From baf7762342e5402441a89f05208a28dd85750c88 Mon Sep 17 00:00:00 2001
From: Travis Glenn Hansen <travisghansen@yahoo.com>
Date: Tue, 2 Aug 2022 11:52:52 -0600
Subject: [PATCH] better support for the validatingWebhook

Signed-off-by: Travis Glenn Hansen <travisghansen@yahoo.com>
---
 stable/snapshot-controller/Chart.yaml         |  2 +-
 .../templates/rbac-snapshot-controller.yaml   |  2 +-
 .../templates/rbac-snapshot-webhook.yaml      | 36 +++++++++++++++++++
 .../templates/setup-snapshot-controller.yaml  |  2 +-
 .../templates/webhook.yaml                    |  3 ++
 stable/snapshot-controller/values.yaml        |  9 +++--
 6 files changed, 48 insertions(+), 6 deletions(-)
 create mode 100644 stable/snapshot-controller/templates/rbac-snapshot-webhook.yaml

diff --git a/stable/snapshot-controller/Chart.yaml b/stable/snapshot-controller/Chart.yaml
index adf781a..ddfe6eb 100644
--- a/stable/snapshot-controller/Chart.yaml
+++ b/stable/snapshot-controller/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.4
+version: 0.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/stable/snapshot-controller/templates/rbac-snapshot-controller.yaml b/stable/snapshot-controller/templates/rbac-snapshot-controller.yaml
index 3132cdd..56e2301 100644
--- a/stable/snapshot-controller/templates/rbac-snapshot-controller.yaml
+++ b/stable/snapshot-controller/templates/rbac-snapshot-controller.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.rbac.enabled }}
+{{- if .Values.controller.rbac.enabled }}
 # RBAC file for the snapshot controller.
 #
 # The snapshot controller implements the control loop for CSI snapshot functionality.
diff --git a/stable/snapshot-controller/templates/rbac-snapshot-webhook.yaml b/stable/snapshot-controller/templates/rbac-snapshot-webhook.yaml
new file mode 100644
index 0000000..fc4fe10
--- /dev/null
+++ b/stable/snapshot-controller/templates/rbac-snapshot-webhook.yaml
@@ -0,0 +1,36 @@
+{{- if .Values.validatingWebhook.rbac.enabled }}
+# RBAC file for the snapshot webhook.
+#
+# The snapshot webhook implements the validation and admission for CSI snapshot functionality.
+# It should be installed as part of the base Kubernetes distribution in an appropriate
+# namespace for components implementing base system functionality. For installing with
+# Vanilla Kubernetes, kube-system makes sense for the namespace.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: snapshot-webhook
+  namespace: {{ .Release.Namespace | quote }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: snapshot-webhook-runner
+rules:
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotclasses"]
+    verbs: ["get", "list", "watch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: snapshot-webhook-role
+subjects:
+  - kind: ServiceAccount
+    name: snapshot-webhook
+    namespace: {{ .Release.Namespace | quote }}
+roleRef:
+  kind: ClusterRole
+  name: snapshot-webhook-runner
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/stable/snapshot-controller/templates/setup-snapshot-controller.yaml b/stable/snapshot-controller/templates/setup-snapshot-controller.yaml
index 3bfb97e..9b30965 100644
--- a/stable/snapshot-controller/templates/setup-snapshot-controller.yaml
+++ b/stable/snapshot-controller/templates/setup-snapshot-controller.yaml
@@ -33,7 +33,7 @@ spec:
       labels:
         app: snapshot-controller
     spec:
-      {{- if .Values.rbac.enabled }}
+      {{- if .Values.controller.rbac.enabled }}
       serviceAccount: snapshot-controller
       {{- end }}
       containers:
diff --git a/stable/snapshot-controller/templates/webhook.yaml b/stable/snapshot-controller/templates/webhook.yaml
index dbada2f..e035b5b 100644
--- a/stable/snapshot-controller/templates/webhook.yaml
+++ b/stable/snapshot-controller/templates/webhook.yaml
@@ -17,6 +17,9 @@ spec:
       labels:
         app: snapshot-validation
     spec:
+      {{- if .Values.validatingWebhook.rbac.enabled }}
+      serviceAccountName: snapshot-webhook
+      {{- end }}
       containers:
       - name: snapshot-validation
         image: {{ .Values.validatingWebhook.image.repository }}:{{ .Values.validatingWebhook.image.tag }}
diff --git a/stable/snapshot-controller/values.yaml b/stable/snapshot-controller/values.yaml
index 625d71b..2f10d4a 100644
--- a/stable/snapshot-controller/values.yaml
+++ b/stable/snapshot-controller/values.yaml
@@ -7,11 +7,12 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
 
-rbac:
-  enabled: true
 
 controller:
   enabled: true
+  rbac:
+    enabled: true
+
   replicaCount: 3
   image:
     repository: k8s.gcr.io/sig-storage/snapshot-controller
@@ -27,10 +28,12 @@ controller:
 
 validatingWebhook:
   enabled: false
+  rbac:
+    enabled: true
   replicaCount: 3
   image:
     repository: k8s.gcr.io/sig-storage/snapshot-validation-webhook
     pullPolicy: IfNotPresent
     # Overrides the image tag whose default is the chart appVersion.
-    tag: v5.0.1
+    tag: v6.0.1