Unconditionally sync CA cert for Controller webhooks (#3421)

Webhooks are used by other features besided AntreaPolicy. At the moment, if someone tries to disable AnteraPolicy and enable Egress for example, the webhooks would not be using the correct CA cert and the Egress API would not be usable. Given that we unconditionally create these webhooks in the Antrea deployment manifest, it makes sense to unconditionally sync the CA cert for them. Signed-off-by: Antonin Bas <abas@vmware.com>
antrea-io · Mar 9, 2022 · 4a0d68d · 4a0d68d
1 parent 0e7e0ba
commit 4a0d68d
Showing 1 changed file with 9 additions and 11 deletions.
diff --git a/pkg/apiserver/certificate/cacert_controller.go b/pkg/apiserver/certificate/cacert_controller.go
@@ -34,7 +34,6 @@ import (
 	"k8s.io/klog/v2"
 	"k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
 
-	"antrea.io/antrea/pkg/features"
 	"antrea.io/antrea/pkg/util/env"
 )
 
@@ -118,17 +117,16 @@ func (c *CACertController) syncCACert() error {
 		return err
 	}
 
-	if features.DefaultFeatureGate.Enabled(features.AntreaPolicy) {
-		if err := c.syncMutatingWebhooks(caCert); err != nil {
-			return err
-		}
-		if err := c.syncValidatingWebhooks(caCert); err != nil {
-			return err
-		}
-		if err := c.syncConversionWebhooks(caCert); err != nil {
-			return err
-		}
+	if err := c.syncMutatingWebhooks(caCert); err != nil {
+		return err
+	}
+	if err := c.syncValidatingWebhooks(caCert); err != nil {
+		return err
 	}
+	if err := c.syncConversionWebhooks(caCert); err != nil {
+		return err
+	}
+
 	return nil
 }