[Bug]: NamespaceSelector is not correctly rendered for the validating webhook. #387

Open
jerome-blanche opened this issue Nov 4, 2024 · 0 comments

Describe the bug

When the validation webhook is enabled (trow:validationWebhook:enabled: true) and the webhook namespace selector is defined, Helm generates an invalid ValidatingWebhookConfiguration resource.

To Reproduce

helm repo add trow https://trow-registry.github.io/trow
cat << EOF > values.yaml 
trow:
  validationWebhook:
    enabled: true

webhooks:
  namespaceSelector:
    matchLabels:
      webhook: "allowed"
EOF
helm template trow/trow --version 0.8.1 -f ./values.yaml --namespace trow > manifests.yaml

Expected behavior

A valid manifest for the ValidatingWebhookConfiguration resource:

  • metadata.annotations property should be removed
  • webhooks[0].namespaceSelector should be correctly formatted

Output/Logs

Rendered manifest:

# Source: trow/templates/webhooks/validatingwebhook.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: server-trow-validation
  labels:
    helm.sh/chart: trow-0.8.1
    app.kubernetes.io/part-of: trow
    app.kubernetes.io/instance: server
    app.kubernetes.io/version: "0.6.4"
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  annotations:
webhooks:
  - name: validate.trow.io
    admissionReviewVersions: ["v1"]
    sideEffects: None
    
    namespaceSelector:      |-
        matchLabels:
          webhook: allowed
    rules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE"]
        resources: ["pods"]
        scope: "Namespaced"
    # Patched by job-patchWebhook.yaml
    # At first deploy we have to set to "Ignore" otherwise Trow fails to deploy
    # because the Trow webhook doesn't exist yet :/
    failurePolicy: Ignore
    clientConfig:
      service:
        name: server-trow-admission
        path: "/validate-image"
        namespace: trow

Expected manifest:

# Source: trow/templates/webhooks/validatingwebhook.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: server-trow-validation
  labels:
    helm.sh/chart: trow-0.8.1
    app.kubernetes.io/part-of: trow
    app.kubernetes.io/instance: server
    app.kubernetes.io/version: "0.6.4"
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
webhooks:
  - name: validate.trow.io
    admissionReviewVersions: ["v1"]
    sideEffects: None
    
    namespaceSelector:
      matchLabels:
        webhook: allowed
    rules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE"]
        resources: ["pods"]
        scope: "Namespaced"
    # Patched by job-patchWebhook.yaml
    # At first deploy we have to set to "Ignore" otherwise Trow fails to deploy
    # because the Trow webhook doesn't exist yet :/
    failurePolicy: Ignore
    clientConfig:
      service:
        name: server-trow-admission
        path: "/validate-image"
        namespace: trow

Trow Info

Helm chart version 0.8.1

Kubernetes

helm version:
version.BuildInfo{Version:"v3.16.1", GitCommit:"5a5449dc42be07001fd5771d56429132984ab3ab", GitTreeState:"clean", GoVersion:"go1.22.7"}

Additional context

Add any other context about the problem here.
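
A pre-deploy check for the two defects reported above, as an added example that is not part of the original issue or of the Trow chart: it scans `helm template` output for mapping-typed keys that were rendered as a block scalar (a string) or left with no value (null). The names `lint_rendered`, `is_content` and `MAPPING_KEYS` are hypothetical, and the check is line-based so that it runs with the Python standard library only.

```python
import re

# Keys the Kubernetes API expects to be mappings (subset relevant to this issue).
MAPPING_KEYS = {"annotations", "labels", "namespaceSelector", "objectSelector", "matchLabels"}
KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_./-]+):\s*(.*?)\s*$")

def is_content(line):
    """True for lines that are neither blank nor comments."""
    return bool(line.strip()) and not line.lstrip().startswith("#")

def lint_rendered(manifest):
    """Return findings for mapping-typed keys rendered as a string or as null."""
    findings = []
    lines = manifest.splitlines()
    for i, line in enumerate(lines):
        m = KEY_RE.match(line) if is_content(line) else None
        if not m or m.group(2) not in MAPPING_KEYS:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        if value[:1] in ("|", ">"):
            # Block scalar indicator: the nested lines are one string, not a mapping.
            findings.append(f"line {i + 1}: {key} is a block scalar (string)")
        elif value == "":
            # Empty value is a mapping only if the next content line is indented deeper.
            nxt = next((l for l in lines[i + 1:] if is_content(l)), "")
            if len(nxt) - len(nxt.lstrip()) <= indent:
                findings.append(f"line {i + 1}: {key} is null")
    return findings

# Excerpts of the two manifests from the issue, trimmed to the affected keys.
BROKEN = """\
metadata:
  name: server-trow-validation
  annotations:
webhooks:
  - name: validate.trow.io
    namespaceSelector:      |-
        matchLabels:
          webhook: allowed
"""
FIXED = """\
metadata:
  name: server-trow-validation
webhooks:
  - name: validate.trow.io
    namespaceSelector:
      matchLabels:
        webhook: allowed
"""
```

In CI, pass the contents of manifests.yaml from the reproduction steps to `lint_rendered` and fail the job when the returned list is non-empty.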
