-
Notifications
You must be signed in to change notification settings - Fork 35
/
validatingwebhookconfiguration_controller.go
90 lines (80 loc) · 3.54 KB
/
validatingwebhookconfiguration_controller.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
package cainjection
import (
"context"
"strings"
"github.com/go-logr/logr"
"github.com/redhat-cop/cert-utils-operator/controllers/util"
outils "github.com/redhat-cop/operator-utils/pkg/util"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/errors"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime/schema"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/builder"
"sigs.k8s.io/controller-runtime/pkg/reconcile"
"sigs.k8s.io/controller-runtime/pkg/source"
)
// ValidatingWebhookConfigurationReconciler reconciles a Namespace object
type ValidatingWebhookConfigurationReconciler struct {
outils.ReconcilerBase
Log logr.Logger
controllerName string
}
// SetupWithManager sets up the controller with the Manager.
func (r *ValidatingWebhookConfigurationReconciler) SetupWithManager(mgr ctrl.Manager) error {
r.controllerName = "validating_webhook_ca_injection_controller"
return ctrl.NewControllerManagedBy(mgr).
For(&admissionregistrationv1.ValidatingWebhookConfiguration{
TypeMeta: v1.TypeMeta{
Kind: "ValidatingWebhookConfiguration",
},
}, builder.WithPredicates(util.IsAnnotatedForSecretCAInjection)).
Watches(&source.Kind{Type: &corev1.Secret{
TypeMeta: v1.TypeMeta{
Kind: "Secret",
},
}}, util.NewEnqueueRequestForReferecingObject(r.GetRestConfig(), schema.FromAPIVersionAndKind("admissionregistration.k8s.io/v1", "ValidatingWebhookConfiguration")), builder.WithPredicates(util.IsCAContentChanged)).
Complete(r)
}
// +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=validatingwebhookconfigurations,verbs=get;list;watch;update;patch
// +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch
// +kubebuilder:rbac:groups="",resources=events,verbs=get;list;watch;create;patch
func (r *ValidatingWebhookConfigurationReconciler) Reconcile(context context.Context, req ctrl.Request) (reconcile.Result, error) {
log := r.Log.WithValues("validatingwebhookconfiguration", req.NamespacedName)
// Fetch the ValidatingWebhookConfiguration instance
instance := &admissionregistrationv1.ValidatingWebhookConfiguration{}
err := r.GetClient().Get(context, req.NamespacedName, instance)
if err != nil {
if errors.IsNotFound(err) {
// Request object not found, could have been deleted after reconcile request.
// Owned objects are automatically garbage collected. For additional cleanup logic use finalizers.
// Return and don't requeue
return reconcile.Result{}, nil
}
// Error reading the object - requeue the request.
return reconcile.Result{}, err
}
caBundle := []byte{}
if secretNamespacedName, ok := instance.GetAnnotations()[util.CertAnnotationSecret]; ok {
err = util.ValidateSecretName(secretNamespacedName)
if err != nil {
log.Error(err, "invalid ca secret name", "secret", secretNamespacedName)
return r.ManageError(context, instance, err)
}
//we need to inject the secret ca
caBundle, err = util.GetSecretCA(r.GetClient(), secretNamespacedName[strings.Index(secretNamespacedName, "/")+1:], secretNamespacedName[:strings.Index(secretNamespacedName, "/")])
if err != nil {
log.Error(err, "unable to retrive ca from secret", "secret", secretNamespacedName)
return r.ManageError(context, instance, err)
}
}
for i := range instance.Webhooks {
instance.Webhooks[i].ClientConfig.CABundle = caBundle
}
err = r.GetClient().Update(context, instance)
if err != nil {
return r.ManageError(context, instance, err)
}
return r.ManageSuccess(context, instance)
}