diff --git a/subcommand/injector/command.go b/subcommand/injector/command.go index b6b3225c..03210b71 100644 --- a/subcommand/injector/command.go +++ b/subcommand/injector/command.go @@ -32,6 +32,7 @@ import ( "k8s.io/client-go/informers" informerv1 "k8s.io/client-go/informers/core/v1" "k8s.io/client-go/kubernetes" + "k8s.io/client-go/listers/admissionregistration/v1" "k8s.io/client-go/rest" "k8s.io/client-go/tools/cache" ) @@ -357,7 +358,7 @@ func (c *Command) certWatcher(ctx context.Context, ch <-chan cert.Bundle, client <-timer.C } - err := c.updateWebhook(ctx, clientset, bundle, webhooksCache, leaderElector, log) + err := c.updateCertificate(ctx, clientset, bundle, webhooksCache, leaderElector, log) if err != nil { // retry after a delay timer.Reset(expBackoff.NextBackOff()) @@ -368,20 +369,11 @@ func (c *Command) certWatcher(ctx context.Context, ch <-chan cert.Bundle, client } } -func (c *Command) updateWebhook(ctx context.Context, clientset *kubernetes.Clientset, bundle cert.Bundle, webhooksCache cache.Store, leaderElector leader.Elector, log hclog.Logger) error { - item, exists, err := webhooksCache.GetByKey(c.flagAutoName) - if !exists { - log.Warn("Could not find webhook config in cache. Trying again...", "item", item) - return fmt.Errorf("could not find webhook config in cache") - } else if err != nil { - log.Warn(fmt.Sprintf("Could not find webhook config in cache: %s. Trying again...", err)) - return err - } - config, ok := item.(*adminv1.MutatingWebhookConfiguration) - if !ok { - log.Error("Got unknown object from cache; expected &MutatingWebhookConfiguration", "item", item) - } +func (c *Command) fetchWebhook(ctx context.Context, clientset *kubernetes.Clientset) (*adminv1.MutatingWebhookConfiguration, error) { + return clientset.AdmissionregistrationV1().MutatingWebhookConfigurations().Get(ctx, c.flagAutoName, metav1.GetOptions{}) +} +func (c *Command) updateCertificate(ctx context.Context, clientset *kubernetes.Clientset, bundle cert.Bundle, webhooksCache v1.MutatingWebhookConfigurationLister, leaderElector leader.Elector, log hclog.Logger) error { crt, err := tls.X509KeyPair(bundle.Cert, bundle.Key) if err != nil { log.Warn(fmt.Sprintf("Could not load TLS keypair: %s. Trying again...", err)) @@ -401,6 +393,16 @@ func (c *Command) updateWebhook(ctx context.Context, clientset *kubernetes.Clien // If there is an MWC name set, then update the CA bundle. if isLeader && c.flagAutoName != "" && len(bundle.CACert) > 0 { + config, err := webhooksCache.Get(c.flagAutoName) + if err != nil { + log.Warn("Getting webhook config from cache failed", "err", err) + config, err = c.fetchWebhook(ctx, clientset) + if err != nil { + log.Warn("Fetching webhook config directly failed; will try again", "err", err) + return err + } + } + // Check the current bundles and only update if necessary. if len(config.Webhooks) == 0 || !bytes.Equal(config.Webhooks[0].ClientConfig.CABundle, bundle.CACert) { err = c.updateCABundle(ctx, &bundle, clientset) @@ -418,7 +420,7 @@ func (c *Command) updateWebhook(ctx context.Context, clientset *kubernetes.Clien return nil } -func watchWebhooks(ctx context.Context, clientset *kubernetes.Clientset) (cache.Store, <-chan interface{}, error) { +func watchWebhooks(ctx context.Context, clientset *kubernetes.Clientset) (v1.MutatingWebhookConfigurationLister, <-chan interface{}, error) { factory := informers.NewSharedInformerFactoryWithOptions(clientset, 0) webhooks := factory.Admissionregistration().V1().MutatingWebhookConfigurations() go webhooks.Informer().Run(ctx.Done()) @@ -427,7 +429,7 @@ func watchWebhooks(ctx context.Context, clientset *kubernetes.Clientset) (cache. } notifyCh := make(webhookWatcher) webhooks.Informer().AddEventHandler(notifyCh) - return webhooks.Informer().GetStore(), notifyCh, nil + return webhooks.Lister(), notifyCh, nil } type webhookWatcher chan interface{}