✨ Move webhook generator #136
Conversation
k8s-ci-robot
added
do-not-merge/work-in-progress
k8s-ci-robot
added
the
size/XXL
mengqiy
force-pushed
the
webhookgenerator
branch
from
216d2a9 to
f3c7b09
Compare
mengqiy
force-pushed
the
webhookgenerator
branch
4 times, most recently
from
7403182 to
a019e3a
Compare
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
mengqiy
force-pushed
the
webhookgenerator
branch
3 times, most recently
from
d1faaf1 to
2970c77
Compare
|
PTAL |
pkg/webhook/admission.go
Outdated
| // name is the name of the webhook | ||
| name string | ||
| // t is the webhook type, i.e. mutating, validating | ||
| t webhookType |
There was a problem hiding this comment.
Not sure if typ is better than using t or not.
It's a partial word which reads strange.
Why you think typ is better?
There was a problem hiding this comment.
Oh.. just wanted it be more descriptive from readability perspective. Suggested typ because type is probably reserved word.
pkg/webhook/admission.go
Outdated
| // This optional. | ||
| namespaceSelector *metav1.LabelSelector | ||
|
|
||
| once sync.Once |
pkg/webhook/generator.go
Outdated
| ObjectMeta: metav1.ObjectMeta{ | ||
| Name: o.mutatingWebhookConfigName, | ||
| Annotations: map[string]string{ | ||
| "admissionwebhook.alpha.kubebuilder.io/ca-secret-name": "webhook-cert", |
There was a problem hiding this comment.
Two comments:
- We should add a comment explaining (or linking to an issue/doc) why this annotation so readers understand it.
- annotation name "alpha" needs to come before admissionwebhooks ?
alpha.admissionwebhooks.kubebuilder.io/ca-secret-name - "webhook-cert" is hardcoded ?
There was a problem hiding this comment.
I now uses alpha.admissionwebhook.kubebuilder.io/ca-secret-name.
"webhook-cert" is hardcoded ?
fixed.
| - name: cert | ||
| secret: | ||
| defaultMode: 420 | ||
| secretName: webhook-secret |
There was a problem hiding this comment.
Two concerns:
- Looks like input for CA injections (secret-name, service name etc.) is split across the objects. It might make the cert controller implementation difficult. I am wondering if we can combine all these and apply it only on field. Annotation value could be then in JSON ?
- webhook-secret is hardcoded. We should think of a way to override it (by default ?)
There was a problem hiding this comment.
Looks like input for CA injections (secret-name, service name etc.) is split across the objects. It might make the cert controller implementation difficult.
For generating cert, everything it needs is in the service object.
For syncing CA, everything it needs is in the WebhookConfiguration object.
It should not make the controller hard to implement. Instead, it should be quite easy to implement it :)
webhook-secret is hardcoded.
This one is not.
There was a problem hiding this comment.
Got it. You are right, those are decoupled annotations, so it should be simpler :)
pkg/webhook/writer.go
Outdated
| return nil | ||
| } | ||
|
|
||
| func (o *WriterOptions) writeObjectsToDisk(objects ...runtime.Object) error { |
There was a problem hiding this comment.
This can probably go in a util pkg.
I wonder if we should have "k8s/ioutil" pkg which implements k8s object reader/writer :)
mengqiy
added
the
do-not-merge/hold
mengqiy
force-pushed
the
webhookgenerator
branch
2 times, most recently
from
b57747a to
6a27543
Compare
| - name: cert | ||
| secret: | ||
| defaultMode: 420 | ||
| secretName: webhook-secret |
There was a problem hiding this comment.
Got it. You are right, those are decoupled annotations, so it should be simpler :)
pkg/webhook/generator_test.go
Outdated
| kind: MutatingWebhookConfiguration | ||
| metadata: | ||
| annotations: | ||
| alpha.admissionwebhook.kubebuilder.io/ca-secret-name: test-system/webhook-secret |
There was a problem hiding this comment.
I am wondering how will these value in these annotations will play with kustomization ?
Kustomize by default doesn't know how to update the secret name in the annotation. |
|
Cherry-picker @DirectXMan12's commit which cleanup the vendor dir. |
Sounds good. |
mengqiy
force-pushed
the
webhookgenerator
branch
3 times, most recently
from
2a73501 to
54f2f6a
Compare
|
@droot @DirectXMan12 We need to decide what format the annotations should look like. I'm currently using Besides the annotation format, other code is ready for another round of review. |
mengqiy
force-pushed
the
webhookgenerator
branch
from
54f2f6a to
d1e8d55
Compare
mengqiy
force-pushed
the
webhookgenerator
branch
3 times, most recently
from
23c8932 to
5d22b6c
Compare
|
PTAL |
This removes the dependency on CR by marking the testData directory as ignored (it's moved so that we can make `go vet` ignore it). It also cleans up vendor by removing unecessary requires and adding prune-unused (we only need to keep around the dependencies in KB and possibly CR).
mengqiy
force-pushed
the
webhookgenerator
branch
from
5d22b6c to
cb5b319
Compare
|
Rebased. |
mengqiy
removed
the
do-not-merge/hold
droot
added
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED Approval requirements bypassed by manually added approval. This pull-request has been approved by: mengqiy The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
This PR
controller-gen alldepperspective.Updating the annotation will be done in a separate PR, since it requires more than just updating the annotation.
Annotation format is at https://github.com/jetstack/cert-manager/blob/ccd2dd853321c3ac568736b0d66ab9d3ad494d7b/pkg/controller/cainjector/controller.go#L40