From fe6234c33bc978a2c74de77ceb0db6358f6d00c0 Mon Sep 17 00:00:00 2001
From: jiangkaihua
Date: Fri, 26 Aug 2022 15:28:06 +0800
Subject: [PATCH] Update CA insert method in webhooks.

Signed-off-by: jiangkaihua
---
 cmd/webhook-manager/app/server.go | 13 +++++++---
 cmd/webhook-manager/app/util.go | 26 +++++++------------
 .../chart/volcano/templates/admission.yaml | 3 ++-
 .../chart/volcano/templates/webhooks.yaml | 16 ++++++------
 installer/helm/chart/volcano/values.yaml | 8 +----
 installer/volcano-development.yaml | 1 +
 pkg/webhooks/router/admission.go | 10 +++++-
 7 files changed, 39 insertions(+), 38 deletions(-)

diff --git a/cmd/webhook-manager/app/server.go b/cmd/webhook-manager/app/server.go
index 7527e1fdc4..7a2e92dd0a 100644
--- a/cmd/webhook-manager/app/server.go
+++ b/cmd/webhook-manager/app/server.go
@@ -67,7 +67,7 @@ func Run(config *options.Config) error {
 broadcaster := record.NewBroadcaster()
 broadcaster.StartRecordingToSink(&corev1.EventSinkImpl{Interface: kubeClient.CoreV1().Events("")})
 recorder := broadcaster.NewRecorder(scheme.Scheme, v1.EventSource{Component: commonutil.GenerateComponentName(config.SchedulerNames)})
- router.ForEachAdmission(config, func(service *router.AdmissionService) {
+ if err := router.ForEachAdmission(config, func(service *router.AdmissionService) error {
 if service.Config != nil {
 service.Config.VolcanoClient = vClient
 service.Config.KubeClient = kubeClient
@@ -78,11 +78,16 @@ func Run(config *options.Config) error {
 klog.V(3).Infof("Registered '%s' as webhook.", service.Path)
 http.HandleFunc(service.Path, service.Handler)
- })
- if err = addCaCertForWebhook(kubeClient, config.CaCertData); err != nil {
- return fmt.Errorf("failed to add caCert for webhook %v", err)
+ klog.V(3).Infof("Add CaCert for webhook <%s>", service.Path)
+ if err = addCaCertForWebhook(kubeClient, service, config.CaCertData); err != nil {
+ return fmt.Errorf("failed to add caCert for webhook %v", err)
+ }
+ return nil
+ }); err != nil {
+ return err
 }
+ klog.V(3).Infof("Successfully added caCert for all webhooks")
 webhookServeError := make(chan struct{})
diff --git a/cmd/webhook-manager/app/util.go b/cmd/webhook-manager/app/util.go
index a8361d3558..7266468080 100644
--- a/cmd/webhook-manager/app/util.go
+++ b/cmd/webhook-manager/app/util.go
@@ -22,6 +22,7 @@ import (
 "crypto/tls"
 "crypto/x509"
 "fmt"
+ "strings"
 "time"
 v1 "k8s.io/api/admissionregistration/v1"
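Review bot: Inside the callback, `err = addCaCertForWebhook(...)` assigns to an `err` declared earlier in Run (the removed code already assigned to it) while the surrounding `if err := router.ForEachAdmission(...)` declares a second `err`; the callback's result is only ever consumed through its own return value, so the write to the outer variable is dead state and easy to misread. Use a callback-local variable, and put the path into the error so a failing webhook can be identified from the message: `if err := addCaCertForWebhook(kubeClient, service, config.CaCertData); err != nil {` followed by `return fmt.Errorf("adding caCert for webhook %s: %w", service.Path, err)`. Switching `%v` to `%w` also lets callers inspect the wrapped error with errors.Is/As. The enclosing `if` statement begins in the previous hunk and Run continues past this one.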
@@ -34,24 +35,15 @@ import (
 "volcano.sh/apis/pkg/client/clientset/versioned"
 "volcano.sh/volcano/cmd/webhook-manager/app/options"
+ "volcano.sh/volcano/pkg/webhooks/router"
 )
-var (
- validatingWebhooksName = []string{
- "volcano-admission-service-jobs-validate",
- "volcano-admission-service-pods-validate",
- "volcano-admission-service-queues-validate",
- }
- mutatingWebhooksName = []string{
- "volcano-admission-service-pods-mutate",
- "volcano-admission-service-queues-mutate",
- "volcano-admission-service-podgroups-mutate",
- "volcano-admission-service-jobs-mutate",
- }
-)
+const volcanoAdmissionPrefix = "volcano-admission-service"
-func addCaCertForWebhook(kubeClient *kubernetes.Clientset, caBundle []byte) error {
- for _, mutatingWebhookName := range mutatingWebhooksName {
+func addCaCertForWebhook(kubeClient *kubernetes.Clientset, service *router.AdmissionService, caBundle []byte) error {
+ if service.MutatingConfig != nil {
+ // update MutatingWebhookConfigurations
+ var mutatingWebhookName = volcanoAdmissionPrefix + strings.ReplaceAll(service.Path, "/", "-")
 var mutatingWebhook *v1.MutatingWebhookConfiguration
 webhookChanged := false
 if err := wait.Poll(time.Second, 5*time.Minute, func() (done bool, err error) {
@@ -82,7 +74,9 @@ func addCaCertForWebhook(kubeClient *kubernetes.Clientset, caBundle []byte) erro
 }
 }
- for _, validatingWebhookName := range validatingWebhooksName {
+ if service.ValidatingConfig != nil {
+ // update ValidatingWebhookConfigurations
+ var validatingWebhookName = volcanoAdmissionPrefix + strings.ReplaceAll(service.Path, "/", "-")
 var validatingWebhook *v1.ValidatingWebhookConfiguration
 webhookChanged := false
 if err := wait.Poll(time.Second, 5*time.Minute, func() (done bool, err error) {
diff --git a/installer/helm/chart/volcano/templates/admission.yaml b/installer/helm/chart/volcano/templates/admission.yaml
index 50256f61d6..784aed49a1 100644
--- a/installer/helm/chart/volcano/templates/admission.yaml
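Review bot: The webhook configuration name is now derived from `service.Path` (`volcanoAdmissionPrefix + strings.ReplaceAll(service.Path, "/", "-")`), once here and again verbatim in the validating branch of the -82 hunk, and nothing records that this derivation must match the object names the Helm templates create; if the two drift, the wait.Poll loop that follows (its body is outside the hunk) has no object to patch and, as far as this hunk shows, would run until its 5*time.Minute deadline, leaving that webhook without a caBundle. Factor it into one helper that documents the contract and the leading-slash assumption: `// webhookConfigName maps an admission path to the name of the Mutating/ValidatingWebhookConfiguration the chart creates for it, e.g. "/pods/mutate" -> "volcano-admission-service-pods-mutate"; path is expected to start with "/".` over `func webhookConfigName(path string) string { return volcanoAdmissionPrefix + strings.ReplaceAll(path, "/", "-") }`. Inside a function `var mutatingWebhookName = ...` is also more idiomatically `mutatingWebhookName := ...`. addCaCertForWebhook continues past both hunks.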
+++ b/installer/helm/chart/volcano/templates/admission.yaml
@@ -84,6 +84,7 @@ spec:
 {{- end }}
 containers:
 - args:
+ - --enabled-admission={{ .Values.custom.enabled_admissions }}
 - --tls-cert-file=/admission.local.config/certificates/tls.crt
 - --tls-private-key-file=/admission.local.config/certificates/tls.key
 - --ca-cert-file=/admission.local.config/certificates/ca.crt
@@ -154,4 +155,4 @@ spec:
 imagePullPolicy: IfNotPresent
 command: ["./gen-admission-secret.sh", "--service", "{{ .Release.Name }}-admission-service", "--namespace", "{{ .Release.Namespace }}", "--secret", "{{.Values.basic.admission_secret_name}}"]
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/installer/helm/chart/volcano/templates/webhooks.yaml b/installer/helm/chart/volcano/templates/webhooks.yaml
index 1a292115e1..6221d4b4a6 100644
--- a/installer/helm/chart/volcano/templates/webhooks.yaml
+++ b/installer/helm/chart/volcano/templates/webhooks.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.custom.admission_enable }}
-{{- if .Values.custom.pods_mutatingwebhook_enable }}
+{{- if .Values.custom.enabled_admissions | regexMatch "/pods/mutate" }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
@@ -42,7 +42,7 @@ webhooks:
 ---
-{{- if .Values.custom.queues_mutatingwebhook_enable }}
+{{- if .Values.custom.enabled_admissions | regexMatch "/queues/mutate" }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
@@ -84,7 +84,7 @@ webhooks:
 ---
-{{- if .Values.custom.podgroups_mutatingwebhook_enable }}
+{{- if .Values.custom.enabled_admissions | regexMatch "/podgroups/mutate" }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
@@ -126,7 +126,7 @@ webhooks:
 ---
-{{- if .Values.custom.jobs_mutatingwebhook_enable }}
+{{- if .Values.custom.enabled_admissions | regexMatch "/jobs/mutate" }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
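Review bot: `regexMatch "/pods/mutate"` uses the enabled list as free text for a regular expression, so it is a substring test rather than a membership test: any future path that merely contains "/pods/mutate" would also switch this configuration on, and the pattern is not escaped. The same construct is used in the -42, -84 and -126 hunks here and in the -168, -210 and -251 hunks of this file. Splitting on the separator the Go side uses and testing membership matches ForEachAdmission's `strings.Split(..., ",")` exactly: `{{- if has "/pods/mutate" (splitList "," .Values.custom.enabled_admissions) }}`. Note that neither the template nor the Go side trims whitespace around individual entries, so a value written with spaces after the commas silently disables those webhooks on both sides.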
@@ -168,7 +168,7 @@ webhooks:
 ---
-{{- if .Values.custom.jobs_validatingwebhook_enable }}
+{{- if .Values.custom.enabled_admissions | regexMatch "/jobs/validate" }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
@@ -210,7 +210,7 @@ webhooks:
 ---
-{{- if .Values.custom.pods_validatingwebhook_enable }}
+{{- if .Values.custom.enabled_admissions | regexMatch "/pods/validate" }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
@@ -251,7 +251,7 @@ webhooks:
 ---
-{{- if .Values.custom.queues_validatingwebhook_enable }}
+{{- if .Values.custom.enabled_admissions | regexMatch "/queues/validate" }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
@@ -291,4 +291,4 @@ webhooks:
 sideEffects: NoneOnDryRun
 timeoutSeconds: 10
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/installer/helm/chart/volcano/values.yaml b/installer/helm/chart/volcano/values.yaml
index 8bdb067a53..d34a2d206f 100644
--- a/installer/helm/chart/volcano/values.yaml
+++ b/installer/helm/chart/volcano/values.yaml
@@ -13,10 +13,4 @@ custom:
 admission_enable: true
 controller_enable: true
 scheduler_enable: true
- pods_mutatingwebhook_enable: true
- queues_mutatingwebhook_enable: true
- podgroups_mutatingwebhook_enable: true
- jobs_mutatingwebhook_enable: true
- jobs_validatingwebhook_enable: true
- pods_validatingwebhook_enable: true
- queues_validatingwebhook_enable: true
\ No newline at end of file
+ enabled_admissions: "/jobs/mutate,/jobs/validate,/podgroups/mutate,/pods/validate,/pods/mutate,/queues/mutate,/queues/validate"
diff --git a/installer/volcano-development.yaml b/installer/volcano-development.yaml
index aac3255496..1dda9064a0 100644
--- a/installer/volcano-development.yaml
+++ b/installer/volcano-development.yaml
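Review bot: The new `enabled_admissions` key in values.yaml replaces seven self-describing booleans with an encoded string but carries no comment on its format or its effect, and an operator who drops an entry from it switches off that validation or mutation for the whole cluster with nothing in the file saying so. Add a comment above the key such as: `# Comma-separated list of admission webhook paths to enable. An entry controls both the server-side handler (--enabled-admission) and whether the matching (Mutating|Validating)WebhookConfiguration is rendered; removing an entry disables that admission check cluster-wide.`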
@@ -134,6 +134,7 @@ spec:
 priorityClassName: system-cluster-critical
 containers:
 - args:
+ - --enabled-admission=/jobs/mutate,/jobs/validate,/podgroups/mutate,/pods/validate,/pods/mutate,/queues/mutate,/queues/validate
 - --tls-cert-file=/admission.local.config/certificates/tls.crt
 - --tls-private-key-file=/admission.local.config/certificates/tls.key
 - --ca-cert-file=/admission.local.config/certificates/ca.crt
diff --git a/pkg/webhooks/router/admission.go b/pkg/webhooks/router/admission.go
index 03426cdfe0..6b16e95b13 100644
--- a/pkg/webhooks/router/admission.go
+++ b/pkg/webhooks/router/admission.go
@@ -22,6 +22,8 @@ import (
 "strings"
 "sync"
+ "k8s.io/klog"
+
 "volcano.sh/volcano/cmd/webhook-manager/app/options"
 )
@@ -48,11 +50,15 @@ func RegisterAdmission(service *AdmissionService) error {
 return nil
 }
-func ForEachAdmission(config *options.Config, handler func(*AdmissionService)) {
+func ForEachAdmission(config *options.Config, handler func(*AdmissionService) error) error {
 admissions := strings.Split(strings.TrimSpace(config.EnabledAdmission), ",")
+ klog.V(3).Infof("Enabled admissions are: %v, registered map are: %v", admissions, admissionMap)
 for _, admission := range admissions {
 if service, found := admissionMap[admission]; found {
- handler(service)
+ if err := handler(service); err != nil {
+ return err
+ }
 }
 }
+ return nil
 }
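Review bot: An entry of `config.EnabledAdmission` with no match in `admissionMap` is still skipped silently in the -48 hunk of admission.go, so a misspelt path (or one with a stray space, since only the whole string is trimmed, not each element) leaves the operator believing a validating webhook is active while nothing was registered; the new klog line is at V(3) and does not surface this by default. Now that the callback can fail, the loop can fail closed as well: trim each entry, ignore empties, and return an error for an unknown path. `%v` of `admissionMap` also prints pointer values for a map whose values are `*AdmissionService`, so logging its keys is more useful. `fmt` would have to be present in the import block if it is not already (only part of that block is in the hunk).
```go
func ForEachAdmission(config *options.Config, handler func(*AdmissionService) error) error {
	admissions := strings.Split(strings.TrimSpace(config.EnabledAdmission), ",")
	registered := make([]string, 0, len(admissionMap))
	for path := range admissionMap {
		registered = append(registered, path)
	}
	klog.V(3).Infof("Enabled admissions are: %v, registered admissions are: %v", admissions, registered)
	for _, admission := range admissions {
		admission = strings.TrimSpace(admission)
		if admission == "" {
			continue
		}
		service, found := admissionMap[admission]
		if !found {
			// Fail closed: an enabled-but-unregistered admission would otherwise run no checks at all.
			return fmt.Errorf("admission %q is enabled but no handler is registered for it", admission)
		}
		if err := handler(service); err != nil {
			return err
		}
	}
	return nil
}
```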