From a08c9fe0c483a2c9092e86592d3e4d8bb440542c Mon Sep 17 00:00:00 2001
From: Bojan Zelic
Date: Wed, 11 Dec 2024 11:41:08 -0700
Subject: [PATCH] allow setting matchConditions for the injector webhook

---
 templates/injector-mutating-webhook.yaml | 4 ++++
 values.schema.json | 6 ++++++
 values.yaml | 11 +++++++++++
 3 files changed, 21 insertions(+)

diff --git a/templates/injector-mutating-webhook.yaml b/templates/injector-mutating-webhook.yaml
index d0cafa66f..9dc88279a 100644
--- a/templates/injector-mutating-webhook.yaml
+++ b/templates/injector-mutating-webhook.yaml
@@ -41,5 +41,9 @@ webhooks:
 namespaceSelector:
 {{ toYaml (((.Values.injector.webhook)).namespaceSelector | default .Values.injector.namespaceSelector) | indent 6}}
 {{ end }}
+{{- if (((.Values.injector.webhook)).matchConditions) }}
+ matchConditions:
+{{ toYaml ((.Values.injector.webhook)).matchConditions | indent 6}}
+{{ end }}
 {{- template "injector.objectSelector" . -}}
 {{ end }}
diff --git a/values.schema.json b/values.schema.json
index 34506f97f..4e66169e9 100644
--- a/values.schema.json
+++ b/values.schema.json
@@ -584,6 +584,12 @@
 "failurePolicy": {
 "type": "string"
 },
+ "matchConditions": {
+ "type": "array",
+ "items": {
+ "type": "object"
+ }
+ },
 "matchPolicy": {
 "type": "string"
 },
diff --git a/values.yaml b/values.yaml
index 7d2c2dd44..27c1a1194 100644
--- a/values.yaml
+++ b/values.yaml
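Review bot: The four added template lines only render `matchConditions` when the value is set, but the values.yaml hunk in this same patch ships a live, uncommented default, so every install now restricts the webhook to pods carrying the `vault.hashicorp.com/agent-inject` annotation and depends on the API server accepting `matchConditions` (a newer admissionregistration field — as I recall on by default from Kubernetes 1.28 and GA in 1.30; an older server will presumably prune the unknown field and silently fall back to sending every pod to the webhook, which makes the filter hard to reason about across cluster versions). The sibling `timeoutSeconds` value right above it is shipped commented out, so consider doing the same here so the filter is opt-in, and add a template comment above the `if`, e.g. `{{/* matchConditions is only honoured by API servers that support admission webhook matchConditions; leave it unset on older clusters */}}`. The closing `{{ end }}` is not whitespace-trimmed, matching the existing `namespaceSelector` block, so this is consistent with the file's style even though it leaves a blank line in the rendered manifest.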
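Review bot: The schema added for `matchConditions` only checks that each item is an object, so a values file with a misspelled key such as `expresion:` or an entry missing `name` passes chart schema validation and only fails when the API server rejects the MutatingWebhookConfiguration at install time, with a much less helpful error. Kubernetes' MatchCondition type requires both `name` and `expression` as strings, so the schema can state that directly and catch the mistake at `helm lint`/template time; `additionalProperties: false` would additionally flag typos, if that matches the chart's convention elsewhere in the file.
```json
      "matchConditions": {
        "type": "array",
        "items": {
          "type": "object",
          "required": ["name", "expression"],
          "properties": {
            "name": { "type": "string" },
            "expression": { "type": "string" }
          }
        }
      },
```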
@@ -171,6 +171,17 @@ injector:
 # timeoutSeconds: 30
 
+ # matchConditions is the selector for restricting the webhook fine-grained request filtering.
+ # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions
+ # for more details.
+ # Example:
+ # matchConditions:
+ # - name: include-vault-pods
+ # expression: "has(object.metadata.annotations) && 'vault.hashicorp.com/agent-inject' in object.metadata.annotations"
+ matchConditions:
+ - name: include-vault-pods
+ expression: "has(object.metadata.annotations) && 'vault.hashicorp.com/agent-inject' in object.metadata.annotations"
+
 # namespaceSelector is the selector for restricting the webhook to only
 # specific namespaces.
 # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector