Allows to modify configured injectable kinds for cainjector via flags

Also renames the --watch-certificates flag to --enable-certificates-data-source

Signed-off-by: irbekrm <irbekrm@gmail.com>
irbekrm 2023-01-31 16:23:22 +00:00
parent 0c64cebfc5
commit 56cf4dfd3c
2 changed files with 60 additions and 9 deletions


@ -64,9 +64,29 @@ type InjectorControllerOptions struct {
// The profiler should never be exposed on a public address.
PprofAddr string
// WatchCerts detemines whether cainjector's control loops will watch
// EnableCertificateDataSource detemines whether cainjector's control loops will watch
// cert-manager Certificate resources as potential sources of CA data.
WatchCerts bool
EnableCertificateDataSource bool
// EnableValidatingWebhookConfigurationsInjectable determines whether cainjector
// will spin up a control loop to inject CA data to annotated
// ValidatingWebhookConfigurations
EnableValidatingWebhookConfigurationsInjectable bool
// EnableMutatingWebhookConfigurationsInjectable determines whether cainjector
// will spin up a control loop to inject CA data to annotated
// MutatingWebhookConfigurations
EnableMutatingWebhookConfigurationsInjectable bool
// EnableMutatingWebhookConfigurationsInjectable determines whether cainjector
// will spin up a control loop to inject CA data to annotated
// CustomResourceDefinitions
EnableCustomResourceDefinitionsInjectable bool
// EnableMutatingWebhookConfigurationsInjectable determines whether cainjector
// will spin up a control loop to inject CA data to annotated
// APIServices
EnableAPIServicesInjectable bool
// logger to be used by this controller
log logr.Logger
@ -98,7 +118,11 @@ func (o *InjectorControllerOptions) AddFlags(fs *pflag.FlagSet) {
"of a leadership. This is only applicable if leader election is enabled.")
fs.BoolVar(&o.EnablePprof, "enable-profiling", cmdutil.DefaultEnableProfiling, "Enable profiling for cainjector")
fs.BoolVar(&o.WatchCerts, "watch-certificates", true, "Watch cert-manager.io Certificate resources as potential sources for CA data. Requires cert-manager.io Certificate CRD to be installed. It is not required to watch Certificates if you only use cainjector as cert-manager's internal components and in that case setting this flag to false might slightly reduce memory consumption.")
fs.BoolVar(&o.EnableCertificateDataSource, "enable-certificates-data-source", true, "Enable configuring cert-manager.io Certificate resources as potential sources for CA data. Requires cert-manager.io Certificate CRD to be installed. It is not required to watch Certificates if you only use cainjector as cert-manager's internal components and in that case setting this flag to false might slightly reduce memory consumption")
fs.BoolVar(&o.EnableValidatingWebhookConfigurationsInjectable, "enable-validatingwebhookconfigurations-injectable", true, "Inject CA data to annotated ValidatingWebhookConfigurations. This functionality is required for cainjector to correctly function as cert-manager's internal component")
fs.BoolVar(&o.EnableMutatingWebhookConfigurationsInjectable, "enable-mutatingwebhookconfigurations-injectable", true, "Inject CA data to annotated MutatingWebhookConfigurations. This functionality is required for cainjector to work correctly as cert-manager's internal component")
fs.BoolVar(&o.EnableCustomResourceDefinitionsInjectable, "enable-customresourcedefinitions-injectable", true, "Inject CA data to annotated CustomResourceDefinitions. This functionality is not required if cainjecor is only used as cert-manager's internal component and setting it to false might slightly reduce memory consumption")
fs.BoolVar(&o.EnableAPIServicesInjectable, "enable-apiservices-injectable", true, "Inject CA data to annotated APIServices. This functionality is not required if cainjector is only used as cert-manager's internal component and setting it to false might reduce memory consumption")
fs.StringVar(&o.PprofAddr, "profiler-address", cmdutil.DefaultProfilerAddr, "Address of the Go profiler (pprof) if enabled. This should never be exposed on a public interface.")
utilfeature.DefaultMutableFeatureGate.AddFlag(fs)
@ -200,7 +224,7 @@ func (o InjectorControllerOptions) RunInjectorController(ctx context.Context) er
// If cainjector has been configured to watch Certificate CRDs
// (--watch-certificates=true), poll kubeapiserver for 5 minutes or till
// certificate CRD is found.
if o.WatchCerts {
if o.EnableCertificateDataSource {
directClient, err := client.New(mgr.GetConfig(), client.Options{
Scheme: mgr.GetScheme(),
Mapper: mgr.GetRESTMapper(),
@ -228,8 +252,17 @@ func (o InjectorControllerOptions) RunInjectorController(ctx context.Context) er
}
}
// TODO: make the controllers to be started optional
err = cainjector.RegisterAllInjectors(gctx, mgr, o.Namespace, o.WatchCerts)
opts := cainjector.SetupOptions{
Namespace: o.Namespace,
EnableCertificatesDataSource: o.EnableCertificateDataSource,
EnabledReconcilersFor: map[string]bool{
cainjector.MutatingWebhookConfigurationName: o.EnableMutatingWebhookConfigurationsInjectable,
cainjector.ValidatingWebhookConfigurationName: o.EnableValidatingWebhookConfigurationsInjectable,
cainjector.APIServiceName: o.EnableAPIServicesInjectable,
cainjector.CustomResourceDefinitionName: o.EnableCustomResourceDefinitionsInjectable,
},
}
err = cainjector.RegisterAllInjectors(gctx, mgr, opts)
if err != nil {
o.log.Error(err, "failed to register controllers", err)
return err
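Review bot: The rename in `AddFlags` drops `--watch-certificates` outright, so any existing cainjector invocation (a Helm values override, a static manifest) that still passes it will fail at flag parsing and the injector will not start, which for a deployment that relies on it means webhook and APIService CA bundles stop being refreshed until someone notices. Since `fs` is a `*pflag.FlagSet`, the old name can be kept for a release bound to the same field and marked deprecated: `fs.BoolVar(&o.EnableCertificateDataSource, "watch-certificates", true, "Deprecated: use --enable-certificates-data-source")` followed by `fs.MarkDeprecated("watch-certificates", "use --enable-certificates-data-source instead")`. Separately, the doc comments on `EnableCustomResourceDefinitionsInjectable` and `EnableAPIServicesInjectable` were copy-pasted and still name `EnableMutatingWebhookConfigurationsInjectable`, `detemines` is misspelled, the comment above `if o.EnableCertificateDataSource` still cites `--watch-certificates=true`, and `TODO: make the controllers to be started optional` is resolved by this very change and should be deleted. Note also that the flag is spelled `--enable-certificates-data-source` (plural) while the commit message says `--enable-certificate-data-source` and the field is `EnableCertificateDataSource`; one spelling should win before this ships. `RunInjectorController` begins and ends outside the hunks shown.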


@ -40,6 +40,13 @@ import (
// this file contains the logic to set up the different reconcile loops run by cainjector
// each reconciler corresponds to a type of injectable
const (
MutatingWebhookConfigurationName = "mutatingwebhookconfiguration"
ValidatingWebhookConfigurationName = "validatingwebhookconfiguration"
APIServiceName = "apiservice"
CustomResourceDefinitionName = "customresourcedefinition"
)
// setup is setup for a reconciler for a particular injectable type
type setup struct {
resourceName string
@ -49,6 +56,12 @@ type setup struct {
objType client.Object
}
type SetupOptions struct {
Namespace string
EnableCertificatesDataSource bool
EnabledReconcilersFor map[string]bool
}
var (
MutatingWebhookSetup = setup{
resourceName: "mutatingwebhookconfiguration",
@ -83,7 +96,7 @@ var (
// registerAllInjectors registers all injectors and based on the
// graduation state of the injector decides how to log no kind/resource match errors
func RegisterAllInjectors(ctx context.Context, mgr ctrl.Manager, namespace string, watchCerts bool) error {
func RegisterAllInjectors(ctx context.Context, mgr ctrl.Manager, opts SetupOptions) error {
// TODO: refactor
sds := &secretDataSource{
client: mgr.GetClient(),
@ -99,13 +112,18 @@ func RegisterAllInjectors(ctx context.Context, mgr ctrl.Manager, namespace strin
kds := &kubeconfigDataSource{
apiserverCABundle: caBundle,
}
injectorSetups := []setup{MutatingWebhookSetup, ValidatingWebhookSetup, APIServiceSetup, CRDSetup}
// Registers a c/r controller for each of APIService, CustomResourceDefinition, Mutating/ValidatingWebhookConfiguration
// TODO: add a flag to allow users to configure which of these controllers should be registered
for _, setup := range injectorSetups {
log := ctrl.Log.WithValues("kind", setup.resourceName)
if !opts.EnabledReconcilersFor[setup.resourceName] {
log.Info("Not registering a reconcile for injectable kind as it's disabled")
continue
}
log.Info("Registering a reconciler for injectable")
r := &reconciler{
namespace: namespace,
namespace: opts.Namespace,
resourceName: setup.resourceName,
newInjectableTarget: setup.newInjectableTarget,
log: log,
@ -156,7 +174,7 @@ func RegisterAllInjectors(ctx context.Context, mgr ctrl.Manager, namespace strin
log: log,
secretToInjectable: buildSecretToInjectableFunc(setup.listType, setup.resourceName),
}).Map))
if watchCerts {
if opts.EnableCertificatesDataSource {
// Index injectable with a new field. If the injectable's CA is
// to be sourced from a Certificate's Secret, the field's value will be the
// namespaced name of the Certificate.
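Review bot: `MutatingWebhookSetup` still hard-codes `resourceName: "mutatingwebhookconfiguration"` while the new gate `opts.EnabledReconcilersFor[setup.resourceName]` is keyed by the freshly added `MutatingWebhookConfigurationName` constant, so any drift between the literal and the constant — or a caller that omits a key or passes a nil map — makes the lookup return false and the reconciler is silently skipped with only an info-level log. Each `setup` literal should reference the constant (`resourceName: MutatingWebhookConfigurationName,` and likewise for the other three), and the loop should either distinguish "explicitly disabled" from "not configured", e.g. `if enabled, ok := opts.EnabledReconcilersFor[setup.resourceName]; ok && !enabled { continue }`, or reject a `SetupOptions` that enables no injectable at all, because a cainjector with zero reconcilers registered leaves webhook CA bundles unrefreshed without failing loudly. `SetupOptions` and its fields are exported without doc comments; `EnabledReconcilersFor` in particular should state that its keys are the `*Name` constants above and what an absent key means. The `TODO: add a flag to allow users to configure which of these controllers should be registered` is implemented by this change and should go, and the skip message reads `reconcile` where `reconciler` is meant. `RegisterAllInjectors` begins before and continues after the hunks shown.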