Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #100 from marun/crd-cabundle-injection
Enable injection of service CA bundle for CRDs
- Loading branch information
Showing
26 changed files
with
1,439 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,67 @@ | ||
package cabundleinjector | ||
|
||
import ( | ||
"bytes" | ||
|
||
apiext "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" | ||
apiextclient "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset" | ||
apiextclientv1 "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1" | ||
apiextinformer "k8s.io/apiextensions-apiserver/pkg/client/informers/externalversions" | ||
apiextlister "k8s.io/apiextensions-apiserver/pkg/client/listers/apiextensions/v1" | ||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
"k8s.io/klog" | ||
) | ||
|
||
type crdCABundleInjector struct { | ||
client apiextclientv1.CustomResourceDefinitionInterface | ||
lister apiextlister.CustomResourceDefinitionLister | ||
caBundle []byte | ||
} | ||
|
||
func newCRDInjectorConfig(config *caBundleInjectorConfig) controllerConfig { | ||
client := apiextclient.NewForConfigOrDie(config.config) | ||
informers := apiextinformer.NewSharedInformerFactory(client, config.defaultResync) | ||
informer := informers.Apiextensions().V1().CustomResourceDefinitions() | ||
keySyncer := &crdCABundleInjector{ | ||
client: client.ApiextensionsV1().CustomResourceDefinitions(), | ||
lister: informer.Lister(), | ||
caBundle: config.caBundle, | ||
} | ||
return controllerConfig{ | ||
name: "CRDCABundleInjector", | ||
keySyncer: keySyncer, | ||
informerGetter: informer, | ||
startInformers: func(stopChan <-chan struct{}) { | ||
informers.Start(stopChan) | ||
}, | ||
} | ||
} | ||
|
||
func (bi *crdCABundleInjector) Key(namespace, name string) (metav1.Object, error) { | ||
return bi.lister.Get(name) | ||
} | ||
|
||
func (bi *crdCABundleInjector) Sync(obj metav1.Object) error { | ||
crd := obj.(*apiext.CustomResourceDefinition) | ||
|
||
if crd.Spec.Conversion == nil { | ||
klog.Warningf("customresourcedefinition %s is annotated for ca bundle injection but spec.conversion is not specified", crd.Name) | ||
return nil | ||
} | ||
if crd.Spec.Conversion.Strategy != apiext.WebhookConverter { | ||
klog.Warningf("customresourcedefinition %s is annotated for ca bundle injection but does not use strategy %q", crd.Name, apiext.WebhookConverter) | ||
return nil | ||
} | ||
if bytes.Equal(crd.Spec.Conversion.Webhook.ClientConfig.CABundle, bi.caBundle) { | ||
// up-to-date | ||
return nil | ||
} | ||
|
||
klog.Infof("updating customresourcedefinition %s conversion webhook config with the service signing CA bundle", crd.Name) | ||
|
||
// make a copy to avoid mutating cache state | ||
crdCopy := crd.DeepCopy() | ||
crdCopy.Spec.Conversion.Webhook.ClientConfig.CABundle = bi.caBundle | ||
_, err := bi.client.Update(crdCopy) | ||
return err | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
111 changes: 111 additions & 0 deletions
111
vendor/k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/clientset.go
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
20 changes: 20 additions & 0 deletions
20
vendor/k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/doc.go
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
Oops, something went wrong.