Update CA insert method in webhooks.

cmd/webhook-manager/app/server.go

@@ -67,7 +67,7 @@ func Run(config *options.Config) error {
 	broadcaster := record.NewBroadcaster()
 	broadcaster.StartRecordingToSink(&corev1.EventSinkImpl{Interface: kubeClient.CoreV1().Events("")})
 	recorder := broadcaster.NewRecorder(scheme.Scheme, v1.EventSource{Component: commonutil.GenerateComponentName(config.SchedulerNames)})
-	router.ForEachAdmission(config, func(service *router.AdmissionService) {
+	if err := router.ForEachAdmission(config, func(service *router.AdmissionService) error {
 		if service.Config != nil {
 			service.Config.VolcanoClient = vClient
 			service.Config.KubeClient = kubeClient
@@ -78,11 +78,16 @@ func Run(config *options.Config) error {
 
 		klog.V(3).Infof("Registered '%s' as webhook.", service.Path)
 		http.HandleFunc(service.Path, service.Handler)
-	})
 
-	if err = addCaCertForWebhook(kubeClient, config.CaCertData); err != nil {
-		return fmt.Errorf("failed to add caCert for webhook %v", err)
+		klog.V(3).Infof("Add CaCert for webhook <%s>", service.Path)
+		if err = addCaCertForWebhook(kubeClient, service, config.CaCertData); err != nil {
+			return fmt.Errorf("failed to add caCert for webhook %v", err)
+		}
+		return nil
+	}); err != nil {
+		return err
 	}
+
 	klog.V(3).Infof("Successfully added caCert for all webhooks")
 
 	webhookServeError := make(chan struct{})

cmd/webhook-manager/app/util.go

@@ -22,6 +22,7 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
+	"strings"
 	"time"
 
 	v1 "k8s.io/api/admissionregistration/v1"
@@ -34,24 +35,15 @@ import (
 
 	"volcano.sh/apis/pkg/client/clientset/versioned"
 	"volcano.sh/volcano/cmd/webhook-manager/app/options"
+	"volcano.sh/volcano/pkg/webhooks/router"
 )
 
-var (
-	validatingWebhooksName = []string{
-		"volcano-admission-service-jobs-validate",
-		"volcano-admission-service-pods-validate",
-		"volcano-admission-service-queues-validate",
-	}
-	mutatingWebhooksName = []string{
-		"volcano-admission-service-pods-mutate",
-		"volcano-admission-service-queues-mutate",
-		"volcano-admission-service-podgroups-mutate",
-		"volcano-admission-service-jobs-mutate",
-	}
-)
+const volcanoAdmissionPrefix = "volcano-admission-service"
 
-func addCaCertForWebhook(kubeClient *kubernetes.Clientset, caBundle []byte) error {
-	for _, mutatingWebhookName := range mutatingWebhooksName {
+func addCaCertForWebhook(kubeClient *kubernetes.Clientset, service *router.AdmissionService, caBundle []byte) error {
+	if service.MutatingConfig != nil {
+		// update MutatingWebhookConfigurations
+		var mutatingWebhookName = volcanoAdmissionPrefix + strings.ReplaceAll(service.Path, "/", "-")
 		var mutatingWebhook *v1.MutatingWebhookConfiguration
 		webhookChanged := false
 		if err := wait.Poll(time.Second, 5*time.Minute, func() (done bool, err error) {
@@ -82,7 +74,9 @@ func addCaCertForWebhook(kubeClient *kubernetes.Clientset, caBundle []byte) erro
 		}
 	}
 
-	for _, validatingWebhookName := range validatingWebhooksName {
+	if service.ValidatingConfig != nil {
+		// update ValidatingWebhookConfigurations
+		var validatingWebhookName = volcanoAdmissionPrefix + strings.ReplaceAll(service.Path, "/", "-")
 		var validatingWebhook *v1.ValidatingWebhookConfiguration
 		webhookChanged := false
 		if err := wait.Poll(time.Second, 5*time.Minute, func() (done bool, err error) {

installer/helm/chart/volcano/templates/admission.yaml

@@ -84,6 +84,7 @@ spec:
       {{- end }}
       containers:
         - args:
+            - --enabled-admission={{ .Values.custom.enabled_admissions }}
             - --tls-cert-file=/admission.local.config/certificates/tls.crt
             - --tls-private-key-file=/admission.local.config/certificates/tls.key
             - --ca-cert-file=/admission.local.config/certificates/ca.crt
@@ -154,4 +155,4 @@ spec:
           imagePullPolicy: IfNotPresent
           command: ["./gen-admission-secret.sh", "--service", "{{ .Release.Name }}-admission-service", "--namespace",
                     "{{ .Release.Namespace }}", "--secret", "{{.Values.basic.admission_secret_name}}"]
-{{- end }}
+{{- end }}

installer/helm/chart/volcano/templates/webhooks.yaml

@@ -1,6 +1,6 @@
 {{- if .Values.custom.admission_enable }}
 
-{{- if .Values.custom.pods_mutatingwebhook_enable }}
+{{- if .Values.custom.enabled_admissions | regexMatch "/pods/mutate" }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
@@ -42,7 +42,7 @@ webhooks:
 
 ---
 
-{{- if .Values.custom.queues_mutatingwebhook_enable }}
+{{- if .Values.custom.enabled_admissions | regexMatch "/queues/mutate" }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
@@ -84,7 +84,7 @@ webhooks:
 
 ---
 
-{{- if .Values.custom.podgroups_mutatingwebhook_enable }}
+{{- if .Values.custom.enabled_admissions | regexMatch "/podgroups/mutate" }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
@@ -126,7 +126,7 @@ webhooks:
 
 ---
 
-{{- if .Values.custom.jobs_mutatingwebhook_enable }}
+{{- if .Values.custom.enabled_admissions | regexMatch "/jobs/mutate" }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
@@ -168,7 +168,7 @@ webhooks:
 
 ---
 
-{{- if .Values.custom.jobs_validatingwebhook_enable }}
+{{- if .Values.custom.enabled_admissions | regexMatch "/jobs/validate" }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
@@ -210,7 +210,7 @@ webhooks:
 
 ---
 
-{{- if .Values.custom.pods_validatingwebhook_enable }}
+{{- if .Values.custom.enabled_admissions | regexMatch "/pods/validate" }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
@@ -251,7 +251,7 @@ webhooks:
 
 ---
 
-{{- if .Values.custom.queues_validatingwebhook_enable }}
+{{- if .Values.custom.enabled_admissions | regexMatch "/queues/validate" }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
@@ -291,4 +291,4 @@ webhooks:
     sideEffects: NoneOnDryRun
     timeoutSeconds: 10
 {{- end }}
-{{- end }}
+{{- end }}

installer/helm/chart/volcano/values.yaml

@@ -13,10 +13,4 @@ custom:
   admission_enable: true
   controller_enable: true
   scheduler_enable: true
-  pods_mutatingwebhook_enable: true
-  queues_mutatingwebhook_enable: true
-  podgroups_mutatingwebhook_enable: true
-  jobs_mutatingwebhook_enable: true
-  jobs_validatingwebhook_enable: true
-  pods_validatingwebhook_enable: true
-  queues_validatingwebhook_enable: true
+  enabled_admissions: "/jobs/mutate,/jobs/validate,/podgroups/mutate,/pods/validate,/pods/mutate,/queues/mutate,/queues/validate"

installer/volcano-development.yaml

@@ -134,6 +134,7 @@ spec:
       priorityClassName: system-cluster-critical
       containers:
         - args:
+            - --enabled-admission=/jobs/mutate,/jobs/validate,/podgroups/mutate,/pods/validate,/pods/mutate,/queues/mutate,/queues/validate
             - --tls-cert-file=/admission.local.config/certificates/tls.crt
             - --tls-private-key-file=/admission.local.config/certificates/tls.key
             - --ca-cert-file=/admission.local.config/certificates/ca.crt

pkg/webhooks/router/admission.go

@@ -22,6 +22,8 @@ import (
 	"strings"
 	"sync"
 
+	"k8s.io/klog"
+
 	"volcano.sh/volcano/cmd/webhook-manager/app/options"
 )
 
@@ -48,11 +50,15 @@ func RegisterAdmission(service *AdmissionService) error {
 	return nil
 }
 
-func ForEachAdmission(config *options.Config, handler func(*AdmissionService)) {
+func ForEachAdmission(config *options.Config, handler func(*AdmissionService) error) error {
 	admissions := strings.Split(strings.TrimSpace(config.EnabledAdmission), ",")
+	klog.V(3).Infof("Enabled admissions are: %v, registered map are: %v", admissions, admissionMap)
 	for _, admission := range admissions {
 		if service, found := admissionMap[admission]; found {
-			handler(service)
+			if err := handler(service); err != nil {
+				return err
+			}
 		}
 	}
+	return nil
 }