Update v1beta1 to v1 for webhook cert manager (hashicorp#558)
* Update v1beta1 to v1 for webhook cert manager
kschoche authored Jul 9, 2021
1 parent b382bc4 commit e9d866d
Showing 3 changed files with 42 additions and 41 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -4,6 +4,7 @@ IMPROVEMENTS:
* Add flags `-log-level`, `-log-json` to all subcommands to control log level and json formatting. [[GH-523](https://github.com/hashicorp/consul-k8s/pull/523)]

BUG FIXES:
* Connect: Use `AdmissionregistrationV1` instead of `AdmissionregistrationV1beta1` API as it was deprecated in k8s 1.16. [[GH-558](https://github.com/hashicorp/consul-k8s/pull/558)]
* Connect: Fix bug where environment variables `<NAME>_CONNECT_SERVICE_HOST` and
`<NAME>_CONNECT_SERVICE_PORT` weren't being set when the upstream annotation was used. [[GH-549](https://github.com/hashicorp/consul-k8s/issues/549)]

8 changes: 4 additions & 4 deletions subcommand/webhook-cert-manager/command.go
Expand Up @@ -318,7 +318,7 @@ func (c *Command) updateWebhookConfig(ctx context.Context, metaBundle cert.MetaB
}
value := base64.StdEncoding.EncodeToString(metaBundle.CACert)

webhookCfg, err := clientset.AdmissionregistrationV1beta1().MutatingWebhookConfigurations().Get(ctx, metaBundle.WebhookConfigName, metav1.GetOptions{})
webhookCfg, err := clientset.AdmissionregistrationV1().MutatingWebhookConfigurations().Get(ctx, metaBundle.WebhookConfigName, metav1.GetOptions{})
if err != nil {
return err
}
Expand All @@ -335,7 +335,7 @@ func (c *Command) updateWebhookConfig(ctx context.Context, metaBundle cert.MetaB
return err
}

if _, err = clientset.AdmissionregistrationV1beta1().MutatingWebhookConfigurations().Patch(ctx, metaBundle.WebhookConfigName, types.JSONPatchType, patchesJson, metav1.PatchOptions{}); err != nil {
if _, err = clientset.AdmissionregistrationV1().MutatingWebhookConfigurations().Patch(ctx, metaBundle.WebhookConfigName, types.JSONPatchType, patchesJson, metav1.PatchOptions{}); err != nil {
return err
}
return nil
Expand All @@ -344,7 +344,7 @@ func (c *Command) updateWebhookConfig(ctx context.Context, metaBundle cert.MetaB
// webhookUpdated verifies if every caBundle on the specified webhook configuration matches the desired CA certificate.
// It returns true if the CA is up-to date and false if it needs to be updated.
func (c *Command) webhookUpdated(ctx context.Context, bundle cert.MetaBundle, clientset kubernetes.Interface) bool {
webhookCfg, err := clientset.AdmissionregistrationV1beta1().MutatingWebhookConfigurations().Get(ctx, bundle.WebhookConfigName, metav1.GetOptions{})
webhookCfg, err := clientset.AdmissionregistrationV1().MutatingWebhookConfigurations().Get(ctx, bundle.WebhookConfigName, metav1.GetOptions{})
if err != nil {
return false
}
Expand All @@ -368,7 +368,7 @@ func (c webhookConfig) validate(ctx context.Context, client kubernetes.Interface
if c.Name == "" {
err = multierror.Append(err, errors.New(`config.Name cannot be ""`))
} else {
if _, err2 := client.AdmissionregistrationV1beta1().MutatingWebhookConfigurations().Get(ctx, c.Name, metav1.GetOptions{}); err2 != nil && k8serrors.IsNotFound(err2) {
if _, err2 := client.AdmissionregistrationV1().MutatingWebhookConfigurations().Get(ctx, c.Name, metav1.GetOptions{}); err2 != nil && k8serrors.IsNotFound(err2) {
err = multierror.Append(err, errors.New(fmt.Sprintf("MutatingWebhookConfiguration with name \"%s\" must exist in cluster", c.Name)))
}
}
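Review bot: In `webhookConfig.validate` (last hunk of this file), the lookup through `AdmissionregistrationV1()` only records an error when `k8serrors.IsNotFound(err2)` is true, so a Forbidden, timeout or other API failure is silently dropped and validation succeeds without confirming that the configuration exists. Those errors should be reported too, e.g. by adding `} else if err2 != nil { err = multierror.Append(err, fmt.Errorf("looking up MutatingWebhookConfiguration %q: %w", c.Name, err2)) }`, and `errors.New(fmt.Sprintf(...))` is better written as `fmt.Errorf(...)`. `webhookUpdated` has the same shape: any Get error becomes `false` with the cause discarded, so a missing RBAC grant or an API server that does not serve `admissionregistration.k8s.io/v1` would look like a stale CA bundle. The function bodies start or end outside the hunks shown, so callers may already handle part of this.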
74 changes: 37 additions & 37 deletions subcommand/webhook-cert-manager/command_test.go
Expand Up @@ -12,7 +12,7 @@ import (
"github.com/hashicorp/consul/sdk/testutil/retry"
"github.com/mitchellh/cli"
"github.com/stretchr/testify/require"
admissionv1beta1 "k8s.io/api/admissionregistration/v1beta1"
admissionv1 "k8s.io/api/admissionregistration/v1"
appsv1 "k8s.io/api/apps/v1"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
Expand Down Expand Up @@ -46,33 +46,33 @@ func testSignalHandling(sig os.Signal) func(*testing.T) {
},
}

webhookOne := &admissionv1beta1.MutatingWebhookConfiguration{
webhookOne := &admissionv1.MutatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: webhookConfigOneName,
},
Webhooks: []admissionv1beta1.MutatingWebhook{
Webhooks: []admissionv1.MutatingWebhook{
{
Name: "webhook-under-test",
ClientConfig: admissionv1beta1.WebhookClientConfig{
ClientConfig: admissionv1.WebhookClientConfig{
CABundle: caBundleOne,
},
},
},
}
webhookTwo := &admissionv1beta1.MutatingWebhookConfiguration{
webhookTwo := &admissionv1.MutatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: webhookConfigTwoName,
},
Webhooks: []admissionv1beta1.MutatingWebhook{
Webhooks: []admissionv1.MutatingWebhook{
{
Name: "webhookOne-under-test",
ClientConfig: admissionv1beta1.WebhookClientConfig{
ClientConfig: admissionv1.WebhookClientConfig{
CABundle: caBundleTwo,
},
},
{
Name: "webhookTwo-under-test",
ClientConfig: admissionv1beta1.WebhookClientConfig{
ClientConfig: admissionv1.WebhookClientConfig{
CABundle: caBundleTwo,
},
},
Expand Down Expand Up @@ -169,33 +169,33 @@ func TestRun_SecretDoesNotExist(t *testing.T) {
},
}

webhookOne := &admissionv1beta1.MutatingWebhookConfiguration{
webhookOne := &admissionv1.MutatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: webhookConfigOneName,
},
Webhooks: []admissionv1beta1.MutatingWebhook{
Webhooks: []admissionv1.MutatingWebhook{
{
Name: "webhook-under-test",
ClientConfig: admissionv1beta1.WebhookClientConfig{
ClientConfig: admissionv1.WebhookClientConfig{
CABundle: caBundleOne,
},
},
},
}
webhookTwo := &admissionv1beta1.MutatingWebhookConfiguration{
webhookTwo := &admissionv1.MutatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: webhookConfigTwoName,
},
Webhooks: []admissionv1beta1.MutatingWebhook{
Webhooks: []admissionv1.MutatingWebhook{
{
Name: "webhookOne-under-test",
ClientConfig: admissionv1beta1.WebhookClientConfig{
ClientConfig: admissionv1.WebhookClientConfig{
CABundle: caBundleTwo,
},
},
{
Name: "webhookTwo-under-test",
ClientConfig: admissionv1beta1.WebhookClientConfig{
ClientConfig: admissionv1.WebhookClientConfig{
CABundle: caBundleTwo,
},
},
Expand Down Expand Up @@ -239,11 +239,11 @@ func TestRun_SecretDoesNotExist(t *testing.T) {
require.Equal(r, deploymentName, secretTwo.OwnerReferences[0].Name)
require.Equal(r, uid, secretTwo.OwnerReferences[0].UID)

webhookConfigOne, err := k8s.AdmissionregistrationV1beta1().MutatingWebhookConfigurations().Get(ctx, webhookConfigOneName, metav1.GetOptions{})
webhookConfigOne, err := k8s.AdmissionregistrationV1().MutatingWebhookConfigurations().Get(ctx, webhookConfigOneName, metav1.GetOptions{})
require.NoError(r, err)
require.NotEqual(r, webhookConfigOne.Webhooks[0].ClientConfig.CABundle, caBundleOne)

webhookConfigTwo, err := k8s.AdmissionregistrationV1beta1().MutatingWebhookConfigurations().Get(ctx, webhookConfigTwoName, metav1.GetOptions{})
webhookConfigTwo, err := k8s.AdmissionregistrationV1().MutatingWebhookConfigurations().Get(ctx, webhookConfigTwoName, metav1.GetOptions{})
require.NoError(r, err)
require.NotEqual(r, webhookConfigTwo.Webhooks[0].ClientConfig.CABundle, caBundleTwo)
require.NotEqual(r, webhookConfigTwo.Webhooks[1].ClientConfig.CABundle, caBundleTwo)
Expand Down Expand Up @@ -295,33 +295,33 @@ func TestRun_SecretExists(t *testing.T) {
Type: v1.SecretTypeTLS,
}

webhookOne := &admissionv1beta1.MutatingWebhookConfiguration{
webhookOne := &admissionv1.MutatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: webhookConfigOneName,
},
Webhooks: []admissionv1beta1.MutatingWebhook{
Webhooks: []admissionv1.MutatingWebhook{
{
Name: "webhook-under-test",
ClientConfig: admissionv1beta1.WebhookClientConfig{
ClientConfig: admissionv1.WebhookClientConfig{
CABundle: caBundleOne,
},
},
},
}
webhookTwo := &admissionv1beta1.MutatingWebhookConfiguration{
webhookTwo := &admissionv1.MutatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: webhookConfigTwoName,
},
Webhooks: []admissionv1beta1.MutatingWebhook{
Webhooks: []admissionv1.MutatingWebhook{
{
Name: "webhookOne-under-test",
ClientConfig: admissionv1beta1.WebhookClientConfig{
ClientConfig: admissionv1.WebhookClientConfig{
CABundle: caBundleTwo,
},
},
{
Name: "webhookTwo-under-test",
ClientConfig: admissionv1beta1.WebhookClientConfig{
ClientConfig: admissionv1.WebhookClientConfig{
CABundle: caBundleTwo,
},
},
Expand Down Expand Up @@ -367,11 +367,11 @@ func TestRun_SecretExists(t *testing.T) {
require.Equal(r, deploymentName, secretTwo.OwnerReferences[0].Name)
require.Equal(r, uid, secretTwo.OwnerReferences[0].UID)

webhookConfigOne, err := k8s.AdmissionregistrationV1beta1().MutatingWebhookConfigurations().Get(ctx, webhookConfigOneName, metav1.GetOptions{})
webhookConfigOne, err := k8s.AdmissionregistrationV1().MutatingWebhookConfigurations().Get(ctx, webhookConfigOneName, metav1.GetOptions{})
require.NoError(r, err)
require.NotEqual(r, webhookConfigOne.Webhooks[0].ClientConfig.CABundle, caBundleOne)

webhookConfigTwo, err := k8s.AdmissionregistrationV1beta1().MutatingWebhookConfigurations().Get(ctx, webhookConfigTwoName, metav1.GetOptions{})
webhookConfigTwo, err := k8s.AdmissionregistrationV1().MutatingWebhookConfigurations().Get(ctx, webhookConfigTwoName, metav1.GetOptions{})
require.NoError(r, err)
require.NotEqual(r, webhookConfigTwo.Webhooks[0].ClientConfig.CABundle, caBundleTwo)
require.NotEqual(r, webhookConfigTwo.Webhooks[1].ClientConfig.CABundle, caBundleTwo)
Expand Down Expand Up @@ -410,14 +410,14 @@ func TestRun_SecretUpdates(t *testing.T) {
Type: v1.SecretTypeTLS,
}

webhookOne := &admissionv1beta1.MutatingWebhookConfiguration{
webhookOne := &admissionv1.MutatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: webhookConfigOne,
},
Webhooks: []admissionv1beta1.MutatingWebhook{
Webhooks: []admissionv1.MutatingWebhook{
{
Name: "webhook-under-test",
ClientConfig: admissionv1beta1.WebhookClientConfig{
ClientConfig: admissionv1.WebhookClientConfig{
CABundle: caBundleOne,
},
},
Expand Down Expand Up @@ -465,7 +465,7 @@ func TestRun_SecretUpdates(t *testing.T) {
certificate = secret1.Data[v1.TLSCertKey]
key = secret1.Data[v1.TLSPrivateKeyKey]

webhookConfig1, err := k8s.AdmissionregistrationV1beta1().MutatingWebhookConfigurations().Get(ctx, webhookConfigOne, metav1.GetOptions{})
webhookConfig1, err := k8s.AdmissionregistrationV1().MutatingWebhookConfigurations().Get(ctx, webhookConfigOne, metav1.GetOptions{})
require.NoError(r, err)
require.NotEqual(r, webhookConfig1.Webhooks[0].ClientConfig.CABundle, caBundleOne)
})
Expand All @@ -492,14 +492,14 @@ func TestCertWatcher(t *testing.T) {
t.Parallel()

webhookName := "webhookOne"
webhook := &admissionv1beta1.MutatingWebhookConfiguration{
webhook := &admissionv1.MutatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: webhookName,
},
Webhooks: []admissionv1beta1.MutatingWebhook{
Webhooks: []admissionv1.MutatingWebhook{
{
Name: "webhook-under-test",
ClientConfig: admissionv1beta1.WebhookClientConfig{},
ClientConfig: admissionv1.WebhookClientConfig{},
},
},
}
Expand Down Expand Up @@ -543,21 +543,21 @@ func TestCertWatcher(t *testing.T) {
ctx := context.Background()
timer := &retry.Timer{Timeout: 5 * time.Second, Wait: 500 * time.Millisecond}
retry.RunWith(timer, t, func(r *retry.R) {
webhookConfig, err := k8s.AdmissionregistrationV1beta1().MutatingWebhookConfigurations().Get(ctx, webhookName, metav1.GetOptions{})
webhookConfig, err := k8s.AdmissionregistrationV1().MutatingWebhookConfigurations().Get(ctx, webhookName, metav1.GetOptions{})
require.NoError(r, err)
// Verify that the CA cert has been initally set on the MWC.
require.Contains(r, string(webhookConfig.Webhooks[0].ClientConfig.CABundle), "ca-certificate-string")
})
// Update the CA bundle on the MWC to `""` to replicate a helm upgrade
webhook.Webhooks[0].ClientConfig.CABundle = []byte("")
_, err = k8s.AdmissionregistrationV1beta1().MutatingWebhookConfigurations().Update(ctx, webhook, metav1.UpdateOptions{})
_, err = k8s.AdmissionregistrationV1().MutatingWebhookConfigurations().Update(ctx, webhook, metav1.UpdateOptions{})
require.NoError(t, err)

// If this test passes, it implies that the system has recovered from the MWC
// getting updated to have the correct CA within a reasonable time window
timer = &retry.Timer{Timeout: 5 * time.Second, Wait: 500 * time.Millisecond}
retry.RunWith(timer, t, func(r *retry.R) {
webhookConfig, err := k8s.AdmissionregistrationV1beta1().MutatingWebhookConfigurations().Get(ctx, webhookName, metav1.GetOptions{})
webhookConfig, err := k8s.AdmissionregistrationV1().MutatingWebhookConfigurations().Get(ctx, webhookName, metav1.GetOptions{})
require.NoError(r, err)
// Verify that the CA cert has been updated with the correct CA.
require.Contains(r, string(webhookConfig.Webhooks[0].ClientConfig.CABundle), "ca-certificate-string")
Expand All @@ -566,7 +566,7 @@ func TestCertWatcher(t *testing.T) {

func TestValidate(t *testing.T) {
t.Parallel()
webhook := &admissionv1beta1.MutatingWebhookConfiguration{
webhook := &admissionv1.MutatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: "webhook-config-name",
},
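Review bot: The v1 fixtures (`webhookOne`, `webhookTwo`, `webhook`) leave `SideEffects` and `AdmissionReviewVersions` unset, both of which the `admissionregistration.k8s.io/v1` API requires on each webhook. The tests still pass, presumably because `k8s` is a fake clientset that performs no server-side validation (its construction is outside the hunks). Setting them in the fixtures, e.g. `SideEffects: &sideEffectNone, AdmissionReviewVersions: []string{"v1beta1", "v1"},` with `sideEffectNone := admissionv1.SideEffectClassNone`, keeps the test objects valid for the API version now under test. A short comment should also say that these tests do not prove the deployed MutatingWebhookConfiguration is accepted by the v1 endpoint.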
