Merge pull request #3031 from cliveseldon/3024_openshift_mwc

Delete mutating webhook if exists when operator creates resources
SeldonIO · Mar 15, 2021 · 39f5386 · 39f5386
2 parents c663fc5 + 6911476
commit 39f5386
Show file tree

Hide file tree

Showing 6 changed files with 43 additions and 14 deletions.
diff --git a/helm-charts/seldon-core-operator/templates/clusterrole_seldon-webhook-role.yaml b/helm-charts/seldon-core-operator/templates/clusterrole_seldon-webhook-role.yaml
@@ -14,6 +14,7 @@ rules:
 - apiGroups:
   - admissionregistration.k8s.io
   resources:
+  - mutatingwebhookconfigurations
   - validatingwebhookconfigurations
   verbs:
   - get

diff --git a/helm-charts/seldon-core-operator/templates/webhook.yaml b/helm-charts/seldon-core-operator/templates/webhook.yaml
@@ -4,20 +4,6 @@
 {{- $cert := genSignedCert "seldon-webhook-service" nil $altNames 365 $ca -}}
 ---
 
-{{- if not .Values.certManager.enabled -}}
-apiVersion: v1
-data:
-  ca.crt: '{{ $ca.Cert | b64enc }}'
-  tls.crt: '{{ $cert.Cert | b64enc }}'
-  tls.key: '{{ $cert.Key | b64enc }}'
-kind: Secret
-metadata:
-  name: seldon-webhook-server-cert
-  namespace: '{{ include "seldon.namespace" . }}'
-type: kubernetes.io/tls
-{{- end }}
----
-
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: ValidatingWebhookConfiguration
 metadata:
@@ -184,5 +170,19 @@ webhooks:
     resources:
     - seldondeployments
   sideEffects: None
+---
+
+{{- if not .Values.certManager.enabled -}}
+apiVersion: v1
+data:
+  ca.crt: '{{ $ca.Cert | b64enc }}'
+  tls.crt: '{{ $cert.Cert | b64enc }}'
+  tls.key: '{{ $cert.Key | b64enc }}'
+kind: Secret
+metadata:
+  name: seldon-webhook-server-cert
+  namespace: '{{ include "seldon.namespace" . }}'
+type: kubernetes.io/tls
+{{- end }}
 
 {{- end }}
diff --git a/operator/config/lite/role_webhook.yaml b/operator/config/lite/role_webhook.yaml
@@ -7,6 +7,7 @@ rules:
 - apiGroups:
   - admissionregistration.k8s.io
   resources:
+  - mutatingwebhookconfigurations
   - validatingwebhookconfigurations
   verbs:
   - get

diff --git a/operator/config/openshift/role_webhook.yaml b/operator/config/openshift/role_webhook.yaml
@@ -7,6 +7,7 @@ rules:
 - apiGroups:
   - admissionregistration.k8s.io
   resources:
+  - mutatingwebhookconfigurations
   - validatingwebhookconfigurations
   verbs:
   - get

diff --git a/operator/utils/k8s/initializer.go b/operator/utils/k8s/initializer.go
@@ -83,6 +83,12 @@ func InitializeOperator(ctx context.Context, config *rest.Config, namespace stri
 		return err
 	}
 
+	//Delete mutating webhook if existing
+	err = wc.DeleteMutatingWebhook(ctx)
+	if err != nil {
+		return err
+	}
+
 	//Create/Update Validating Webhook
 	bytes, err = LoadBytesFromFile(ResourceFolder, ValidatingWebhookFilename)
 	if err != nil {

diff --git a/operator/utils/k8s/webhook.go b/operator/utils/k8s/webhook.go
@@ -17,6 +17,8 @@ import (
 	"strings"
 )
 
+const MutatingWebhookName = "seldon-mutating-webhook-configuration"
+
 type WebhookCreator struct {
 	clientset    kubernetes.Interface
 	certs        *Cert
@@ -60,6 +62,24 @@ func NewWebhookCreator(client kubernetes.Interface, certs *Cert, logger logr.Log
 	}, nil
 }
 
+func (wc *WebhookCreator) DeleteMutatingWebhook(ctx context.Context) error {
+	client := wc.clientset.AdmissionregistrationV1beta1().MutatingWebhookConfigurations()
+
+	// Try to delete clusterwide webhook config if available (older versions of seldon core)
+	_, err := client.Get(ctx, MutatingWebhookName, v1.GetOptions{})
+	if err != nil && errors.IsNotFound(err) {
+		wc.logger.Info("existing clusterwide mwc not found", "name", MutatingWebhookName)
+	} else {
+		client.Delete(ctx, MutatingWebhookName, v1.DeleteOptions{})
+		if err != nil {
+			return err
+		}
+		wc.logger.Info("Deleted clusterwide mwc", "name", MutatingWebhookName)
+	}
+
+	return nil
+}
+
 func (wc *WebhookCreator) CreateValidatingWebhookConfigurationFromFile(ctx context.Context, rawYaml []byte, namespace string, owner *apiextensionsv1beta1.CustomResourceDefinition, watchNamespace bool) error {
 	vwc := v1beta1.ValidatingWebhookConfiguration{}
 	err := yaml.Unmarshal(rawYaml, &vwc)