address comments

Author: Mengqi Yu

pkg/webhook/admission.go

@@ -21,7 +21,6 @@ import (
 	"fmt"
 	"regexp"
 	"strings"
-	"sync"
 
 	admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -44,8 +43,6 @@ type admissionWebhook struct {
 	// namespaceSelector maps to the namespaceSelector field in admissionregistrationv1beta1.admissionWebhook
 	// This optional.
 	namespaceSelector *metav1.LabelSelector
-
-	once sync.Once
 }
 
 func (w *admissionWebhook) setDefaults() {
@@ -69,25 +66,22 @@ func (w *admissionWebhook) setDefaults() {
 
 // GetName returns the name of the webhook.
 func (w *admissionWebhook) GetName() string {
-	w.once.Do(w.setDefaults)
 	return w.name
 }
 
 // GetPath returns the path that the webhook registered.
 func (w *admissionWebhook) GetPath() string {
-	w.once.Do(w.setDefaults)
+	w.setDefaults()
 	return w.path
 }
 
 // GetType returns the type of the webhook.
 func (w *admissionWebhook) GetType() webhookType {
-	w.once.Do(w.setDefaults)
 	return w.t
 }
 
 // Validate validates if the webhook is valid.
 func (w *admissionWebhook) Validate() error {
-	w.once.Do(w.setDefaults)
 	if len(w.rules) == 0 {
 		return errors.New("field rules should not be empty")
 	}

pkg/webhook/generator.go

@@ -122,7 +122,9 @@ func (o *generatorOptions) getClientConfig() (*admissionregistration.WebhookClie
 		return nil, errors.New("URL and service can't be set at the same time")
 	}
 	cc := &admissionregistration.WebhookClientConfig{
-		CABundle: []byte{},
+		// Put an non-empty and not harmful CABundle here.
+		// Not doing this will cause the field
+		CABundle: []byte(`\n`),
 	}
 	if o.host != nil {
 		u := url.URL{
@@ -224,7 +226,10 @@ func (o *generatorOptions) mutatingWHConfigs() (runtime.Object, error) {
 			ObjectMeta: metav1.ObjectMeta{
 				Name: o.mutatingWebhookConfigName,
 				Annotations: map[string]string{
-					"admissionwebhook.alpha.kubebuilder.io/ca-secret-name": "webhook-cert",
+					// The format is "namespace/secret-name"
+					// This annotation will be understood by cert-manager.
+					// TODO(mengqiy): point to the section in kubebuilder book when everything is ready.
+					"alpha.admissionwebhook.kubebuilder.io/ca-secret-name": o.secret.String(),
 				},
 			},
 			Webhooks: mutatingWebhooks,
@@ -262,7 +267,10 @@ func (o *generatorOptions) validatingWHConfigs() (runtime.Object, error) {
 			ObjectMeta: metav1.ObjectMeta{
 				Name: o.validatingWebhookConfigName,
 				Annotations: map[string]string{
-					"admission.alpha.kubebuilder.io/ca-secret-name": "webhook-cert",
+					// The format is "namespace/secret-name"
+					// This annotation will be understood by cert-manager.
+					// TODO(mengqiy): point to the section in kubebuilder book when everything is ready.
+					"alpha.admissionwebhook.kubebuilder.io/ca-secret-name": o.secret.String(),
 				},
 			},
 			Webhooks: validatingWebhooks,
@@ -288,11 +296,6 @@ func (o *generatorOptions) admissionWebhook(path string, wh *admissionWebhook) (
 		Rules:             wh.rules,
 		FailurePolicy:     wh.failurePolicy,
 		NamespaceSelector: wh.namespaceSelector,
-		ClientConfig: admissionregistration.WebhookClientConfig{
-			// The reason why we assign an empty byte array to CABundle is that
-			// CABundle field will be updated by the Provisioner.
-			CABundle: []byte{},
-		},
 	}
 	cc, err := o.getClientConfigWithPath(path)
 	if err != nil {
@@ -316,7 +319,10 @@ func (o *generatorOptions) getService() runtime.Object {
 			Name:      o.service.name,
 			Namespace: o.service.namespace,
 			Annotations: map[string]string{
-				"service.alpha.kubebuilder.io/serving-cert-secret-name": "webhook-cert",
+				// Secret here only need name, since it will be in the same namespace as the service.
+				// This annotation will be understood by cert-manager.
+				// TODO(mengqiy): point to the section in kubebuilder book when everything is ready.
+				"alpha.service.kubebuilder.io/serving-cert-secret-name": o.secret.Name,
 			},
 		},
 		Spec: corev1.ServiceSpec{

pkg/webhook/generator_test.go

@@ -28,11 +28,12 @@ var expected = map[string]string{
 kind: MutatingWebhookConfiguration
 metadata:
   annotations:
-    admissionwebhook.alpha.kubebuilder.io/ca-secret-name: webhook-cert
+    alpha.admissionwebhook.kubebuilder.io/ca-secret-name: test-system/webhook-secret
   creationTimestamp: null
   name: test-mutating-webhook-cfg
 webhooks:
 - clientConfig:
+    caBundle: XG4=
     service:
       name: webhook-service
       namespace: test-system
@@ -56,11 +57,12 @@ apiVersion: admissionregistration.k8s.io/v1beta1
 kind: ValidatingWebhookConfiguration
 metadata:
   annotations:
-    admission.alpha.kubebuilder.io/ca-secret-name: webhook-cert
+    alpha.admissionwebhook.kubebuilder.io/ca-secret-name: test-system/webhook-secret
   creationTimestamp: null
   name: test-validating-webhook-cfg
 webhooks:
 - clientConfig:
+    caBundle: XG4=
     service:
       name: webhook-service
       namespace: test-system
@@ -85,7 +87,7 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    service.alpha.kubebuilder.io/serving-cert-secret-name: webhook-cert
+    alpha.service.kubebuilder.io/serving-cert-secret-name: webhook-secret
   creationTimestamp: null
   name: webhook-service
   namespace: test-system
@@ -107,8 +109,9 @@ spec:
     metadata:
       labels:
         app: webhook-server
+    spec:
       containers:
-      - name: webhook-server-container
+      - name: manager
         ports:
         - containerPort: 7890
           name: webhook-server

pkg/webhook/manifests.go

@@ -74,8 +74,9 @@ spec:
       labels:
 {{ toYaml . | indent 8 }}
 {{- end }}
+    spec:
       containers:
-      - name: webhook-server-container
+      - name: manager
         ports:
         - containerPort: {{ .Port }}
           name: webhook-server