
make replace optional
Signed-off-by: Jorge Turrado <[email protected]>
JorTurFer committed Feb 7, 2024
1 parent ab23e8f commit 944182b
Showing 2 changed files with 15 additions and 7 deletions.
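--- a/pkg/rotator/rotator.go
+++ b/pkg/rotator/rotator.go
@@ -173,6 +173,7 @@ func AddRotator(mgr manager.Manager, cr *CertRotator) error {
 needLeaderElection: cr.RequireLeaderElection,
 refreshCertIfNeededDelegate: cr.refreshCertIfNeeded,
 fieldOwner: cr.FieldOwner,
+removeInsecureSkipTLSVerify: cr.RemoveInsecureSkipTLSVerify,
 }
 if err := addController(mgr, reconciler); err != nil {
 return err
@@ -247,6 +248,9 @@ type CertRotator struct {
 // CertName and Keyname override certificate path
 CertName string
 KeyName string
+// RemoveInsecureSkipTLSVerify sets if InsecureSkipTLSVerify has to
+// be removed from apiservices during the patch process
+RemoveInsecureSkipTLSVerify bool
 
 certsMounted chan struct{}
 certsNotMounted chan struct{}
@@ -387,7 +391,7 @@ func (cr *CertRotator) refreshCerts(refreshCA bool, secret *corev1.Secret) error
 return nil
 }
 
-func injectCert(updatedResource *unstructured.Unstructured, certPem []byte, webhookType WebhookType) error {
+func injectCert(updatedResource *unstructured.Unstructured, certPem []byte, webhookType WebhookType, removeInsecureSkipTLSVerify bool) error {
 switch webhookType {
 case Validating:
 return injectCertToWebhook(updatedResource, certPem)
@@ -396,7 +400,7 @@ func injectCert(updatedResource *unstructured.Unstructured, certPem []byte, webh
 case CRDConversion:
 return injectCertToConversionWebhook(updatedResource, certPem)
 case APIService:
-return injectCertToApiService(updatedResource, certPem)
+return injectCertToApiService(updatedResource, certPem, removeInsecureSkipTLSVerify)
 case ExternalDataProvider:
 return injectCertToExternalDataProvider(updatedResource, certPem)
 }
@@ -442,16 +446,18 @@ func injectCertToConversionWebhook(crd *unstructured.Unstructured, certPem []byt
 return nil
 }
 
-func injectCertToApiService(apiService *unstructured.Unstructured, certPem []byte) error {
+func injectCertToApiService(apiService *unstructured.Unstructured, certPem []byte, removeInsecureSkipTLSVerify bool) error {
 _, found, err := unstructured.NestedMap(apiService.Object, "spec")
 if err != nil {
 return err
 }
 if !found {
 return errors.New("`spec` field not found in APIService")
 }
-if err := unstructured.SetNestedField(apiService.Object, false, "spec", "insecureSkipTLSVerify"); err != nil {
-return err
+if removeInsecureSkipTLSVerify {
+if err := unstructured.SetNestedField(apiService.Object, false, "spec", "insecureSkipTLSVerify"); err != nil {
+return err
+}
 }
 if err := unstructured.SetNestedField(apiService.Object, base64.StdEncoding.EncodeToString(certPem), "spec", "caBundle"); err != nil {
 return err
@@ -736,6 +742,7 @@ type ReconcileWH struct {
 ctx context.Context
 secretKey types.NamespacedName
 webhooks []WebhookInfo
+removeInsecureSkipTLSVerify bool
 wasCAInjected *atomic.Bool
 needLeaderElection bool
 refreshCertIfNeededDelegate func() (bool, error)
@@ -829,7 +836,7 @@ func (r *ReconcileWH) ensureCerts(certPem []byte) error {
 }
 
 log.Info("Ensuring CA cert", "name", webhook.Name, "gvk", gvk)
-if err := injectCert(updatedResource, certPem, webhook.Type); err != nil {
+if err := injectCert(updatedResource, certPem, webhook.Type, r.removeInsecureSkipTLSVerify); err != nil {
 log.Error(err, "Unable to inject cert to webhook.")
 anyError = err
 continue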
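Review bot: The default behaviour flips in the `injectCertToApiService` hunk: `RemoveInsecureSkipTLSVerify` is a plain bool whose zero value is false, so every existing `CertRotator` user that does not set it stops clearing `spec.insecureSkipTLSVerify` after this commit, and the field comment in the `CertRotator` hunk does not say so. I would extend that comment with `// Defaults to false, which leaves any existing spec.insecureSkipTLSVerify value untouched; earlier versions always cleared it.` so callers can decide whether to opt in. With the flag false it may also be worth a log line in `injectCertToApiService` when the APIService still has `insecureSkipTLSVerify` set, since a caBundle is then injected that the API server is allowed to ignore, which operators would want to notice. The bodies of `AddRotator`, `injectCert`, `injectCertToApiService` and `ensureCerts` all continue outside their hunks.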
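--- a/pkg/rotator/rotator_test.go
+++ b/pkg/rotator/rotator_test.go
@@ -401,7 +401,8 @@ func TestReconcileWebhook(t *testing.T) {
 Type: tt.webhookType,
 },
 },
-FieldOwner: fieldOwner,
+FieldOwner: fieldOwner,
+RemoveInsecureSkipTLSVerify: true,
 }
 wh, ok := tt.webhookConfig.DeepCopyObject().(client.Object)
 if !ok {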
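Review bot: The test only exercises the opt-in path by setting `RemoveInsecureSkipTLSVerify: true`, so the new default (the zero value false), which now leaves an existing `spec.insecureSkipTLSVerify` on an APIService untouched, has no coverage. A second table entry for the APIService webhook type that leaves the flag unset and asserts a pre-existing `spec.insecureSkipTLSVerify: true` survives the patch would pin that behaviour and catch a regression in either direction. `TestReconcileWebhook` continues outside the hunk.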
