Improve installer (#50)

hack/deploy/vault-operator.sh

@@ -61,19 +61,19 @@ else
     # ref: https://stackoverflow.com/a/27776822/244009
     case "$(uname -s)" in
         Darwin)
-            curl -fsSL -o onessl https://github.com/kubepack/onessl/releases/download/0.1.0/onessl-darwin-amd64
+            curl -fsSL -o onessl https://github.com/kubepack/onessl/releases/download/0.3.0/onessl-darwin-amd64
             chmod +x onessl
             export ONESSL=./onessl
             ;;
 
         Linux)
-            curl -fsSL -o onessl https://github.com/kubepack/onessl/releases/download/0.1.0/onessl-linux-amd64
+            curl -fsSL -o onessl https://github.com/kubepack/onessl/releases/download/0.3.0/onessl-linux-amd64
             chmod +x onessl
             export ONESSL=./onessl
             ;;
 
         CYGWIN*|MINGW32*|MSYS*)
-            curl -fsSL -o onessl.exe https://github.com/kubepack/onessl/releases/download/0.1.0/onessl-windows-amd64.exe
+            curl -fsSL -o onessl.exe https://github.com/kubepack/onessl/releases/download/0.3.0/onessl-windows-amd64.exe
             chmod +x onessl.exe
             export ONESSL=./onessl.exe
             ;;
@@ -210,31 +210,6 @@ while test $# -gt 0; do
 done
 
 if [ "$VAULT_OPERATOR_UNINSTALL" -eq 1 ]; then
-    # delete webhooks and apiservices
-    kubectl delete validatingwebhookconfiguration -l app=vault-operator || true
-    kubectl delete mutatingwebhookconfiguration -l app=vault-operator || true
-    kubectl delete apiservice -l app=vault-operator
-    # delete vault-operator operator
-    kubectl delete deployment -l app=vault-operator --namespace $VAULT_OPERATOR_NAMESPACE
-    kubectl delete service -l app=vault-operator --namespace $VAULT_OPERATOR_NAMESPACE
-    kubectl delete secret -l app=vault-operator --namespace $VAULT_OPERATOR_NAMESPACE
-    # delete RBAC objects, if --rbac flag was used.
-    kubectl delete serviceaccount -l app=vault-operator --namespace $VAULT_OPERATOR_NAMESPACE
-    kubectl delete clusterrolebindings -l app=vault-operator
-    kubectl delete clusterrole -l app=vault-operator
-    kubectl delete rolebindings -l app=vault-operator --namespace $VAULT_OPERATOR_NAMESPACE
-    kubectl delete role -l app=vault-operator --namespace $VAULT_OPERATOR_NAMESPACE
-
-    echo "waiting for Vault operator pod to stop running"
-    for (( ; ; )); do
-       pods=($(kubectl get pods --all-namespaces -l app=vault-operator -o jsonpath='{range .items[*]}{.metadata.name} {end}'))
-       total=${#pods[*]}
-        if [ $total -eq 0 ] ; then
-            break
-        fi
-       sleep 2
-    done
-
     # https://github.com/kubernetes/kubernetes/issues/60538
     if [ "$VAULT_OPERATOR_PURGE" -eq 1 ]; then
         for crd in "${crds[@]}"; do
@@ -258,8 +233,36 @@ if [ "$VAULT_OPERATOR_UNINSTALL" -eq 1 ]; then
             # delete crd
             kubectl delete crd ${crd}.vault.soter.ac || true
         done
+
+        echo "waiting 5 seconds ..."
+        sleep 5;
     fi
 
+    # delete webhooks and apiservices
+    kubectl delete validatingwebhookconfiguration -l app=vault-operator || true
+    kubectl delete mutatingwebhookconfiguration -l app=vault-operator || true
+    kubectl delete apiservice -l app=vault-operator
+    # delete vault-operator operator
+    kubectl delete deployment -l app=vault-operator --namespace $VAULT_OPERATOR_NAMESPACE
+    kubectl delete service -l app=vault-operator --namespace $VAULT_OPERATOR_NAMESPACE
+    kubectl delete secret -l app=vault-operator --namespace $VAULT_OPERATOR_NAMESPACE
+    # delete RBAC objects, if --rbac flag was used.
+    kubectl delete serviceaccount -l app=vault-operator --namespace $VAULT_OPERATOR_NAMESPACE
+    kubectl delete clusterrolebindings -l app=vault-operator
+    kubectl delete clusterrole -l app=vault-operator
+    kubectl delete rolebindings -l app=vault-operator --namespace $VAULT_OPERATOR_NAMESPACE
+    kubectl delete role -l app=vault-operator --namespace $VAULT_OPERATOR_NAMESPACE
+
+    echo "waiting for Vault operator pod to stop running"
+    for (( ; ; )); do
+       pods=($(kubectl get pods --all-namespaces -l app=vault-operator -o jsonpath='{range .items[*]}{.metadata.name} {end}'))
+       total=${#pods[*]}
+        if [ $total -eq 0 ] ; then
+            break
+        fi
+       sleep 2
+    done
+
     echo
     echo "Successfully uninstalled Vault operator!"
     exit 0
@@ -269,6 +272,12 @@ echo "checking whether extended apiserver feature is enabled"
 $ONESSL has-keys configmap --namespace=kube-system --keys=requestheader-client-ca-file extension-apiserver-authentication || { echo "Set --requestheader-client-ca-file flag on Kubernetes apiserver"; exit 1; }
 echo ""
 
+export KUBE_CA=
+if [ "$PACKSERVER_ENABLE_VALIDATING_WEBHOOK" = true ] || [ "$PACKSERVER_ENABLE_MUTATING_WEBHOOK" = true ]; then
+    $ONESSL get kube-ca >/dev/null 2>&1 || { echo "Admission webhooks can't be used when kube apiserver is accesible without verifying its TLS certificate (insecure-skip-tls-verify : true)."; echo; exit 1; }
+    export KUBE_CA=$($ONESSL get kube-ca | $ONESSL base64)
+fi
+
 env | sort | grep VAULT_OPERATOR*
 echo ""
 
@@ -280,7 +289,6 @@ $ONESSL create server-cert server --domains=vault-operator.$VAULT_OPERATOR_NAMES
 export SERVICE_SERVING_CERT_CA=$(cat ca.crt | $ONESSL base64)
 export TLS_SERVING_CERT=$(cat server.crt | $ONESSL base64)
 export TLS_SERVING_KEY=$(cat server.key | $ONESSL base64)
-export KUBE_CA=$($ONESSL get kube-ca | $ONESSL base64)
 
 ${SCRIPT_LOCATION}hack/deploy/deployment.yaml | $ONESSL envsubst | kubectl apply -f -
 
@@ -320,4 +328,4 @@ for crd in "${crds[@]}"; do
 done
 
 echo
-echo "Successfully installed Vault operator!"
+echo "Successfully installed Vault operator in $PACKSERVER_NAMESPACE namespace!"