diff --git a/extensions/pkg/webhook/certificates/reconciler.go b/extensions/pkg/webhook/certificates/reconciler.go
index c9d79b892f9..e888dcd4902 100644
--- a/extensions/pkg/webhook/certificates/reconciler.go
+++ b/extensions/pkg/webhook/certificates/reconciler.go
@@ -31,8 +31,9 @@ import (
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
-	"github.com/gardener/gardener/extensions/pkg/webhook"
+	extensionswebhook "github.com/gardener/gardener/extensions/pkg/webhook"
 	extensionsshootwebhook "github.com/gardener/gardener/extensions/pkg/webhook/shoot"
 	"github.com/gardener/gardener/pkg/controllerutils"
 	kubernetesutils "github.com/gardener/gardener/pkg/utils/kubernetes"
@@ -85,7 +86,7 @@ type reconciler struct {
 // AddToManager generates webhook CA and server cert if it doesn't exist on the cluster yet. Then it adds reconciler to
 // the given manager in order to periodically regenerate the webhook secrets.
 func (r *reconciler) AddToManager(ctx context.Context, mgr manager.Manager) error {
-	r.serverPort = mgr.GetWebhookServer().Port
+	r.serverPort = mgr.GetWebhookServer().(*webhook.DefaultServer).Options.Port
 	r.client = mgr.GetClient()
 
 	present, err := isWebhookServerSecretPresent(ctx, mgr.GetAPIReader(), r.ServerSecretName, r.Namespace, r.Identity)
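Review bot: The type assertion `mgr.GetWebhookServer().(*webhook.DefaultServer)` added in AddToManager is unchecked, so a manager whose webhook server is any other `webhook.Server` implementation panics here instead of returning an error. Use the two-value form and fail explicitly, e.g. `srv, ok := mgr.GetWebhookServer().(*webhook.DefaultServer)`, `if !ok { return fmt.Errorf("unsupported webhook server type %T", mgr.GetWebhookServer()) }`, `r.serverPort = srv.Options.Port` (assuming fmt is already imported in this file). The same unchecked assertion is repeated in reloader.go AddToManager, options.go AddToManager and reconcileShootWebhookConfigs, provider-local add.go AddToManagerWithOptions and certificates_test.go; a small helper in the extensions webhook package returning `(*webhook.DefaultServer, error)` would keep the check in one place. AddToManager's body continues past the end of this hunk.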
@@ -179,7 +180,7 @@ func (r *reconciler) Reconcile(ctx context.Context, _ reconcile.Request) (reconc
 	if r.ShootWebhookConfig != nil {
 		// update shoot webhook config object (in memory) with the freshly created CA bundle which is also used by the
 		// ControlPlane actuator
-		if err := webhook.InjectCABundleIntoWebhookConfig(r.ShootWebhookConfig, caBundleSecret.Data[secretsutils.DataKeyCertificateBundle]); err != nil {
+		if err := extensionswebhook.InjectCABundleIntoWebhookConfig(r.ShootWebhookConfig, caBundleSecret.Data[secretsutils.DataKeyCertificateBundle]); err != nil {
 			return reconcile.Result{}, err
 		}
 		r.AtomicShootWebhookConfig.Store(r.ShootWebhookConfig.DeepCopy())
@@ -206,7 +207,7 @@ func (r *reconciler) reconcileSourceWebhookConfig(ctx context.Context, sourceWeb
 	}
 
 	patch := client.MergeFromWithOptions(config.DeepCopyObject().(client.Object), client.MergeFromWithOptimisticLock{})
-	if err := webhook.InjectCABundleIntoWebhookConfig(config, caBundleSecret.Data[secretsutils.DataKeyCertificateBundle]); err != nil {
+	if err := extensionswebhook.InjectCABundleIntoWebhookConfig(config, caBundleSecret.Data[secretsutils.DataKeyCertificateBundle]); err != nil {
 		return err
 	}
 	return r.client.Patch(ctx, config, patch)
diff --git a/extensions/pkg/webhook/certificates/reloader.go b/extensions/pkg/webhook/certificates/reloader.go
index 826ab89d704..8f532269a32 100644
--- a/extensions/pkg/webhook/certificates/reloader.go
+++ b/extensions/pkg/webhook/certificates/reloader.go
@@ -28,6 +28,7 @@ import (
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
 	"github.com/gardener/gardener/pkg/controllerutils"
 	secretsutils "github.com/gardener/gardener/pkg/utils/secrets"
@@ -58,7 +59,7 @@ type reloader struct {
 // manager in order to periodically reload the secret from the cluster.
 func (r *reloader) AddToManager(ctx context.Context, mgr manager.Manager) error {
 	r.reader = mgr.GetClient()
-	r.certDir = mgr.GetWebhookServer().CertDir
+	r.certDir = mgr.GetWebhookServer().(*webhook.DefaultServer).Options.CertDir
 
 	// initial retrieval of server cert, needed in order for the webhook server to start successfully
 	found, _, serverCert, serverKey, err := r.getServerCert(ctx, mgr.GetAPIReader())
diff --git a/extensions/pkg/webhook/cmd/options.go b/extensions/pkg/webhook/cmd/options.go
index a04dbc7d43f..56866fe0f91 100644
--- a/extensions/pkg/webhook/cmd/options.go
+++ b/extensions/pkg/webhook/cmd/options.go
@@ -25,6 +25,7 @@ import (
 	"k8s.io/utils/clock"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
 	extensionswebhook "github.com/gardener/gardener/extensions/pkg/webhook"
 	"github.com/gardener/gardener/extensions/pkg/webhook/certificates"
@@ -245,7 +246,7 @@ func (c *AddToManagerConfig) AddToManager(ctx context.Context, mgr manager.Manag
 	}
 
 	webhookServer := mgr.GetWebhookServer()
-	servicePort := webhookServer.Port
+	servicePort := webhookServer.(*webhook.DefaultServer).Options.Port
 	if (c.Server.Mode == extensionswebhook.ModeService || c.Server.Mode == extensionswebhook.ModeURLWithServiceName) && c.Server.ServicePort > 0 {
 		servicePort = c.Server.ServicePort
 	}
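Review bot: In options.go AddToManager the `webhookServer` local is asserted to `*webhook.DefaultServer` here and asserted again in the `GenerateUnmanagedCertificates` call in the next hunk, so the same cast is repeated on one value. Assert once where the variable is introduced, `webhookServer, ok := mgr.GetWebhookServer().(*webhook.DefaultServer)`, guard it with an `ok` check that returns an error, and read `webhookServer.Options.Port` and `webhookServer.Options.CertDir` from the typed local afterwards. AddToManager starts and ends outside this hunk.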
@@ -280,7 +281,7 @@ func (c *AddToManagerConfig) AddToManager(ctx context.Context, mgr manager.Manag
 
 		mgr.GetLogger().Info("Running webhooks with unmanaged certificates (i.e., the webhook CA will not be rotated automatically). " +
 			"This mode is supposed to be used for development purposes only. Make sure to configure --webhook-config-namespace in production.")
-		caBundle, err := certificates.GenerateUnmanagedCertificates(c.extensionName, webhookServer.CertDir, c.Server.Mode, c.Server.URL)
+		caBundle, err := certificates.GenerateUnmanagedCertificates(c.extensionName, webhookServer.(*webhook.DefaultServer).Options.CertDir, c.Server.Mode, c.Server.URL)
 		if err != nil {
 			return nil, fmt.Errorf("error generating new certificates for webhook server: %w", err)
 		}
@@ -356,7 +357,7 @@ func (c *AddToManagerConfig) reconcileShootWebhookConfigs(mgr manager.Manager, s
 		if err := extensionswebhook.InjectCABundleIntoWebhookConfig(shootWebhookConfig, caBundle); err != nil {
 			return err
 		}
-		if err := extensionsshootwebhook.ReconcileWebhooksForAllNamespaces(ctx, mgr.GetClient(), c.Server.Namespace, c.extensionName, c.shootWebhookManagedResourceName, c.shootNamespaceSelector, mgr.GetWebhookServer().Port, shootWebhookConfig); err != nil {
+		if err := extensionsshootwebhook.ReconcileWebhooksForAllNamespaces(ctx, mgr.GetClient(), c.Server.Namespace, c.extensionName, c.shootWebhookManagedResourceName, c.shootNamespaceSelector, mgr.GetWebhookServer().(*webhook.DefaultServer).Options.Port, shootWebhookConfig); err != nil {
 			return fmt.Errorf("error reconciling all shoot webhook configs: %w", err)
 		}
 	}
diff --git a/pkg/provider-local/controller/controlplane/add.go b/pkg/provider-local/controller/controlplane/add.go
index d96731164b0..e608bc4e7ba 100644
--- a/pkg/provider-local/controller/controlplane/add.go
+++ b/pkg/provider-local/controller/controlplane/add.go
@@ -19,6 +19,7 @@ import (
 
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
 	extensionscontroller "github.com/gardener/gardener/extensions/pkg/controller"
 	"github.com/gardener/gardener/extensions/pkg/controller/controlplane"
@@ -49,7 +50,7 @@ func AddToManagerWithOptions(mgr manager.Manager, opts AddOptions) error {
 
 	return controlplane.Add(mgr, controlplane.AddArgs{
 		Actuator: genericactuator.NewActuator(local.Name, getSecretConfigs, nil, nil, nil, nil, nil, controlPlaneShootChart, nil, storageClassChart, nil, NewValuesProvider(), extensionscontroller.ChartRendererFactoryFunc(util.NewChartRendererForShoot),
-			imagevector.ImageVector(), "", opts.ShootWebhookConfig, opts.WebhookServerNamespace, mgr.GetWebhookServer().Port),
+			imagevector.ImageVector(), "", opts.ShootWebhookConfig, opts.WebhookServerNamespace, mgr.GetWebhookServer().(*webhook.DefaultServer).Options.Port),
 		ControllerOptions: opts.Controller,
 		Predicates:        controlplane.DefaultPredicates(opts.IgnoreOperationAnnotation),
 		Type:              local.Type,
diff --git a/test/integration/extensions/webhook/certificates/certificates_test.go b/test/integration/extensions/webhook/certificates/certificates_test.go
index 2a9cc250715..74f8f8ececc 100644
--- a/test/integration/extensions/webhook/certificates/certificates_test.go
+++ b/test/integration/extensions/webhook/certificates/certificates_test.go
@@ -39,6 +39,7 @@ import (
 	"k8s.io/utils/pointer"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
 	extensionswebhook "github.com/gardener/gardener/extensions/pkg/webhook"
 	"github.com/gardener/gardener/extensions/pkg/webhook/certificates"
@@ -198,11 +199,11 @@ var _ = Describe("Certificates tests", func() {
 
 			By("Verify certificates exist on disk")
 			Eventually(func(g Gomega) {
-				serverCert, err := os.ReadFile(filepath.Join(mgr.GetWebhookServer().CertDir, "tls.crt"))
+				serverCert, err := os.ReadFile(filepath.Join(mgr.GetWebhookServer().(*webhook.DefaultServer).Options.CertDir, "tls.crt"))
 				g.Expect(err).NotTo(HaveOccurred())
 				g.Expect(serverCert).NotTo(BeEmpty())
 
-				serverKey, err := os.ReadFile(filepath.Join(mgr.GetWebhookServer().CertDir, "tls.key"))
+				serverKey, err := os.ReadFile(filepath.Join(mgr.GetWebhookServer().(*webhook.DefaultServer).Options.CertDir, "tls.key"))
 				g.Expect(err).NotTo(HaveOccurred())
 				g.Expect(serverKey).NotTo(BeEmpty())
 			}).Should(Succeed())
@@ -267,13 +268,13 @@ var _ = Describe("Certificates tests", func() {
 
 			By("Read generated server certificate from disk")
 			Eventually(func(g Gomega) []byte {
-				serverCert1, err = os.ReadFile(filepath.Join(mgr.GetWebhookServer().CertDir, "tls.crt"))
+				serverCert1, err = os.ReadFile(filepath.Join(mgr.GetWebhookServer().(*webhook.DefaultServer).Options.CertDir, "tls.crt"))
 				g.Expect(err).NotTo(HaveOccurred())
 				return serverCert1
 			}).Should(Not(BeEmpty()))
 
 			Eventually(func(g Gomega) []byte {
-				serverKey1, err := os.ReadFile(filepath.Join(mgr.GetWebhookServer().CertDir, "tls.key"))
+				serverKey1, err := os.ReadFile(filepath.Join(mgr.GetWebhookServer().(*webhook.DefaultServer).Options.CertDir, "tls.key"))
 				g.Expect(err).NotTo(HaveOccurred())
 				return serverKey1
 			}).Should(Not(BeEmpty()))
@@ -288,7 +289,7 @@ var _ = Describe("Certificates tests", func() {
 
 			By("Read re-generated server certificate from disk")
 			Eventually(func(g Gomega) []byte {
-				serverCert2, err := os.ReadFile(filepath.Join(mgr.GetWebhookServer().CertDir, "tls.crt"))
+				serverCert2, err := os.ReadFile(filepath.Join(mgr.GetWebhookServer().(*webhook.DefaultServer).Options.CertDir, "tls.crt"))
 				g.Expect(err).NotTo(HaveOccurred())
 				return serverCert2
 			}).Should(And(
@@ -365,11 +366,11 @@ var _ = Describe("Certificates tests", func() {
 
 			By("Verify certificates exist on disk")
 			Eventually(func(g Gomega) {
-				serverCert, err := os.ReadFile(filepath.Join(mgr.GetWebhookServer().CertDir, "tls.crt"))
+				serverCert, err := os.ReadFile(filepath.Join(mgr.GetWebhookServer().(*webhook.DefaultServer).Options.CertDir, "tls.crt"))
 				g.Expect(err).NotTo(HaveOccurred())
 				g.Expect(serverCert).NotTo(BeEmpty())
 
-				serverKey, err := os.ReadFile(filepath.Join(mgr.GetWebhookServer().CertDir, "tls.key"))
+				serverKey, err := os.ReadFile(filepath.Join(mgr.GetWebhookServer().(*webhook.DefaultServer).Options.CertDir, "tls.key"))
 				g.Expect(err).NotTo(HaveOccurred())
 				g.Expect(serverKey).NotTo(BeEmpty())
 			}).Should(Succeed())
@@ -459,13 +460,13 @@ var _ = Describe("Certificates tests", func() {
 
 			By("Read generated server certificate from disk")
 			Eventually(func(g Gomega) []byte {
-				serverCert1, err = os.ReadFile(filepath.Join(mgr.GetWebhookServer().CertDir, "tls.crt"))
+				serverCert1, err = os.ReadFile(filepath.Join(mgr.GetWebhookServer().(*webhook.DefaultServer).Options.CertDir, "tls.crt"))
 				g.Expect(err).NotTo(HaveOccurred())
 				return serverCert1
 			}).Should(Not(BeEmpty()))
 
 			Eventually(func(g Gomega) []byte {
-				serverKey1, err := os.ReadFile(filepath.Join(mgr.GetWebhookServer().CertDir, "tls.key"))
+				serverKey1, err := os.ReadFile(filepath.Join(mgr.GetWebhookServer().(*webhook.DefaultServer).Options.CertDir, "tls.key"))
 				g.Expect(err).NotTo(HaveOccurred())
 				return serverKey1
 			}).Should(Not(BeEmpty()))
@@ -492,7 +493,7 @@ var _ = Describe("Certificates tests", func() {
 
 			By("Read re-generated server certificate from disk")
 			Eventually(func(g Gomega) []byte {
-				serverCert2, err := os.ReadFile(filepath.Join(mgr.GetWebhookServer().CertDir, "tls.crt"))
+				serverCert2, err := os.ReadFile(filepath.Join(mgr.GetWebhookServer().(*webhook.DefaultServer).Options.CertDir, "tls.crt"))
 				g.Expect(err).NotTo(HaveOccurred())
 				return serverCert2
 			}).Should(And(