support disable installer

Author: Mengqi Yu

example/main.go

@@ -39,18 +39,24 @@ import (
 var log = logf.Log.WithName("example-controller")
 
 func main() {
+	var enableInstaller bool
+	flag.BoolVar(&enableInstaller, "enable-installer", false,
+		"enable the installer in the webhook server, so it will install webhook related resources during bootstrapping")
+
 	flag.Parse()
 	logf.SetLogger(logf.ZapLogger(false))
 	entryLog := log.WithName("entrypoint")
 
 	// Setup a Manager
+	entryLog.Info("setting up manager")
 	mgr, err := manager.New(config.GetConfigOrDie(), manager.Options{})
 	if err != nil {
 		entryLog.Error(err, "unable to set up overall controller manager")
 		os.Exit(1)
 	}
 
 	// Setup a new controller to Reconciler ReplicaSets
+	entryLog.Info("Setting up controller")
 	c, err := controller.New("foo-controller", mgr, controller.Options{
 		Reconciler: &reconcileReplicaSet{client: mgr.GetClient(), log: log.WithName("reconciler")},
 	})
@@ -73,6 +79,7 @@ func main() {
 	}
 
 	// Setup webhooks
+	entryLog.Info("setting up webhooks")
 	mutatingWebhook, err := builder.NewWebhookBuilder().
 		Name("mutating.k8s.io").
 		Mutating().
@@ -99,9 +106,11 @@ func main() {
 		os.Exit(1)
 	}
 
+	entryLog.Info("setting up webhook server")
 	as, err := webhook.NewServer("foo-admission-server", mgr, webhook.ServerOptions{
-		Port:    9876,
-		CertDir: "/tmp/cert",
+		Port:            9876,
+		CertDir:         "/tmp/cert",
+		EnableInstaller: enableInstaller,
 		BootstrapOptions: &webhook.BootstrapOptions{
 			Secret: &apitypes.NamespacedName{
 				Namespace: "default",
@@ -122,12 +131,15 @@ func main() {
 		entryLog.Error(err, "unable to create a new webhook server")
 		os.Exit(1)
 	}
+
+	entryLog.Info("registering webhooks to the webhook server")
 	err = as.Register(mutatingWebhook, validatingWebhook)
 	if err != nil {
 		entryLog.Error(err, "unable to register webhooks in the admission server")
 		os.Exit(1)
 	}
 
+	entryLog.Info("starting manager")
 	if err := mgr.Start(signals.SetupSignalHandler()); err != nil {
 		entryLog.Error(err, "unable to run manager")
 		os.Exit(1)

pkg/webhook/bootstrap.go

@@ -22,12 +22,9 @@ import (
 	"net"
 	"net/http"
 	"net/url"
-	"os"
 	"path"
 	"strconv"
 
-	"github.com/ghodss/yaml"
-
 	"k8s.io/api/admissionregistration/v1beta1"
 	admissionregistration "k8s.io/api/admissionregistration/v1beta1"
 	corev1 "k8s.io/api/core/v1"
@@ -114,15 +111,11 @@ func (s *Server) setBootstrappingDefault() {
 	s.certProvisioner = &cert.Provisioner{
 		CertWriter: certWriter,
 	}
-	if s.Writer == nil {
-		s.Writer = os.Stdout
-	}
 }
 
-// installWebhookConfig writes the configuration of admissionWebhookConfiguration in yaml format if dryrun is true.
-// Otherwise, it creates the the admissionWebhookConfiguration objects and service if any.
+// InstallWebhookManifests creates the admissionWebhookConfiguration objects and service if any.
 // It also provisions the certificate for the admission server.
-func (s *Server) installWebhookConfig() error {
+func (s *Server) InstallWebhookManifests() error {
 	// do defaulting if necessary
 	s.once.Do(s.setDefault)
 	if s.err != nil {
@@ -145,40 +138,14 @@ func (s *Server) installWebhookConfig() error {
 	_, err = s.certProvisioner.Provision(cert.Options{
 		ClientConfig: cc,
 		Objects:      s.webhookConfigurations,
-		Dryrun:       s.Dryrun,
 	})
 	if err != nil {
 		return err
 	}
 
-	if s.Dryrun {
-		// TODO: print here
-		// if dryrun, return the AdmissionWebhookConfiguration in yaml format.
-		return s.genYamlConfig(objects)
-	}
-
 	return batchCreateOrReplace(s.Client, objects...)
 }
 
-// genYamlConfig generates yaml config for admissionWebhookConfiguration
-func (s *Server) genYamlConfig(objs []runtime.Object) error {
-	for _, obj := range objs {
-		_, err := s.Writer.Write([]byte("---"))
-		if err != nil {
-			return err
-		}
-		b, err := yaml.Marshal(obj)
-		if err != nil {
-			return err
-		}
-		_, err = s.Writer.Write(b)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
 func (s *Server) getClientConfig() (*admissionregistration.WebhookClientConfig, error) {
 	if s.Host != nil && s.Service != nil {
 		return nil, errors.New("URL and Service can't be set at the same time")

pkg/webhook/server.go

@@ -54,10 +54,9 @@ type ServerOptions struct {
 	// Client will be injected by the manager if not set.
 	Client client.Client
 
-	// Dryrun controls if the server will install the webhookConfiguration and service if any.
-	// If true, it will print the objects in yaml format.
-	// If false, it will install the objects in the cluster.
-	Dryrun bool
+	// EnableInstaller controls if the server will automatically create webhook related objects
+	// during bootstrapping. e.g. webhookConfiguration, service and secret.
+	EnableInstaller bool
 
 	// BootstrapOptions contains the options for bootstrapping the admission server.
 	*BootstrapOptions
@@ -75,7 +74,8 @@ type BootstrapOptions struct {
 	// This is optional. If unspecified, it will write to the filesystem.
 	// It the secret already exists and is different from the desired, it will be replaced.
 	Secret *apitypes.NamespacedName
-	// Writer is used in dryrun mode for writing the objects in yaml format.
+
+	// Deprecated: Writer will not be used anywhere.
 	Writer io.Writer
 
 	// Service is k8s service fronting the webhook server pod(s).
@@ -187,13 +187,17 @@ func (s *Server) Handle(pattern string, handler http.Handler) {
 
 var _ manager.Runnable = &Server{}
 
-// Start runs the server if s.Dryrun is false.
-// Otherwise, it will print the objects in yaml format.
+// Start runs the server.
+// It will install the webhook related resources depend on the server configuration.
 func (s *Server) Start(stop <-chan struct{}) error {
-	err := s.installWebhookConfig()
-	// if encounter an error or it's in dryrun mode, return.
-	if err != nil || s.Dryrun {
-		return err
+	if s.EnableInstaller {
+		log.Info("webhook installer is enabled")
+		err := s.InstallWebhookManifests()
+		if err != nil {
+			return err
+		}
+	} else {
+		log.Info("webhook installer is disabled")
 	}
 
 	srv := &http.Server{

pkg/webhook/util.go

@@ -18,7 +18,6 @@ package webhook
 
 import (
 	"context"
-	"fmt"
 
 	admissionregistration "k8s.io/api/admissionregistration/v1beta1"
 	corev1 "k8s.io/api/core/v1"
@@ -27,29 +26,34 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
-type mutateFn func(current, desired runtime.Object) error
+type mutateFn func(current, desired *runtime.Object) error
 
-var serviceFn = func(current, desired runtime.Object) error {
-	typedC := current.(*corev1.Service)
-	typedD := desired.(*corev1.Service)
+var serviceFn = func(current, desired *runtime.Object) error {
+	typedC := (*current).(*corev1.Service)
+	typedD := (*desired).(*corev1.Service)
 	typedC.Spec.Selector = typedD.Spec.Selector
 	return nil
 }
 
-var mutatingWebhookConfigFn = func(current, desired runtime.Object) error {
-	typedC := current.(*admissionregistration.MutatingWebhookConfiguration)
-	typedD := desired.(*admissionregistration.MutatingWebhookConfiguration)
+var mutatingWebhookConfigFn = func(current, desired *runtime.Object) error {
+	typedC := (*current).(*admissionregistration.MutatingWebhookConfiguration)
+	typedD := (*desired).(*admissionregistration.MutatingWebhookConfiguration)
 	typedC.Webhooks = typedD.Webhooks
 	return nil
 }
 
-var validatingWebhookConfigFn = func(current, desired runtime.Object) error {
-	typedC := current.(*admissionregistration.ValidatingWebhookConfiguration)
-	typedD := desired.(*admissionregistration.ValidatingWebhookConfiguration)
+var validatingWebhookConfigFn = func(current, desired *runtime.Object) error {
+	typedC := (*current).(*admissionregistration.ValidatingWebhookConfiguration)
+	typedD := (*desired).(*admissionregistration.ValidatingWebhookConfiguration)
 	typedC.Webhooks = typedD.Webhooks
 	return nil
 }
 
+var genericFn = func(current, desired *runtime.Object) error {
+	*current = *desired
+	return nil
+}
+
 // createOrReplaceHelper creates the object if it doesn't exist;
 // otherwise, it will replace it.
 // When replacing, fn  should know how to preserve existing fields in the object GET from the APIServer.
@@ -70,7 +74,7 @@ func createOrReplaceHelper(c client.Client, obj runtime.Object, fn mutateFn) err
 		if err != nil {
 			return err
 		}
-		err = fn(existing, obj)
+		err = fn(&existing, &obj)
 		if err != nil {
 			return err
 		}
@@ -83,6 +87,7 @@ func createOrReplaceHelper(c client.Client, obj runtime.Object, fn mutateFn) err
 // otherwise, it will replace it.
 // When replacing, it knows how to preserve existing fields in the object GET from the APIServer.
 // It currently only support MutatingWebhookConfiguration, ValidatingWebhookConfiguration and Service.
+// For other kinds, it uses genericFn to replace the whole object.
 func createOrReplace(c client.Client, obj runtime.Object) error {
 	if obj == nil {
 		return nil
@@ -95,7 +100,7 @@ func createOrReplace(c client.Client, obj runtime.Object) error {
 	case *corev1.Service:
 		return createOrReplaceHelper(c, obj, serviceFn)
 	default:
-		return fmt.Errorf("unsupported GroupVersionKind: %#v", obj.GetObjectKind().GroupVersionKind())
+		return createOrReplaceHelper(c, obj, genericFn)
 	}
 }