adding a few changes for webhook operator functionality

amagioss · Aug 20, 2024 · a3d1f99 · a3d1f99
1 parent ffcd237
commit a3d1f99
Show file tree

Hide file tree

Showing 12 changed files with 118 additions and 134 deletions.
diff --git a/internal/app/main.go b/internal/app/main.go
@@ -10,14 +10,12 @@ import (
 )
 
 const (
-	slvModeEnvar       = "SLV_MODE"
-	slvModeK8sOperator = "k8s_operator"
-	slvModeK8sJob      = "k8s_job"
+	slvModeK8sOperator = "K8S_OPERATOR"
+	slvModeK8sJob      = "K8S_JOB"
 )
 
 func main() {
-	slvMode := strings.ToLower(os.Getenv(slvModeEnvar))
-	switch slvMode {
+	switch strings.ToUpper(os.Getenv("SLV_MODE")) {
 	case slvModeK8sOperator:
 		operator.Run()
 	case slvModeK8sJob:

diff --git a/internal/cli/commands/cmdenv/new.go b/internal/cli/commands/cmdenv/new.go
@@ -56,7 +56,11 @@ func envNewServiceCommand() *cobra.Command {
 			env.AddTags(tags...)
 			ShowEnv(*env, true, false)
 			if secretKey != nil {
-				fmt.Println("\nSecret Key:\t", color.HiBlackString(secretKey.String()))
+				if skStr, err := secretKey.String(); err == nil {
+					fmt.Println("\nSecret Key:\t", color.HiBlackString(skStr))
+				} else {
+					utils.ExitOnError(err)
+				}
 			}
 			addToProfileFlag, _ := cmd.Flags().GetBool(envAddFlag.Name)
 			if addToProfileFlag {

diff --git a/internal/cli/commands/cmdvault/shell.go b/internal/cli/commands/cmdvault/shell.go
@@ -32,12 +32,12 @@ func vaultShellCommand() *cobra.Command {
 					utils.ExitOnErrorWithMessage("Not a supported shell")
 				}
 			}
-			envSecretKey, err := secretkey.Get()
+			vaultFile := cmd.Flag(vaultFileFlag.Name).Value.String()
+			vault, err := getVault(vaultFile)
 			if err != nil {
 				utils.ExitOnError(err)
 			}
-			vaultFile := cmd.Flag(vaultFileFlag.Name).Value.String()
-			vault, err := getVault(vaultFile)
+			envSecretKey, err := secretkey.Get()
 			if err != nil {
 				utils.ExitOnError(err)
 			}

diff --git a/internal/k8s/api/v1/slv_webhook.go b/internal/k8s/api/v1/slv_webhook.go
@@ -39,7 +39,7 @@ func (r *SLV) SetupWebhookWithManager(mgr ctrl.Manager) error {
 // TODO(user): EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
 
 // TODO(user): change verbs to "verbs=create;update;delete" if you want to enable deletion validation.
-//+kubebuilder:webhook:path=/validate-slv-oss-amagi-com-v1-slv,mutating=false,failurePolicy=fail,sideEffects=None,groups=slv.oss.amagi.com,resources=slvs,verbs=create;update,versions=v1,name=vslv.kb.io,admissionReviewVersions=v1
+//+kubebuilder:webhook:path=/validate,mutating=false,failurePolicy=fail,sideEffects=None,groups=slv.oss.amagi.com,resources=slvs,verbs=create;update,versions=v1,name=vslv.oss.amagi.com,admissionReviewVersions=v1
 
 var _ webhook.Defaulter = &SLV{}
 

diff --git a/internal/k8s/config/crd/kustomization.yaml b/internal/k8s/config/crd/kustomization.yaml
@@ -13,7 +13,7 @@ patches:
 
 # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
 # patches here are for enabling the CA injection for each CRD
-#- path: patches/cainjection_in_slvs.yaml
+- path: patches/cainjection_in_slvs.yaml
 #+kubebuilder:scaffold:crdkustomizecainjectionpatch
 
 # [WEBHOOK] To enable webhook, uncomment the following section

diff --git a/internal/k8s/config/default/kustomization.yaml b/internal/k8s/config/default/kustomization.yaml
@@ -1,12 +1,12 @@
 # Adds namespace to all resources.
-namespace: operator-system
+namespace: slv
 
 # Value of this field is prepended to the
 # names of all resources, e.g. a deployment named
 # "wordpress" becomes "alices-wordpress".
 # Note that it should also match with the prefix (text before '-') of the namespace
 # field above.
-namePrefix: operator-
+namePrefix: slv-
 
 # Labels to add to all resources and selectors.
 #labels:
@@ -22,7 +22,7 @@ resources:
 # crd/kustomization.yaml
 - ../webhook
 # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
-#- ../certmanager
+- ../certmanager
 # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
 #- ../prometheus
 
@@ -39,104 +39,88 @@ patches:
 # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
 # Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
 # 'CERTMANAGER' needs to be enabled to use ca injection
-#- path: webhookcainjection_patch.yaml
+- path: webhookcainjection_patch.yaml
 
 # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
 # Uncomment the following replacements to add the cert-manager CA injection annotations
-#replacements:
-#  - source: # Add cert-manager annotation to ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CRDs
-#      kind: Certificate
-#      group: cert-manager.io
-#      version: v1
-#      name: serving-cert # this name should match the one in certificate.yaml
-#      fieldPath: .metadata.namespace # namespace of the certificate CR
-#    targets:
-#      - select:
-#          kind: ValidatingWebhookConfiguration
-#        fieldPaths:
-#          - .metadata.annotations.[cert-manager.io/inject-ca-from]
-#        options:
-#          delimiter: '/'
-#          index: 0
-#          create: true
-#      - select:
-#          kind: MutatingWebhookConfiguration
-#        fieldPaths:
-#          - .metadata.annotations.[cert-manager.io/inject-ca-from]
-#        options:
-#          delimiter: '/'
-#          index: 0
-#          create: true
-#      - select:
-#          kind: CustomResourceDefinition
-#        fieldPaths:
-#          - .metadata.annotations.[cert-manager.io/inject-ca-from]
-#        options:
-#          delimiter: '/'
-#          index: 0
-#          create: true
-#  - source:
-#      kind: Certificate
-#      group: cert-manager.io
-#      version: v1
-#      name: serving-cert # this name should match the one in certificate.yaml
-#      fieldPath: .metadata.name
-#    targets:
-#      - select:
-#          kind: ValidatingWebhookConfiguration
-#        fieldPaths:
-#          - .metadata.annotations.[cert-manager.io/inject-ca-from]
-#        options:
-#          delimiter: '/'
-#          index: 1
-#          create: true
-#      - select:
-#          kind: MutatingWebhookConfiguration
-#        fieldPaths:
-#          - .metadata.annotations.[cert-manager.io/inject-ca-from]
-#        options:
-#          delimiter: '/'
-#          index: 1
-#          create: true
-#      - select:
-#          kind: CustomResourceDefinition
-#        fieldPaths:
-#          - .metadata.annotations.[cert-manager.io/inject-ca-from]
-#        options:
-#          delimiter: '/'
-#          index: 1
-#          create: true
-#  - source: # Add cert-manager annotation to the webhook Service
-#      kind: Service
-#      version: v1
-#      name: webhook-service
-#      fieldPath: .metadata.name # namespace of the service
-#    targets:
-#      - select:
-#          kind: Certificate
-#          group: cert-manager.io
-#          version: v1
-#        fieldPaths:
-#          - .spec.dnsNames.0
-#          - .spec.dnsNames.1
-#        options:
-#          delimiter: '.'
-#          index: 0
-#          create: true
-#  - source:
-#      kind: Service
-#      version: v1
-#      name: webhook-service
-#      fieldPath: .metadata.namespace # namespace of the service
-#    targets:
-#      - select:
-#          kind: Certificate
-#          group: cert-manager.io
-#          version: v1
-#        fieldPaths:
-#          - .spec.dnsNames.0
-#          - .spec.dnsNames.1
-#        options:
-#          delimiter: '.'
-#          index: 1
-#          create: true
+replacements:
+ - source: # Add cert-manager annotation to ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CRDs
+     kind: Certificate
+     group: cert-manager.io
+     version: v1
+     name: serving-cert # this name should match the one in certificate.yaml
+     fieldPath: .metadata.namespace # namespace of the certificate CR
+   targets:
+     - select:
+         kind: ValidatingWebhookConfiguration
+       fieldPaths:
+         - .metadata.annotations.[cert-manager.io/inject-ca-from]
+       options:
+         delimiter: '/'
+         index: 0
+         create: true
+     - select:
+         kind: CustomResourceDefinition
+       fieldPaths:
+         - .metadata.annotations.[cert-manager.io/inject-ca-from]
+       options:
+         delimiter: '/'
+         index: 0
+         create: true
+ - source:
+     kind: Certificate
+     group: cert-manager.io
+     version: v1
+     name: serving-cert # this name should match the one in certificate.yaml
+     fieldPath: .metadata.name
+   targets:
+     - select:
+         kind: ValidatingWebhookConfiguration
+       fieldPaths:
+         - .metadata.annotations.[cert-manager.io/inject-ca-from]
+       options:
+         delimiter: '/'
+         index: 1
+         create: true
+     - select:
+         kind: CustomResourceDefinition
+       fieldPaths:
+         - .metadata.annotations.[cert-manager.io/inject-ca-from]
+       options:
+         delimiter: '/'
+         index: 1
+         create: true
+ - source: # Add cert-manager annotation to the webhook Service
+     kind: Service
+     version: v1
+     name: webhook-service
+     fieldPath: .metadata.name # namespace of the service
+   targets:
+     - select:
+         kind: Certificate
+         group: cert-manager.io
+         version: v1
+       fieldPaths:
+         - .spec.dnsNames.0
+         - .spec.dnsNames.1
+       options:
+         delimiter: '.'
+         index: 0
+         create: true
+ - source:
+     kind: Service
+     version: v1
+     name: webhook-service
+     fieldPath: .metadata.namespace # namespace of the service
+   targets:
+     - select:
+         kind: Certificate
+         group: cert-manager.io
+         version: v1
+       fieldPaths:
+         - .spec.dnsNames.0
+         - .spec.dnsNames.1
+       options:
+         delimiter: '.'
+         index: 1
+         create: true
diff --git a/internal/k8s/config/default/webhookcainjection_patch.yaml b/internal/k8s/config/default/webhookcainjection_patch.yaml
@@ -1,20 +1,6 @@
 # This patch add annotation to admission webhook config and
 # CERTIFICATE_NAMESPACE and CERTIFICATE_NAME will be substituted by kustomize
 apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
-  labels:
-    app.kubernetes.io/name: mutatingwebhookconfiguration
-    app.kubernetes.io/instance: mutating-webhook-configuration
-    app.kubernetes.io/component: webhook
-    app.kubernetes.io/created-by: operator
-    app.kubernetes.io/part-of: operator
-    app.kubernetes.io/managed-by: kustomize
-  name: mutating-webhook-configuration
-  annotations:
-    cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME
----
-apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:

diff --git a/internal/k8s/config/manager/kustomization.yaml b/internal/k8s/config/manager/kustomization.yaml
@@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
 - name: controller
-  newName: ttl.sh/slv-controller
-  newTag: 1h
+  newName: ghcr.io/amagioss/slv
+  newTag: latest
diff --git a/internal/k8s/config/manager/manager.yaml b/internal/k8s/config/manager/manager.yaml
@@ -66,11 +66,14 @@ spec:
         # seccompProfile:
         #   type: RuntimeDefault
       containers:
-      - command:
-        - /manager
-        args:
+      - args:
         - --leader-elect
         image: controller:latest
+        env:
+          - name: SLV_MODE
+            value: "k8s_operator"
+          - name: SLV_K8S_ENABLE_WEBHOOKS
+            value: "true"
         name: manager
         securityContext:
           allowPrivilegeEscalation: false

diff --git a/internal/k8s/config/webhook/manifests.yaml b/internal/k8s/config/webhook/manifests.yaml
@@ -10,9 +10,9 @@ webhooks:
     service:
       name: webhook-service
       namespace: system
-      path: /validate-slv-oss-amagi-com-v1-slv
+      path: /validate
   failurePolicy: Fail
-  name: vslv.kb.io
+  name: vslv.oss.amagi.com
   rules:
   - apiGroups:
     - slv.oss.amagi.com

diff --git a/internal/k8s/deploy/operator.yaml b/internal/k8s/deploy/operator.yaml
@@ -78,6 +78,8 @@ spec:
         env:
           - name: SLV_MODE
             value: "k8s_operator"
+          # - name: SLV_K8S_ENABLE_WEBHOOKS
+          #   value: "true"
           # - name: SLV_ENV_SECRET_KEY
           #   valueFrom: # SLV Environment Secret Key from K8s Secret
           #     secretKeyRef:

diff --git a/internal/k8s/operator/operator.go b/internal/k8s/operator/operator.go
@@ -42,6 +42,11 @@ import (
 	//+kubebuilder:scaffold:imports
 )
 
+const (
+	envar_SLV_K8S_ENABLE_WEBHOOKS = "SLV_K8S_ENABLE_WEBHOOKS"
+	envar_ENABLE_WEBHOOKS         = "ENABLE_WEBHOOKS"
+)
+
 var (
 	scheme   = runtime.NewScheme()
 	setupLog = ctrl.Log.WithName("setup")
@@ -140,7 +145,9 @@ func Run() {
 		setupLog.Error(err, "unable to create controller", "controller", slvv1.Kind)
 		os.Exit(1)
 	}
-	if strings.ToLower(os.Getenv("ENABLE_WEBHOOKS")) == "true" {
+	if strings.ToLower(os.Getenv(envar_SLV_K8S_ENABLE_WEBHOOKS)) == "true" ||
+		strings.ToLower(os.Getenv(envar_ENABLE_WEBHOOKS)) == "true" {
+		setupLog.Info("setting up webhooks")
 		if err = (&slvv1.SLV{}).SetupWebhookWithManager(mgr); err != nil {
 			setupLog.Error(err, "unable to create webhook", "webhook", slvv1.Kind)
 			os.Exit(1)