diff --git a/config/operator/managers.yaml b/config/operator/managers.yaml
index d416bfd3f..f38e8606a 100644
--- a/config/operator/managers.yaml
+++ b/config/operator/managers.yaml
@@ -30,7 +30,11 @@ spec:
 - /manager
 env:
 - name: ENABLE_WEBHOOKS
+{{ if eq $operatorName "infra" }}
+ value: 'true'
+{{ else }}
 value: 'false'
+{{ end }}
 image: {{ $operatorImage }}
 livenessProbe:
 httpGet:
@@ -54,6 +58,12 @@ spec:
 memory: 128Mi
 securityContext:
 allowPrivilegeEscalation: false
+{{ if eq $operatorName "infra" }}
+ volumeMounts:
+ - mountPath: /tmp/k8s-webhook-server/serving-certs
+ name: cert
+ readOnly: true
+{{ end }}
 - args:
 - --secure-listen-address=0.0.0.0:8443
 - --upstream=http://127.0.0.1:8080/
@@ -78,5 +88,12 @@ spec:
 runAsNonRoot: true
 serviceAccountName: {{ $operatorName }}-operator-controller-manager
 terminationGracePeriodSeconds: 10
+{{ if eq $operatorName "infra" }}
+ volumes:
+ - name: cert
+ secret:
+ defaultMode: 420
+ secretName: {{ $operatorName }}-operator-serving-cert
+{{ end }}
 ---
 {{ end }}
diff --git a/hack/sync-bindata.sh b/hack/sync-bindata.sh
index fc128c84f..f4cfcbbe1 100755
--- a/hack/sync-bindata.sh
+++ b/hack/sync-bindata.sh
@@ -5,6 +5,12 @@ # -TODO: role data set -ex
+OUT_DATA=bindata
+EXTRACT_DIR=tmp/bindata
+
+mkdir -p "$EXTRACT_DIR"
+mkdir -p "$OUT_DATA/crds"
+
 function extract_bundle {
 local IN_DIR=$1
 local OUT_DIR=$2
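Review bot: The `eq $operatorName "infra"` test in the `@@ -30,7 +30,11 @@` hunk of config/operator/managers.yaml is repeated verbatim in the `@@ -54,6 +58,12 @@` (volumeMounts) and `@@ -78,5 +88,12 @@` (volumes) hunks, and nothing in the template ties the three together. If a later edit turns `ENABLE_WEBHOOKS` on for another operator without also adding the cert mount and volume, that manager would presumably start its webhook server with no serving certificate under `/tmp/k8s-webhook-server/serving-certs`. A template comment above the first condition would record the coupling, for example `{{/* webhooks are infra-only; keep in sync with the cert volumeMounts and volumes blocks below */}}` (assuming the file is rendered with Go text/template). The container spec this env entry belongs to starts and ends outside the hunk.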
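Review bot: `defaultMode: 420` in the `@@ -78,5 +88,12 @@` hunk of config/operator/managers.yaml is the decimal form of octal 0644, so every file projected from `{{ $operatorName }}-operator-serving-cert`, including the TLS private key, is readable by any UID in a container that mounts it. A comment on that line, such as `# 420 decimal = 0644 octal; the non-root manager user must be able to read the key`, would make the value and its reason explicit. If the pod securityContext sets an `fsGroup` (not visible in this hunk), `defaultMode: 288` (0440) is likely sufficient; confirm the manager can still read the key before tightening. The hunk also does not show what creates this Secret, and the pod cannot start until it exists.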
@@ -13,11 +19,105 @@ function extract_bundle { done } -OUT_DATA=bindata -EXTRACT_DIR=tmp/bindata -mkdir -p "$EXTRACT_DIR" -mkdir -p "$OUT_DATA/crds" +function extract_webhooks { +local CSV_FILENAME=$1 +local OPERATOR_NAME=$2 +local TYPE=$3 + +cat $CSV_FILENAME | yq -r ".spec.webhookdefinitions.[] | select(.type == \"$TYPE\")" | \ + sed -e '/^containerPort:/d' | \ + sed -e '/^deploymentName:/d' | \ + sed -e '/^targetPort:/d' | \ + sed -e '/^type:/d' | \ + sed -e 's|^| |' | sed -e 's|.*admissionReviewVersions:|- admissionReviewVersions:|' | \ + sed -e 's|.*generateName:| name:|' | \ + sed -e 's| - v1| - v1|' | \ + sed -e "s|.*webhookPath:| clientConfig:\n service:\n name: ${OPERATOR_NAME}-webhook-service\n namespace: '{{ .OperatorNamespace }}'\n path:|" + +} + + +function write_webhooks { +local CSV_FILENAME=$1 +local OPERATOR_NAME=$2 + +local MUTATING_WEBHOOKS=$(extract_webhooks "$CSV_FILENAME" "$OPERATOR_NAME" "MutatingAdmissionWebhook") +local VALIDATING_WEBHOOKS=$(extract_webhooks "$CSV_FILENAME" "$OPERATOR_NAME" "ValidatingAdmissionWebhook") + +cat > operator/$OPERATOR_NAME-webhooks.yaml < rbac/$OPERATOR_NAME-rbac.yaml <