
Date: Sat, 13 Jan 2024 10:27:27 +0100
Subject: [PATCH] [helm] Support custom spec.namespaceSelector for webhooks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Jan-Otto Kröpke <mail@jkroepke.de>
---
 .../templates/webhook-mutating-webhook.yaml           |  4 ++++
 .../templates/webhook-validating-webhook.yaml         |  6 ++++++
 deploy/charts/cert-manager/values.yaml                | 11 +++++++++++
 3 files changed, 21 insertions(+)

diff --git a/deploy/charts/cert-manager/templates/webhook-mutating-webhook.yaml b/deploy/charts/cert-manager/templates/webhook-mutating-webhook.yaml
index 26401a8e7..8eed00102 100644
--- a/deploy/charts/cert-manager/templates/webhook-mutating-webhook.yaml
+++ b/deploy/charts/cert-manager/templates/webhook-mutating-webhook.yaml
@@ -42,3 +42,7 @@ webhooks:
         namespace: {{ include "cert-manager.namespace" . }}
         path: /mutate
       {{- end }}
+    namespaceSelector:
+    {{- with .Values.webhook.webhookConfigurationNamespaceSelector }}
+    {{- toYaml . | nindent 6 }}
+    {{- end }}
diff --git a/deploy/charts/cert-manager/templates/webhook-validating-webhook.yaml b/deploy/charts/cert-manager/templates/webhook-validating-webhook.yaml
index ce33cc797..c01212b30 100644
--- a/deploy/charts/cert-manager/templates/webhook-validating-webhook.yaml
+++ b/deploy/charts/cert-manager/templates/webhook-validating-webhook.yaml
@@ -16,11 +16,17 @@ metadata:
 webhooks:
   - name: webhook.cert-manager.io
     namespaceSelector:
+      {{- with (omit .Values.webhook.webhookConfigurationNamespaceSelector "matchExpressions") }}
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
       matchExpressions:
       - key: "cert-manager.io/disable-validation"
         operator: "NotIn"
         values:
         - "true"
+      {{- with .Values.webhook.webhookConfigurationNamespaceSelector.matchExpressions }}
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
     rules:
       - apiGroups:
           - "cert-manager.io"
diff --git a/deploy/charts/cert-manager/values.yaml b/deploy/charts/cert-manager/values.yaml
index 811e157a1..17c419dcc 100644
--- a/deploy/charts/cert-manager/values.yaml
+++ b/deploy/charts/cert-manager/values.yaml
@@ -401,6 +401,17 @@ webhook:
   # Optional additional annotations to add to the webhook ValidatingWebhookConfiguration
   # validatingWebhookConfigurationAnnotations: {}
 
+  # Configure spec.namespaceSelector for mutating and validating webhooks.
+  webhookConfigurationNamespaceSelector: {}
+  #  matchLabels:
+  #    key: value
+  #  matchExpressions:
+  #    - key: kubernetes.io/metadata.name
+  #      operator: NotIn
+  #      values:
+  #        - kube-system
+
+
   # Additional command line flags to pass to cert-manager webhook binary.
   # To see all available flags run docker run quay.io/jetstack/cert-manager-webhook:<version> --help
   extraArgs: []