diff --git a/cmd/cainjector/app/start.go b/cmd/cainjector/app/start.go
index df2bafee0..fe6fe32b9 100644
--- a/cmd/cainjector/app/start.go
+++ b/cmd/cainjector/app/start.go
@@ -64,9 +64,29 @@ type InjectorControllerOptions struct {
 // The profiler should never be exposed on a public address.
 PprofAddr string
- // WatchCerts detemines whether cainjector's control loops will watch
+ // EnableCertificateDataSource detemines whether cainjector's control loops will watch
 // cert-manager Certificate resources as potential sources of CA data.
- WatchCerts bool
+ EnableCertificateDataSource bool
+
+ // EnableValidatingWebhookConfigurationsInjectable determines whether cainjector
+ // will spin up a control loop to inject CA data to annotated
+ // ValidatingWebhookConfigurations
+ EnableValidatingWebhookConfigurationsInjectable bool
+
+ // EnableMutatingWebhookConfigurationsInjectable determines whether cainjector
+ // will spin up a control loop to inject CA data to annotated
+ // MutatingWebhookConfigurations
+ EnableMutatingWebhookConfigurationsInjectable bool
+
+ // EnableMutatingWebhookConfigurationsInjectable determines whether cainjector
+ // will spin up a control loop to inject CA data to annotated
+ // CustomResourceDefinitions
+ EnableCustomResourceDefinitionsInjectable bool
+
+ // EnableMutatingWebhookConfigurationsInjectable determines whether cainjector
+ // will spin up a control loop to inject CA data to annotated
+ // APIServices
+ EnableAPIServicesInjectable bool
 // logger to be used by this controller
 log logr.Logger
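Review bot: The doc comments on `EnableCustomResourceDefinitionsInjectable` and `EnableAPIServicesInjectable` were copied from the Mutating field and still open with `EnableMutatingWebhookConfigurationsInjectable determines`, so godoc attaches the wrong description to those two fields, and the first changed comment carries over the pre-existing `detemines` typo. Suggest `// EnableCustomResourceDefinitionsInjectable determines whether cainjector` and `// EnableAPIServicesInjectable determines whether cainjector` respectively, and `determines` in the first one. Each of these booleans gates a controller that writes CA bundles into cluster-scoped admission and aggregation objects, so it would help operators to state in the comment that turning one off stops that controller but — as far as this diff shows, which touches only option fields — does not by itself narrow the RBAC cainjector is deployed with. The struct continues outside the hunk.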
@@ -98,7 +118,11 @@ func (o *InjectorControllerOptions) AddFlags(fs *pflag.FlagSet) {
 "of a leadership. This is only applicable if leader election is enabled.")
 fs.BoolVar(&o.EnablePprof, "enable-profiling", cmdutil.DefaultEnableProfiling, "Enable profiling for cainjector")
- fs.BoolVar(&o.WatchCerts, "watch-certificates", true, "Watch cert-manager.io Certificate resources as potential sources for CA data. Requires cert-manager.io Certificate CRD to be installed. It is not required to watch Certificates if you only use cainjector as cert-manager's internal components and in that case setting this flag to false might slightly reduce memory consumption.")
+ fs.BoolVar(&o.EnableCertificateDataSource, "enable-certificates-data-source", true, "Enable configuring cert-manager.io Certificate resources as potential sources for CA data. Requires cert-manager.io Certificate CRD to be installed. It is not required to watch Certificates if you only use cainjector as cert-manager's internal components and in that case setting this flag to false might slightly reduce memory consumption")
+ fs.BoolVar(&o.EnableValidatingWebhookConfigurationsInjectable, "enable-validatingwebhookconfigurations-injectable", true, "Inject CA data to annotated ValidatingWebhookConfigurations. This functionality is required for cainjector to correctly function as cert-manager's internal component")
+ fs.BoolVar(&o.EnableMutatingWebhookConfigurationsInjectable, "enable-mutatingwebhookconfigurations-injectable", true, "Inject CA data to annotated MutatingWebhookConfigurations. This functionality is required for cainjector to work correctly as cert-manager's internal component")
+ fs.BoolVar(&o.EnableCustomResourceDefinitionsInjectable, "enable-customresourcedefinitions-injectable", true, "Inject CA data to annotated CustomResourceDefinitions. This functionality is not required if cainjecor is only used as cert-manager's internal component and setting it to false might slightly reduce memory consumption")
+ fs.BoolVar(&o.EnableAPIServicesInjectable, "enable-apiservices-injectable", true, "Inject CA data to annotated APIServices. This functionality is not required if cainjector is only used as cert-manager's internal component and setting it to false might reduce memory consumption")
 fs.StringVar(&o.PprofAddr, "profiler-address", cmdutil.DefaultProfilerAddr, "Address of the Go profiler (pprof) if enabled. This should never be exposed on a public interface.")
 utilfeature.DefaultMutableFeatureGate.AddFlag(fs)
@@ -200,7 +224,7 @@ func (o InjectorControllerOptions) RunInjectorController(ctx context.Context) er
 // If cainjector has been configured to watch Certificate CRDs
 // (--watch-certificates=true), poll kubeapiserver for 5 minutes or till
 // certificate CRD is found.
- if o.WatchCerts {
+ if o.EnableCertificateDataSource {
 directClient, err := client.New(mgr.GetConfig(), client.Options{
 Scheme: mgr.GetScheme(),
 Mapper: mgr.GetRESTMapper(),
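Review bot: Renaming `--watch-certificates` to `--enable-certificates-data-source` with no alias means a deployment that still passes the old flag fails at flag parsing (pflag rejects unknown flags) instead of falling back to a default, which takes cainjector — and with it CA-bundle injection into the webhooks that gate admission — offline on upgrade. Unless a compatibility shim lives outside this hunk, keep the old name for a release: `fs.BoolVar(&o.EnableCertificateDataSource, "watch-certificates", true, "Deprecated: use --enable-certificates-data-source")` followed by `fs.MarkDeprecated("watch-certificates", "use --enable-certificates-data-source instead")`. Two small help-text issues on the added lines: `cainjecor` in the CRD flag description, and `Enable configuring cert-manager.io Certificate resources` is unclear — `Enable watching cert-manager.io Certificate resources` says what the flag does. AddFlags starts and ends outside the hunk.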
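Review bot: The comment directly above the changed condition still says `(--watch-certificates=true)` although this same commit renames the flag to `--enable-certificates-data-source`, so the CRD-polling behaviour is documented under a name that no longer parses. Change it to `// (--enable-certificates-data-source=true), poll kubeapiserver for 5 minutes or till`. RunInjectorController starts and ends outside the hunk.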
@@ -228,8 +252,17 @@ func (o InjectorControllerOptions) RunInjectorController(ctx context.Context) er
 }
 }
- // TODO: make the controllers to be started optional
- err = cainjector.RegisterAllInjectors(gctx, mgr, o.Namespace, o.WatchCerts)
+ opts := cainjector.SetupOptions{
+ Namespace: o.Namespace,
+ EnableCertificatesDataSource: o.EnableCertificateDataSource,
+ EnabledReconcilersFor: map[string]bool{
+ cainjector.MutatingWebhookConfigurationName: o.EnableMutatingWebhookConfigurationsInjectable,
+ cainjector.ValidatingWebhookConfigurationName: o.EnableValidatingWebhookConfigurationsInjectable,
+ cainjector.APIServiceName: o.EnableAPIServicesInjectable,
+ cainjector.CustomResourceDefinitionName: o.EnableCustomResourceDefinitionsInjectable,
+ },
+ }
+ err = cainjector.RegisterAllInjectors(gctx, mgr, opts)
 if err != nil {
 o.log.Error(err, "failed to register controllers", err)
 return err
diff --git a/pkg/controller/cainjector/setup.go b/pkg/controller/cainjector/setup.go
index 3ad5ce5c9..65a37fea9 100644
--- a/pkg/controller/cainjector/setup.go
+++ b/pkg/controller/cainjector/setup.go
@@ -40,6 +40,13 @@ import (
 // this file contains the logic to set up the different reconcile loops run by cainjector
 // each reconciler corresponds to a type of injectable
+const (
+ MutatingWebhookConfigurationName = "mutatingwebhookconfiguration"
+ ValidatingWebhookConfigurationName = "validatingwebhookconfiguration"
+ APIServiceName = "apiservice"
+ CustomResourceDefinitionName = "customresourcedefinition"
+)
+
 // setup is setup for a reconciler for a particular injectable type
 type setup struct {
 resourceName string
@@ -49,6 +56,12 @@ type setup struct {
 objType client.Object
 }
+type SetupOptions struct {
+ Namespace string
+ EnableCertificatesDataSource bool
+ EnabledReconcilersFor map[string]bool
+}
+
 var (
 MutatingWebhookSetup = setup{
 resourceName: "mutatingwebhookconfiguration",
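Review bot: `o.log.Error(err, "failed to register controllers", err)` passes `err` a second time as a trailing key with no value — everything after the message is key/value pairs for the `logr.Logger` the struct declares — so the error is logged once properly and once as a dangling key. The line is context here, but the hunk rewrites the call whose failure it reports, so it is a cheap fix in the same change: `o.log.Error(err, "failed to register controllers")`. RunInjectorController starts and ends outside the hunk.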
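Review bot: The new exported kind-name constants are consumed only by callers building `EnabledReconcilersFor`, while the `setup` values they must match keep string literals (`resourceName: "mutatingwebhookconfiguration",` is visible at the end of the second hunk), so the two can drift, and because the lookup in RegisterAllInjectors treats a missing key as disabled, a drift would show up as a reconciler that silently never starts. Use the constants in the setup values, e.g. `resourceName: MutatingWebhookConfigurationName,`. `SetupOptions` is exported but undocumented; I would add `// SetupOptions selects which injectable kinds RegisterAllInjectors starts reconcilers for.` on the type and, on `EnabledReconcilersFor`, a comment saying the keys are the kind-name constants above and that an absent key is treated as disabled. The var block continues outside the hunk.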
@@ -83,7 +96,7 @@ var (
 // registerAllInjectors registers all injectors and based on the
 // graduation state of the injector decides how to log no kind/resource match errors
-func RegisterAllInjectors(ctx context.Context, mgr ctrl.Manager, namespace string, watchCerts bool) error {
+func RegisterAllInjectors(ctx context.Context, mgr ctrl.Manager, opts SetupOptions) error {
 // TODO: refactor
 sds := &secretDataSource{
 client: mgr.GetClient(),
@@ -99,13 +112,18 @@ func RegisterAllInjectors(ctx context.Context, mgr ctrl.Manager, namespace strin
 kds := &kubeconfigDataSource{
 apiserverCABundle: caBundle,
 }
+ injectorSetups := []setup{MutatingWebhookSetup, ValidatingWebhookSetup, APIServiceSetup, CRDSetup}
 // Registers a c/r controller for each of APIService, CustomResourceDefinition, Mutating/ValidatingWebhookConfiguration
 // TODO: add a flag to allow users to configure which of these controllers should be registered
 for _, setup := range injectorSetups {
 log := ctrl.Log.WithValues("kind", setup.resourceName)
+ if !opts.EnabledReconcilersFor[setup.resourceName] {
+ log.Info("Not registering a reconcile for injectable kind as it's disabled")
+ continue
+ }
 log.Info("Registering a reconciler for injectable")
 r := &reconciler{
- namespace: namespace,
+ namespace: opts.Namespace,
 resourceName: setup.resourceName,
 newInjectableTarget: setup.newInjectableTarget,
 log: log,
@@ -156,7 +174,7 @@ func RegisterAllInjectors(ctx context.Context, mgr ctrl.Manager, namespace strin
 log: log,
 secretToInjectable: buildSecretToInjectableFunc(setup.listType, setup.resourceName),
 }).Map))
- if watchCerts {
+ if opts.EnableCertificatesDataSource {
 // Index injectable with a new field. If the injectable's CA is
 // to be sourced from a Certificate's Secret, the field's value will be the
 // namespaced name of the Certificate.
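Review bot: The doc comment above the changed signature still names the function `registerAllInjectors` and says nothing about `opts`, which is now what decides which reconcilers run. Replace the first line with `// RegisterAllInjectors registers a reconciler for each injectable kind enabled in opts and, based on the` so the comment starts with the exported name and documents the new parameter. The function body continues outside the hunk.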
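Review bot: `if !opts.EnabledReconcilersFor[setup.resourceName]` treats a key that was never set — a nil map, or a kind name that does not match what the caller used — exactly like an explicit `false`, so a wiring mistake disables a reconciler with only an Info log; for the two webhook kinds that means admission webhooks are left without a CA bundle and every request they gate fails. Failing closed is the right default, but it should be loud: distinguish "not configured" from "disabled" and return an error for the former (which needs `fmt` imported if it is not already). The `// TODO: add a flag to allow users to configure which of these controllers should be registered` line is what this commit implements and should go, and the log message should say `reconciler` rather than `reconcile`. If a package-level `injectorSetups` still exists (the loop compiled before this commit without the new local), the added `:=` shadows it and one of the two should be removed. RegisterAllInjectors continues outside the hunk.
```go
	for _, setup := range injectorSetups {
		log := ctrl.Log.WithValues("kind", setup.resourceName)
		enabled, configured := opts.EnabledReconcilersFor[setup.resourceName]
		if !configured {
			// No explicit decision for this kind: refuse to guess rather than silently skip it.
			return fmt.Errorf("no enable/disable setting supplied for injectable kind %q", setup.resourceName)
		}
		if !enabled {
			log.Info("Not registering a reconciler for injectable kind as it's disabled")
			continue
		}
		// … unchanged: reconciler construction and controller registration …
```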