support gen-manifests and disable-installer

Author: Mengqi Yu

example/main.go

@@ -39,18 +39,26 @@ import (
 var log = logf.Log.WithName("example-controller")
 
 func main() {
+	var genManifests, disableInstaller bool
+	flag.BoolVar(&genManifests, "generate-manifests", false,
+		"generate manifests for webhook related resources")
+	flag.BoolVar(&disableInstaller, "disable-installer", false,
+		"disable the installer in the webhook server, so it won't install webhook related resources during bootstrapping")
+
 	flag.Parse()
 	logf.SetLogger(logf.ZapLogger(false))
 	entryLog := log.WithName("entrypoint")
 
 	// Setup a Manager
+	entryLog.Info("setting up manager")
 	mgr, err := manager.New(config.GetConfigOrDie(), manager.Options{})
 	if err != nil {
 		entryLog.Error(err, "unable to set up overall controller manager")
 		os.Exit(1)
 	}
 
 	// Setup a new controller to Reconciler ReplicaSets
+	entryLog.Info("Setting up controller")
 	c, err := controller.New("foo-controller", mgr, controller.Options{
 		Reconciler: &reconcileReplicaSet{client: mgr.GetClient(), log: log.WithName("reconciler")},
 	})
@@ -73,6 +81,7 @@ func main() {
 	}
 
 	// Setup webhooks
+	entryLog.Info("setting up webhooks")
 	mutatingWebhook, err := builder.NewWebhookBuilder().
 		Name("mutating.k8s.io").
 		Mutating().
@@ -99,9 +108,12 @@ func main() {
 		os.Exit(1)
 	}
 
+	entryLog.Info("setting up webhook server")
 	as, err := webhook.NewServer("foo-admission-server", mgr, webhook.ServerOptions{
-		Port:    9876,
-		CertDir: "/tmp/cert",
+		Port:              9876,
+		CertDir:           "/tmp/cert",
+		GenerateManifests: genManifests,
+		DisableInstaller:  disableInstaller,
 		BootstrapOptions: &webhook.BootstrapOptions{
 			Secret: &apitypes.NamespacedName{
 				Namespace: "default",
@@ -122,12 +134,15 @@ func main() {
 		entryLog.Error(err, "unable to create a new webhook server")
 		os.Exit(1)
 	}
+
+	entryLog.Info("registering webhooks to the webhook server")
 	err = as.Register(mutatingWebhook, validatingWebhook)
 	if err != nil {
 		entryLog.Error(err, "unable to register webhooks in the admission server")
 		os.Exit(1)
 	}
 
+	entryLog.Info("starting manager")
 	if err := mgr.Start(signals.SetupSignalHandler()); err != nil {
 		entryLog.Error(err, "unable to run manager")
 		os.Exit(1)

pkg/webhook/bootstrap.go

@@ -26,10 +26,9 @@ import (
 	"path"
 	"strconv"
 
-	"github.com/ghodss/yaml"
-
 	"k8s.io/api/admissionregistration/v1beta1"
 	admissionregistration "k8s.io/api/admissionregistration/v1beta1"
+	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -93,6 +92,15 @@ func (s *Server) setBootstrappingDefault() {
 		s.Host = &varString
 	}
 
+	if s.Writer == nil {
+		s.Writer = os.Stdout
+	}
+	if s.GenerateManifests {
+		s.Client = &writerClient{
+			writer: s.Writer,
+		}
+	}
+
 	var certWriter writer.CertWriter
 	var err error
 	if s.Secret != nil {
@@ -114,12 +122,10 @@ func (s *Server) setBootstrappingDefault() {
 	s.certProvisioner = &cert.Provisioner{
 		CertWriter: certWriter,
 	}
-	if s.Writer == nil {
-		s.Writer = os.Stdout
-	}
 }
 
-// installWebhookConfig writes the configuration of admissionWebhookConfiguration in yaml format if dryrun is true.
+// installWebhookConfig writes the configuration of admissionWebhookConfiguration in yaml format
+// if GenerateManifests is true.
 // Otherwise, it creates the the admissionWebhookConfiguration objects and service if any.
 // It also provisions the certificate for the admission server.
 func (s *Server) installWebhookConfig() error {
@@ -129,6 +135,14 @@ func (s *Server) installWebhookConfig() error {
 		return s.err
 	}
 
+	if !s.GenerateManifests && s.DisableInstaller {
+		log.Info("webhook installer is disabled")
+		return nil
+	}
+	if s.GenerateManifests {
+		log.Info("generating webhook related manifests")
+	}
+
 	var err error
 	s.webhookConfigurations, err = s.whConfigs()
 	if err != nil {
@@ -145,40 +159,18 @@ func (s *Server) installWebhookConfig() error {
 	_, err = s.certProvisioner.Provision(cert.Options{
 		ClientConfig: cc,
 		Objects:      s.webhookConfigurations,
-		Dryrun:       s.Dryrun,
 	})
 	if err != nil {
 		return err
 	}
 
-	if s.Dryrun {
-		// TODO: print here
-		// if dryrun, return the AdmissionWebhookConfiguration in yaml format.
-		return s.genYamlConfig(objects)
+	if s.GenerateManifests {
+		objects = append(objects, s.deployment())
 	}
 
 	return batchCreateOrReplace(s.Client, objects...)
 }
 
-// genYamlConfig generates yaml config for admissionWebhookConfiguration
-func (s *Server) genYamlConfig(objs []runtime.Object) error {
-	for _, obj := range objs {
-		_, err := s.Writer.Write([]byte("---"))
-		if err != nil {
-			return err
-		}
-		b, err := yaml.Marshal(obj)
-		if err != nil {
-			return err
-		}
-		_, err = s.Writer.Write(b)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
 func (s *Server) getClientConfig() (*admissionregistration.WebhookClientConfig, error) {
 	if s.Host != nil && s.Service != nil {
 		return nil, errors.New("URL and Service can't be set at the same time")
@@ -360,3 +352,100 @@ func (s *Server) service() runtime.Object {
 	}
 	return svc
 }
+
+func (s *Server) deployment() runtime.Object {
+	namespace := "default"
+	if s.Secret != nil {
+		namespace = s.Secret.Namespace
+	}
+
+	labels := map[string]string{
+		"app": "webhook-server",
+	}
+	if s.Service != nil {
+		for k, v := range s.Service.Selectors {
+			labels[k] = v
+		}
+	}
+
+	image := "webhook-server:latest"
+	if len(os.Getenv("IMG")) != 0 {
+		image = os.Getenv("IMG")
+	}
+
+	readOnly := false
+	if s.Service != nil {
+		readOnly = true
+	}
+
+	var volumeSource corev1.VolumeSource
+	if s.Secret != nil {
+		var mode int32 = 420
+		volumeSource = corev1.VolumeSource{
+			Secret: &corev1.SecretVolumeSource{
+				DefaultMode: &mode,
+				SecretName:  s.Secret.Name,
+			},
+		}
+	} else {
+		volumeSource = corev1.VolumeSource{
+			EmptyDir: &corev1.EmptyDirVolumeSource{},
+		}
+	}
+
+	return &appsv1.Deployment{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "apps/v1",
+			Kind:       "Deployment",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "webhook-server",
+			Namespace: namespace,
+			Labels:    labels,
+		},
+		Spec: appsv1.DeploymentSpec{
+			Selector: &metav1.LabelSelector{
+				MatchLabels: labels,
+			},
+			Template: corev1.PodTemplateSpec{
+				ObjectMeta: metav1.ObjectMeta{
+					Labels: labels,
+				},
+				Spec: corev1.PodSpec{
+					Containers: []corev1.Container{
+						{
+							Name:            "webhook-server-container",
+							Image:           image,
+							ImagePullPolicy: corev1.PullAlways,
+							Command: []string{
+								"/bin/sh",
+								"-c",
+								"exec ./manager --disable-installer",
+							},
+							Ports: []corev1.ContainerPort{
+								{
+									Name:          "webhook-server",
+									Protocol:      corev1.ProtocolTCP,
+									ContainerPort: s.Port,
+								},
+							},
+							VolumeMounts: []corev1.VolumeMount{
+								{
+									Name:      "cert",
+									MountPath: s.CertDir,
+									ReadOnly:  readOnly,
+								},
+							},
+						},
+					},
+					Volumes: []corev1.Volume{
+						{
+							Name:         "cert",
+							VolumeSource: volumeSource,
+						},
+					},
+				},
+			},
+		},
+	}
+}

pkg/webhook/internal/cert/provisioner.go

@@ -46,8 +46,6 @@ type Options struct {
 	ClientConfig *admissionregistrationv1beta1.WebhookClientConfig
 	// Objects are the objects that will use the ClientConfig above.
 	Objects []runtime.Object
-	// Dryrun controls if the objects are sent to the API server or write to io.Writer
-	Dryrun bool
 }
 
 // Provision provisions certificates for for the WebhookClientConfig.
@@ -68,7 +66,7 @@ func (cp *Provisioner) Provision(options Options) (bool, error) {
 		return false, err
 	}
 
-	certs, changed, err := cp.CertWriter.EnsureCert(dnsName, options.Dryrun)
+	certs, changed, err := cp.CertWriter.EnsureCert(dnsName)
 	if err != nil {
 		return false, err
 	}

pkg/webhook/internal/cert/provisioner_test.go

@@ -211,7 +211,7 @@ type fakeCertWriter struct {
 
 var _ writer.CertWriter = &fakeCertWriter{}
 
-func (f *fakeCertWriter) EnsureCert(dnsName string, dryrun bool) (*generator.Artifacts, bool, error) {
+func (f *fakeCertWriter) EnsureCert(dnsName string) (*generator.Artifacts, bool, error) {
 	f.invokedEnsureCert = true
 	return &generator.Artifacts{}, true, nil
 }

pkg/webhook/internal/cert/writer/certwriter.go

@@ -41,7 +41,7 @@ const (
 // CertWriter provides method to handle webhooks.
 type CertWriter interface {
 	// EnsureCert provisions the cert for the webhookClientConfig.
-	EnsureCert(dnsName string, dryrun bool) (*generator.Artifacts, bool, error)
+	EnsureCert(dnsName string) (*generator.Artifacts, bool, error)
 	// Inject injects the necessary information given the objects.
 	// It supports MutatingWebhookConfiguration and ValidatingWebhookConfiguration.
 	Inject(objs ...runtime.Object) error

pkg/webhook/internal/cert/writer/fs.go

@@ -72,8 +72,7 @@ func NewFSCertWriter(ops FSCertWriterOptions) (CertWriter, error) {
 }
 
 // EnsureCert provisions certificates for a webhookClientConfig by writing the certificates in the filesystem.
-// fsCertWriter doesn't support dryrun.
-func (f *fsCertWriter) EnsureCert(dnsName string, _ bool) (*generator.Artifacts, bool, error) {
+func (f *fsCertWriter) EnsureCert(dnsName string) (*generator.Artifacts, bool, error) {
 	// create or refresh cert and write it to fs
 	f.dnsName = dnsName
 	return handleCommon(f.dnsName, f)

pkg/webhook/internal/cert/writer/fs_test.go

@@ -60,7 +60,7 @@ var _ = Describe("fsCertWriter", func() {
 	Context("Failed to EnsureCert", func() {
 		Describe("empty DNS name", func() {
 			It("should return error", func() {
-				_, _, err := certWriter.EnsureCert("", false)
+				_, _, err := certWriter.EnsureCert("")
 				Expect(err).To(MatchError("dnsName should not be empty"))
 			})
 		})
@@ -69,15 +69,15 @@ var _ = Describe("fsCertWriter", func() {
 	Context("Succeeded to EnsureCert", func() {
 		Context("CertGenerator is not set", func() {
 			It("should default it and return no error", func() {
-				_, _, err := certWriter.EnsureCert(dnsName, false)
+				_, _, err := certWriter.EnsureCert(dnsName)
 				Expect(err).NotTo(HaveOccurred())
 
 			})
 		})
 
 		Context("no existing certificate files", func() {
 			It("should create new certificate files", func() {
-				_, _, err := certWriter.EnsureCert(dnsName, false)
+				_, _, err := certWriter.EnsureCert(dnsName)
 				Expect(err).NotTo(HaveOccurred())
 				caBytes, err := ioutil.ReadFile(path.Join(testingDir, CACertName))
 				Expect(err).NotTo(HaveOccurred())
@@ -102,7 +102,7 @@ var _ = Describe("fsCertWriter", func() {
 						})
 
 						It("should replace with new certs", func() {
-							_, _, err := certWriter.EnsureCert(dnsName, false)
+							_, _, err := certWriter.EnsureCert(dnsName)
 							Expect(err).NotTo(HaveOccurred())
 							caBytes, err := ioutil.ReadFile(path.Join(testingDir, CACertName))
 							Expect(err).NotTo(HaveOccurred())
@@ -131,7 +131,7 @@ var _ = Describe("fsCertWriter", func() {
 						})
 
 						It("should replace with new certs", func() {
-							_, _, err := certWriter.EnsureCert(dnsName, false)
+							_, _, err := certWriter.EnsureCert(dnsName)
 							Expect(err).NotTo(HaveOccurred())
 							caBytes, err := ioutil.ReadFile(path.Join(testingDir, CACertName))
 							Expect(err).NotTo(HaveOccurred())
@@ -156,7 +156,7 @@ var _ = Describe("fsCertWriter", func() {
 						})
 
 						It("should replace with new certs", func() {
-							_, _, err := certWriter.EnsureCert(dnsName, false)
+							_, _, err := certWriter.EnsureCert(dnsName)
 							Expect(err).NotTo(HaveOccurred())
 							caBytes, err := ioutil.ReadFile(path.Join(testingDir, CACertName))
 							Expect(err).NotTo(HaveOccurred())
@@ -191,7 +191,7 @@ var _ = Describe("fsCertWriter", func() {
 						})
 
 						It("should replace with new certs", func() {
-							_, _, err := certWriter.EnsureCert(dnsName, false)
+							_, _, err := certWriter.EnsureCert(dnsName)
 							Expect(err).NotTo(HaveOccurred())
 							caBytes, err := ioutil.ReadFile(path.Join(testingDir, CACertName))
 							Expect(err).NotTo(HaveOccurred())
@@ -220,7 +220,7 @@ var _ = Describe("fsCertWriter", func() {
 					close(done)
 				})
 				It("should keep the secret", func() {
-					_, _, err := certWriter.EnsureCert(dnsName, false)
+					_, _, err := certWriter.EnsureCert(dnsName)
 					Expect(err).NotTo(HaveOccurred())
 					caBytes, err := ioutil.ReadFile(path.Join(testingDir, CACertName))
 					Expect(err).NotTo(HaveOccurred())