}
                }
              ]
            }
        env:

		return fmt.Errorf("failed to apply tag webhook MutatingWebhookConfiguration to cluster: %v", err)
	}
	fmt.Fprintf(w, tagCreatedStr, tagName, revision, tagName)
	return nil
}

func analyzeWebhook(name, istioNamespace, wh, revision string, config *rest.Config) error {
	sa := local.NewSourceAnalyzer(analysis.Combine("webhook", &webhook.Analyzer{}), "", resource.Namespace(istioNamespace), nil)

					Reason:   "No matching namespace labels (istio.io/rev=1-16) or pod labels (istio.io/rev=1-16)",
				},
				{
					Name:     "istio-sidecar-injector-deactivated",
					Revision: "default",
					Reason:   "The injection webhook is deactivated, and will never match labels.",
				},
			},
		},
		{
			name: "default ns injection",
			pod:  podTestObject("test1", "test1", "", ""),
			ns:   nsTestObject("test1", "enabled", ""),

		LabelSelector: "app=sidecar-injector,istio.io/rev=default,istio.io/tag=default",
	})
	if err != nil {
		return err
	}
	// If there is no default webhook but a revisioned default webhook exists,
	// and we are installing a new IOP with default semantics, the default webhook shifts.
	if exists && len(mwhs.Items) == 0 && iop.Spec.GetRevision() == "" {

		},
		config.HelpKV{
			Key:             config.LoggerWebhookSubSys,
			Description:     "send server logs to webhook endpoints",
			MultipleTargets: true,
		},
		config.HelpKV{
			Key:             config.AuditWebhookSubSys,
			Description:     "send audit logs to webhook endpoints",
			MultipleTargets: true,
		},
		config.HelpKV{
			Key:             config.AuditKafkaSubSys,

{{- /* Core defines the common configuration used by all webhook segments */}}
{{/* Copy just what we need to avoid expensive deepCopy */}}
{{- $whv := dict
 "revision" .Values.revision
  "injectionPath" .Values.istiodRemote.injectionPath
  "injectionURL" .Values.istiodRemote.injectionURL
  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
  "caBundle" .Values.istiodRemote.injectionCABundle
  "namespace" .Release.Namespace }}

    omitSidecarInjectorConfigMap: true
    # Configure whether Operator manages webhook configurations. The current behavior
    # of Istiod is to manage its own webhook configurations.
    # When this option is set as true, Istio Operator, instead of webhooks, manages the
    # webhook configurations. When this option is set as false, webhooks manage their
    # own webhook configurations.
    operatorManageWebhooks: false

		},
		config.HelpKV{
			Key:         target.WebhookClientCert,
			Description: "client cert for Webhook mTLS auth",
			Optional:    true,
			Type:        "string",
			Sensitive:   true,
		},
		config.HelpKV{
			Key:         target.WebhookClientKey,
			Description: "client cert key for Webhook mTLS auth",
			Optional:    true,
			Type:        "string",
			Sensitive:   true,
		},
	}

		writeCustomErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminConfigBadJSON), err.Error(), r.URL)
		return
	}

	// Check if subnet proxy being deleted and if so the value of proxy of subnet
	// target of logger webhook configuration also should be deleted
	loggerWebhookProxyDeleted := setLoggerWebhookSubnetProxy(subSys, cfg)

	if err = saveServerConfig(ctx, objectAPI, cfg); err != nil {

    - pods
    scope: '*'
  sideEffects: None
  timeoutSeconds: 10
---
# same webhook but with different name, will result in a duplicate
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  labels:
    app: sidecar-injector
    istio.io/tag: default
  name: w2-istio-sidecar-injector-istio-system

webhooks:
- admissionReviewVersions:
  - v1beta1
  - v1
  clientConfig:
    service: