package main
import (
"context"
"os"
"github.com/glasskube/glasskube/internal/certificates"
"github.com/go-logr/logr"
"github.com/spf13/cobra"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
arv1ac "k8s.io/client-go/applyconfigurations/admissionregistration/v1"
corev1ac "k8s.io/client-go/applyconfigurations/core/v1"
"k8s.io/client-go/kubernetes"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/log/zap"
)
// Command-line settings; init registers the flags that populate them.
var (
	// certDir, when non-empty, switches run to writing the webhook
	// certificate and key to disk instead of storing them in a Secret.
	certDir string

	// Names of the Kubernetes objects run generates a certificate for
	// and patches.
	serviceName       string
	secretName        string
	webhookConfigName string
	webhookName       string
	namespace         string
)

// log is the named logger shared by every function in this binary.
var log logr.Logger

// Server-side apply identity. Force resolves field-ownership conflicts in
// this manager's favour, so the TLS data and the caBundle are overwritten
// even when another manager (kubectl, a previous deploy) last wrote them.
var (
	fieldManager = "package-operator-cert-manager"
	applyOptions = metav1.ApplyOptions{FieldManager: fieldManager, Force: true}
)

// cmd is the cobra root command; it delegates to run with the command's context.
var cmd = &cobra.Command{
	Use: "cert-manager",
	Run: func(c *cobra.Command, args []string) {
		run(c.Context())
	},
}
// init installs a zap development-mode logger (human-readable, verbose
// output) into controller-runtime and registers the flags that configure
// run. The defaults are the object names glasskube uses elsewhere —
// NOTE(review): confirm they still match the deployment manifests.
func init() {
	ctrl.SetLogger(zap.New(zap.UseDevMode(true)))
	log = ctrl.Log.WithName("cert-manager")

	flags := cmd.Flags()
	flags.StringVar(&certDir, "cert-dir", "",
		"directory for certificates (optional)")
	flags.StringVar(&serviceName, "service-name", "glasskube-webhook-service",
		"name of the webhook service")
	flags.StringVar(&secretName, "secret-name", "glasskube-webhook-tls",
		"name of the webhook TLS secret")
	flags.StringVar(&webhookConfigName, "webhook-config-name", "glasskube-validating-webhook-configuration",
		"name of the ValidatingWebhookConfiguration to patch")
	flags.StringVar(&webhookName, "webhook-name", "vpackage.kb.io",
		"name of the webhook to patch")
	flags.StringVar(&namespace, "namespace", "glasskube-system",
		"namespace of the webhook service and TLS secret")
}
// main executes the cobra command and exits with status 1 when it fails.
func main() {
	err := cmd.Execute()
	if err == nil {
		return
	}
	log.Error(err, "command execution failed")
	os.Exit(1)
}
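// run generates a new CA and a webhook serving certificate for
// serviceName.namespace, stores the serving certificate and key (in the
// Secret secretName, or on disk when --cert-dir is set) and patches the CA
// certificate into the caBundle of webhookName inside the
// ValidatingWebhookConfiguration webhookConfigName, so the API server trusts
// the new serving certificate.
//
// Every failure is logged and terminates the process with exit status 1.
// Only the CA *certificate* (caEnc.Cert) is used after signing; what
// webhookEnc.AsMap/SaveTo contain is decided in the certificates package.
// Nothing here rotates the certificate later: the command has to be run
// again before certificates.DefaultValidity elapses.
func run(ctx context.Context) {
	client, err := kubernetes.NewForConfig(ctrl.GetConfigOrDie())
	if err != nil {
		log.Error(err, "could not initialize kubernetes client")
		os.Exit(1)
	}

	// certs, not certificates: keeps the package identifier usable below
	// instead of shadowing it with the local variable.
	certs, err := certificates.Generate(serviceName, namespace, certificates.DefaultValidity)
	if err != nil {
		log.Error(err, "could not generate certificates")
		os.Exit(1)
	}

	webhookEnc, err := certs.Webhook.Encoded()
	if err != nil {
		log.Error(err, "could not encode certificates")
		os.Exit(1)
	}

	if len(certDir) > 0 {
		// Local mode: the serving certificate and key are written to certDir
		// and the Secret is NOT touched, but the caBundle below is still
		// patched, so the API server trusts whatever is served from certDir.
		// NOTE(review): SaveTo sets the file modes in the certificates
		// package — confirm the private key is written 0600.
		if err := webhookEnc.SaveTo(certDir); err != nil {
			log.Error(err, "could not save certificates")
			os.Exit(1)
		}
		log.Info("certificates saved", "dir", certDir)
	} else {
		// Cluster mode: serving certificate and key go into the TLS Secret
		// (presumably mounted by the webhook deployment). applyOptions is
		// Force, so a previous run's data is overwritten.
		secret := corev1ac.Secret(secretName, namespace).
			WithData(webhookEnc.AsMap())
		if _, err := client.CoreV1().Secrets(namespace).Apply(ctx, secret, applyOptions); err != nil {
			// Was "could not encode certificates" — a copy of the message above
			// that misattributed Secret API errors to certificate encoding.
			log.Error(err, "could not apply Secret", "name", secretName, "namespace", namespace)
			os.Exit(1)
		}
		log.Info("Secret applied", "name", secretName)
	}

	// Only the CA certificate is needed from here on; the CA key is never
	// written out by this function and is gone when the process exits.
	caEnc, err := certs.Ca.Encoded()
	if err != nil {
		log.Error(err, "could not encode certificates")
		os.Exit(1)
	}

	// Server-side apply of a partial object: the webhooks list is merged by
	// name, so only webhooks[webhookName].clientConfig.caBundle is written and
	// owned here; the webhook's service reference, rules and other fields keep
	// their existing values and managers.
	webhookConfig := arv1ac.ValidatingWebhookConfiguration(webhookConfigName).WithWebhooks(
		arv1ac.ValidatingWebhook().WithName(webhookName).
			WithClientConfig(arv1ac.WebhookClientConfig().WithCABundle(caEnc.Cert...)),
	)
	if _, err := client.AdmissionregistrationV1().ValidatingWebhookConfigurations().
		Apply(ctx, webhookConfig, applyOptions); err != nil {
		log.Error(err, "could not apply ValidatingWebhookConfiguration", "name", webhookConfigName)
		os.Exit(1)
	}
	log.Info("ValidatingWebhookConfiguration applied", "name", webhookConfigName)
}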