feat: add support for CONNECT operations (open-policy-agent#3459)

Signed-off-by: Thomas Chaplin <thomaschaplin@outlook.com>
Co-authored-by: Anlan Du <adu47249@gmail.com>
Co-authored-by: Rita Zhang <rita.z.zhang@gmail.com>
Co-authored-by: Jaydipkumar Arvindbhai Gabani <gabanijaydip@gmail.com>

cmd/build/helmify/replacements.go

@@ -221,6 +221,9 @@ var replacements = map[string]string{
  {{- if .Values.enableDeleteOperations }}
  - DELETE
  {{- end }}
+ {{- if .Values.enableConnectOperations }}
+ - CONNECT
+ {{- end }}
  resources:
  - '*'
  # Explicitly list all known subresources except "status" (to avoid destabilizing the cluster and increasing load on gatekeeper).

cmd/build/helmify/static/README.md

@@ -148,6 +148,7 @@ information._
 | validatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. Mutually exclusive with `enableDeleteOperations`. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` |
 | validatingWebhookURL | Custom URL for Kubernetes API server to use to reach the validating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` |
 | enableDeleteOperations | Enable validating webhook for delete operations. Does not work with `validatingWebhookCustomRules` | `false` |
+| enableConnectOperations | Enable validating webhook for connect operations. | `false` |
 | enableExternalData | Enable external data | `true` |
 | enableGeneratorResourceExpansion | Enable generator resource expansion (beta feature) | `true` |
 | enableTLSHealthcheck | Enable probing webhook API with certificate stored in certDir | `false` |

cmd/build/helmify/static/values.yaml

@@ -19,6 +19,7 @@ validatingWebhookCheckIgnoreFailurePolicy: Fail
 validatingWebhookCustomRules: {}
 validatingWebhookURL: null
 enableDeleteOperations: false
+enableConnectOperations: false
 enableExternalData: true
 enableGeneratorResourceExpansion: true
 enableTLSHealthcheck: false

manifest_staging/charts/gatekeeper/README.md

@@ -148,6 +148,7 @@ information._
 | validatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. Mutually exclusive with `enableDeleteOperations`. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` |
 | validatingWebhookURL | Custom URL for Kubernetes API server to use to reach the validating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` |
 | enableDeleteOperations | Enable validating webhook for delete operations. Does not work with `validatingWebhookCustomRules` | `false` |
+| enableConnectOperations | Enable validating webhook for connect operations. | `false` |
 | enableExternalData | Enable external data | `true` |
 | enableGeneratorResourceExpansion | Enable generator resource expansion (beta feature) | `true` |
 | enableTLSHealthcheck | Enable probing webhook API with certificate stored in certDir | `false` |

manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml

@@ -64,6 +64,9 @@ webhooks:
  {{- if .Values.enableDeleteOperations }}
  - DELETE
  {{- end }}
+ {{- if .Values.enableConnectOperations }}
+ - CONNECT
+ {{- end }}
  resources:
  - '*'
  # Explicitly list all known subresources except "status" (to avoid destabilizing the cluster and increasing load on gatekeeper).

manifest_staging/charts/gatekeeper/values.yaml

@@ -19,6 +19,7 @@ validatingWebhookCheckIgnoreFailurePolicy: Fail
 validatingWebhookCustomRules: {}
 validatingWebhookURL: null
 enableDeleteOperations: false
+enableConnectOperations: false
 enableExternalData: true
 enableGeneratorResourceExpansion: true
 enableTLSHealthcheck: false