github.com/verrazzano/verrazzano@v1.7.0/platform-operator/internal/operatorinit/update_webhooks.go

github.com/verrazzano/verrazzano@v1.7.0/platform-operator/internal/operatorinit/update_webhooks.go (about)

     1  // Copyright (c) 2020, 2022, Oracle and/or its affiliates.
     2  // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
     3  
     4  package operatorinit
     5  
     6  import (
     7  	"context"
     8  
     9  	"github.com/verrazzano/verrazzano/platform-operator/internal/k8s/certificate"
    10  	adminv1 "k8s.io/api/admissionregistration/v1"
    11  	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
    12  	apiextensionsv1client "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1"
    13  	"k8s.io/apimachinery/pkg/api/errors"
    14  	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    15  	"k8s.io/client-go/kubernetes"
    16  )
    17  
    18  // deleteValidatingWebhookConfiguration deletes a validating webhook configuration
    19  func deleteValidatingWebhookConfiguration(kubeClient kubernetes.Interface, name string) error {
    20  	_, err := kubeClient.AdmissionregistrationV1().ValidatingWebhookConfigurations().Get(context.TODO(), name, metav1.GetOptions{})
    21  	if err != nil {
    22  		if errors.IsNotFound(err) {
    23  			return nil
    24  		}
    25  		return err
    26  	}
    27  	return kubeClient.AdmissionregistrationV1().ValidatingWebhookConfigurations().Delete(context.TODO(), name, metav1.DeleteOptions{})
    28  }
    29  
    30  // updateValidatingWebhookConfiguration sets the CABundle
    31  func updateValidatingWebhookConfiguration(kubeClient kubernetes.Interface, name string) error {
    32  	validatingWebhook, err := kubeClient.AdmissionregistrationV1().ValidatingWebhookConfigurations().Get(context.TODO(), name, metav1.GetOptions{})
    33  	if err != nil {
    34  		return err
    35  	}
    36  	caSecret, errX := kubeClient.CoreV1().Secrets(certificate.OperatorNamespace).Get(context.TODO(), certificate.OperatorCA, metav1.GetOptions{})
    37  	if errX != nil {
    38  		return errX
    39  	}
    40  
    41  	crt := caSecret.Data[certificate.CertKey]
    42  	for i := range validatingWebhook.Webhooks {
    43  		validatingWebhook.Webhooks[i].ClientConfig.CABundle = crt
    44  	}
    45  
    46  	_, err = kubeClient.AdmissionregistrationV1().ValidatingWebhookConfigurations().Update(context.TODO(), validatingWebhook, metav1.UpdateOptions{})
    47  	return err
    48  }
    49  
    50  // updateConversionWebhookConfiguration sets the conversion webhook for the Verrazzano resource
    51  func updateConversionWebhookConfiguration(apiextClient apiextensionsv1client.ApiextensionsV1Interface, kubeClient kubernetes.Interface) error {
    52  	crd, err := apiextClient.CustomResourceDefinitions().Get(context.TODO(), certificate.CRDName, metav1.GetOptions{})
    53  	if err != nil {
    54  		return err
    55  	}
    56  	convertPath := "/convert"
    57  	var webhookPort int32 = 443
    58  	caSecret, err := kubeClient.CoreV1().Secrets(certificate.OperatorNamespace).Get(context.TODO(), certificate.OperatorCA, metav1.GetOptions{})
    59  	if err != nil {
    60  		return err
    61  	}
    62  
    63  	crt := caSecret.Data[certificate.CertKey]
    64  	crd.Spec.Conversion = &apiextensionsv1.CustomResourceConversion{
    65  		Strategy: apiextensionsv1.WebhookConverter,
    66  		Webhook: &apiextensionsv1.WebhookConversion{
    67  			ClientConfig: &apiextensionsv1.WebhookClientConfig{
    68  				Service: &apiextensionsv1.ServiceReference{
    69  					Name:      certificate.OperatorName,
    70  					Namespace: certificate.OperatorNamespace,
    71  					Path:      &convertPath,
    72  					Port:      &webhookPort,
    73  				},
    74  				CABundle: crt,
    75  			},
    76  			ConversionReviewVersions: []string{"v1beta1"},
    77  		},
    78  	}
    79  	_, err = apiextClient.CustomResourceDefinitions().Update(context.TODO(), crd, metav1.UpdateOptions{})
    80  	return err
    81  }
    82  
    83  // updateMutatingWebhookConfiguration sets the CABundle
    84  func updateMutatingWebhookConfiguration(kubeClient kubernetes.Interface, name string) error {
    85  	var webhook *adminv1.MutatingWebhookConfiguration
    86  	webhook, err := kubeClient.AdmissionregistrationV1().MutatingWebhookConfigurations().Get(context.TODO(), name, metav1.GetOptions{})
    87  	if err != nil {
    88  		return err
    89  	}
    90  	caSecret, err := kubeClient.CoreV1().Secrets(certificate.OperatorNamespace).Get(context.TODO(), certificate.OperatorCA, metav1.GetOptions{})
    91  	if err != nil {
    92  		return err
    93  	}
    94  	crt := caSecret.Data[certificate.CertKey]
    95  	for i := range webhook.Webhooks {
    96  		webhook.Webhooks[i].ClientConfig.CABundle = crt
    97  	}
    98  	_, err = kubeClient.AdmissionregistrationV1().MutatingWebhookConfigurations().Update(context.TODO(), webhook, metav1.UpdateOptions{})
    99  	if err != nil {
   100  		return err
   101  	}
   102  	return nil
   103  }