diff --git a/helm-charts/seldon-core-operator/templates/clusterrole_seldon-webhook-role.yaml b/helm-charts/seldon-core-operator/templates/clusterrole_seldon-webhook-role.yaml
index 3caefed8f7..5a58e68d85 100644
--- a/helm-charts/seldon-core-operator/templates/clusterrole_seldon-webhook-role.yaml
+++ b/helm-charts/seldon-core-operator/templates/clusterrole_seldon-webhook-role.yaml
@@ -14,6 +14,7 @@ rules:
 - apiGroups:
 - admissionregistration.k8s.io
 resources:
+ - mutatingwebhookconfigurations
 - validatingwebhookconfigurations
 verbs:
 - get
diff --git a/helm-charts/seldon-core-operator/templates/webhook.yaml b/helm-charts/seldon-core-operator/templates/webhook.yaml
index c8cb96f4a9..28209e44bc 100644
--- a/helm-charts/seldon-core-operator/templates/webhook.yaml
+++ b/helm-charts/seldon-core-operator/templates/webhook.yaml
@@ -4,20 +4,6 @@
 {{- $cert := genSignedCert "seldon-webhook-service" nil $altNames 365 $ca -}}
 ---
-{{- if not .Values.certManager.enabled -}}
-apiVersion: v1
-data:
- ca.crt: '{{ $ca.Cert | b64enc }}'
- tls.crt: '{{ $cert.Cert | b64enc }}'
- tls.key: '{{ $cert.Key | b64enc }}'
-kind: Secret
-metadata:
- name: seldon-webhook-server-cert
- namespace: '{{ include "seldon.namespace" . }}'
-type: kubernetes.io/tls
-{{- end }}
----
-
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: ValidatingWebhookConfiguration
 metadata:
@@ -184,5 +170,19 @@ webhooks:
 resources:
 - seldondeployments
 sideEffects: None
+---
+
+{{- if not .Values.certManager.enabled -}}
+apiVersion: v1
+data:
+ ca.crt: '{{ $ca.Cert | b64enc }}'
+ tls.crt: '{{ $cert.Cert | b64enc }}'
+ tls.key: '{{ $cert.Key | b64enc }}'
+kind: Secret
+metadata:
+ name: seldon-webhook-server-cert
+ namespace: '{{ include "seldon.namespace" . }}'
+type: kubernetes.io/tls
+{{- end }}
 {{- end }}
diff --git a/operator/config/lite/role_webhook.yaml b/operator/config/lite/role_webhook.yaml
index 06fed64d07..57f8e714e7 100644
--- a/operator/config/lite/role_webhook.yaml
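Review bot: The new `mutatingwebhookconfigurations` entry in the `rules` block of clusterrole_seldon-webhook-role.yaml shares the verb list of the existing validating-webhook rule, which continues past `get` outside the hunk and probably grants more than the cleanup needs. The Go code added in this commit only gets and deletes one object, `seldon-mutating-webhook-configuration`; if the shared list also carries create, update or patch, the operator's service account could install or alter mutating webhooks cluster-wide. A separate rule scoped to the cleanup keeps the grant minimal: `resources: [mutatingwebhookconfigurations]`, `resourceNames: [seldon-mutating-webhook-configuration]`, `verbs: [get, delete]`. The same applies to the hunks in operator/config/lite/role_webhook.yaml and operator/config/openshift/role_webhook.yaml.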
+++ b/operator/config/lite/role_webhook.yaml
@@ -7,6 +7,7 @@ rules:
 - apiGroups:
 - admissionregistration.k8s.io
 resources:
+ - mutatingwebhookconfigurations
 - validatingwebhookconfigurations
 verbs:
 - get
diff --git a/operator/config/openshift/role_webhook.yaml b/operator/config/openshift/role_webhook.yaml
index 06fed64d07..57f8e714e7 100644
--- a/operator/config/openshift/role_webhook.yaml
+++ b/operator/config/openshift/role_webhook.yaml
@@ -7,6 +7,7 @@ rules:
 - apiGroups:
 - admissionregistration.k8s.io
 resources:
+ - mutatingwebhookconfigurations
 - validatingwebhookconfigurations
 verbs:
 - get
diff --git a/operator/utils/k8s/initializer.go b/operator/utils/k8s/initializer.go
index aa13f5a900..9966596d8b 100644
--- a/operator/utils/k8s/initializer.go
+++ b/operator/utils/k8s/initializer.go
@@ -83,6 +83,12 @@ func InitializeOperator(ctx context.Context, config *rest.Config, namespace stri
 return err
 }
+ //Delete mutating webhook if existing
+ err = wc.DeleteMutatingWebhook(ctx)
+ if err != nil {
+ return err
+ }
+
 //Create/Update Validating Webhook
 bytes, err = LoadBytesFromFile(ResourceFolder, ValidatingWebhookFilename)
 if err != nil {
diff --git a/operator/utils/k8s/webhook.go b/operator/utils/k8s/webhook.go
index 6d101a091c..0bcef77e17 100644
--- a/operator/utils/k8s/webhook.go
+++ b/operator/utils/k8s/webhook.go
@@ -17,6 +17,8 @@ import (
 "strings"
 )
+const MutatingWebhookName = "seldon-mutating-webhook-configuration"
+
 type WebhookCreator struct {
 clientset kubernetes.Interface
 certs *Cert
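Review bot: Operator start-up now fails whenever the legacy-webhook cleanup returns an error, because the added `if err != nil { return err }` in InitializeOperator propagates it unchanged. As DeleteMutatingWebhook is written in this commit, a Get that is rejected (for example Forbidden on a cluster where the updated role has not been applied yet) is such an error, so the role manifests presumably have to be rolled out before the new operator image. I would say so in the comment, e.g. `// Delete the cluster-wide mutating webhook left by older Seldon Core versions; needs get/delete on mutatingwebhookconfigurations`, and decide explicitly whether a failed cleanup should block start-up or only be logged. InitializeOperator begins and ends outside the hunk.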
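Review bot: The exported constant `MutatingWebhookName` in webhook.go has no doc comment, and nothing at the declaration says it names a legacy object that the new code only ever deletes. Proposed: `// MutatingWebhookName is the cluster-wide MutatingWebhookConfiguration created by older Seldon Core versions; the operator removes it at start-up.`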
@@ -60,6 +62,24 @@ func NewWebhookCreator(client kubernetes.Interface, certs *Cert, logger logr.Log
 }, nil
 }
+func (wc *WebhookCreator) DeleteMutatingWebhook(ctx context.Context) error {
+ client := wc.clientset.AdmissionregistrationV1beta1().MutatingWebhookConfigurations()
+
+ // Try to delete clusterwide webhook config if available (older versions of seldon core)
+ _, err := client.Get(ctx, MutatingWebhookName, v1.GetOptions{})
+ if err != nil && errors.IsNotFound(err) {
+ wc.logger.Info("existing clusterwide mwc not found", "name", MutatingWebhookName)
+ } else {
+ client.Delete(ctx, MutatingWebhookName, v1.DeleteOptions{})
+ if err != nil {
+ return err
+ }
+ wc.logger.Info("Deleted clusterwide mwc", "name", MutatingWebhookName)
+ }
+
+ return nil
+}
+
 func (wc *WebhookCreator) CreateValidatingWebhookConfigurationFromFile(ctx context.Context, rawYaml []byte, namespace string, owner *apiextensionsv1beta1.CustomResourceDefinition, watchNamespace bool) error {
 vwc := v1beta1.ValidatingWebhookConfiguration{}
 err := yaml.Unmarshal(rawYaml, &vwc)
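Review bot: The result of `client.Delete(...)` in DeleteMutatingWebhook is discarded, and the `if err != nil` that follows it tests the error from the earlier `Get`. When the Get succeeds, a failed delete is therefore logged as "Deleted clusterwide mwc" while the stale cluster-wide mutating webhook stays registered; when the Get fails with anything other than NotFound, a delete is still attempted before the Get error is returned. Calling Delete directly and treating NotFound as the nothing-to-do case fixes both paths and removes the extra round trip, as in the block below.

```go
func (wc *WebhookCreator) DeleteMutatingWebhook(ctx context.Context) error {
	client := wc.clientset.AdmissionregistrationV1beta1().MutatingWebhookConfigurations()

	// Remove the cluster-wide webhook config left by older versions of seldon core.
	// NotFound means there is nothing to clean up; any other error is reported.
	err := client.Delete(ctx, MutatingWebhookName, v1.DeleteOptions{})
	if errors.IsNotFound(err) {
		wc.logger.Info("existing clusterwide mwc not found", "name", MutatingWebhookName)
		return nil
	}
	if err != nil {
		return err
	}
	wc.logger.Info("Deleted clusterwide mwc", "name", MutatingWebhookName)
	return nil
}
```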