add ValidatingWebhookConfiguration

Signed-off-by: Carlos Panato <[email protected]>

charts/cosigned/templates/webhook/clusterrole_webhook.yaml

@@ -11,11 +11,11 @@ rules:
     verbs: ["create"]
   # Allow the reconciliation of exactly our validating webhook.
   - apiGroups: ["admissionregistration.k8s.io"]
-    resources: ["validatingwebhookconfigurations"]
+    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
     verbs: ["list", "watch"]
 
   - apiGroups: ["admissionregistration.k8s.io"]
-    resources: ["validatingwebhookconfigurations"]
+    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
     verbs: ["get", "update"]
     resourceNames: ["cosigned.sigstore.dev"]
 

charts/cosigned/templates/webhook/webhook_mutating.yaml

@@ -0,0 +1,19 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: cosigned.sigstore.dev
+webhooks:
+- name: cosigned.sigstore.dev
+  namespaceSelector:
+    # The webhook should only apply to things that opt-in
+    matchExpressions:
+    - key: cosigned.sigstore.dev/include
+      operator: In
+      values: ["true"]
+  admissionReviewVersions: [v1]
+  clientConfig:
+    service:
+      name: webhook
+      namespace: {{ .Release.Namespace }}
+  failurePolicy: Fail
+  sideEffects: None

charts/cosigned/values.yaml

@@ -26,7 +26,7 @@ webhook:
   podSecurityContext:
     allowPrivilegeEscalation: false
     readOnlyRootFilesystem: true
-    runAsNonRoot: true
+    runAsUser: 1000
     capabilities:
       drop:
       - all