[Fix] argocd install

cmd/webhook/main.go

@@ -28,6 +28,7 @@ import (
 	"k8s.io/klog/v2"
 	"k8s.io/utils/ptr"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
@@ -52,6 +53,7 @@ import (
 	podwh "github.com/liqotech/liqo/pkg/webhooks/pod"
 	resourceslicewh "github.com/liqotech/liqo/pkg/webhooks/resourceslice"
 	routecfgwh "github.com/liqotech/liqo/pkg/webhooks/routeconfiguration"
+	"github.com/liqotech/liqo/pkg/webhooks/secretcontroller"
 	shadowpodswh "github.com/liqotech/liqo/pkg/webhooks/shadowpod"
 	virtualnodewh "github.com/liqotech/liqo/pkg/webhooks/virtualnode"
 )
@@ -76,6 +78,7 @@ func main() {
 	metricsAddr := pflag.String("metrics-address", ":8080", "The address the metric endpoint binds to")
 	probeAddr := pflag.String("health-probe-address", ":8081", "The address the health probe endpoint binds to")
 	leaderElection := pflag.Bool("enable-leader-election", false, "Enable leader election for the webhook pod")
+	secretName := pflag.String("secret-name", "", "The name of the secret containing the webhook certificates")
 
 	// Global parameters
 	clusterIDFlags := argsutils.NewClusterIDFlags(true, nil)
@@ -103,6 +106,34 @@ func main() {
 
 	config := restcfg.SetRateLimiter(ctrl.GetConfigOrDie())
 
+	// create a client used for configuration
+	cl, err := client.New(config, client.Options{Scheme: scheme})
+	if err != nil {
+		klog.Error(err)
+		os.Exit(1)
+	}
+
+	// forge secret for the webhook
+	if *secretName != "" {
+		var secret corev1.Secret
+		if err := cl.Get(ctx, client.ObjectKey{Namespace: *liqoNamespace, Name: *secretName}, &secret); err != nil {
+			klog.Error(err)
+			os.Exit(1)
+		}
+
+		if err := secretcontroller.HandleSecret(ctx, cl, &secret); err != nil {
+			klog.Error(err)
+			os.Exit(1)
+		}
+
+		if err := cl.Update(ctx, &secret); err != nil {
+			klog.Error(err)
+			os.Exit(1)
+		}
+
+		klog.Info("webhook secret correctly enforced")
+	}
+
 	// Create the main manager.
 	mgr, err := ctrl.NewManager(config, ctrl.Options{
 		MapperProvider: mapper.LiqoMapperProvider(scheme),
@@ -169,6 +200,14 @@ func main() {
 	mgr.GetWebhookServer().Register("/mutate/firewallconfigurations", fwcfgwh.NewMutator())
 	mgr.GetWebhookServer().Register("/validate/routeconfigurations", routecfgwh.NewValidator(mgr.GetClient()))
 
+	// Register the secret controller
+	secretReconciler := secretcontroller.NewSecretReconciler(mgr.GetClient(), mgr.GetScheme(),
+		mgr.GetEventRecorderFor("secret-controller"))
+	if err := secretReconciler.SetupWithManager(mgr); err != nil {
+		klog.Errorf("Unable to set up the secret controller: %v", err)
+		os.Exit(1)
+	}
+
 	if leaderElection != nil && *leaderElection {
 		leaderelection.LabelerOnElection(ctx, mgr, &leaderelection.PodInfo{
 			PodName:        os.Getenv("POD_NAME"),

deployments/liqo/files/liqo-webhook-ClusterRole.yaml

@@ -25,6 +25,28 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - list
+  - update
+  - watch
 - apiGroups:
   - apps
   resources:

deployments/liqo/templates/liqo-controller-manager-deployment.yaml

@@ -156,10 +156,6 @@ spec:
               {{- end }}
           {{- end }}
         resources: {{- toYaml .Values.controllerManager.pod.resources | nindent 10 }}
-        volumeMounts:
-          - name: webhook-certs
-            mountPath: /tmp/k8s-webhook-server/serving-certs/
-            readOnly: true
         ports:
         - name: webhook
           containerPort: {{ .Values.webhook.port }}
@@ -174,11 +170,6 @@ spec:
           httpGet:
             path: /readyz
             port: healthz
-      volumes:
-      - name: webhook-certs
-        secret:
-          secretName: {{ include "liqo.prefixedName" $webhookConfig }}-certs
-          defaultMode: 420
       {{- if ((.Values.common).nodeSelector) }}
       nodeSelector:
       {{- toYaml .Values.common.nodeSelector | nindent 8 }}

deployments/liqo/templates/liqo-webook-deployment.yaml → deployments/liqo/templates/liqo-webhook-deployment.yaml

@@ -52,6 +52,7 @@ spec:
           {{- end }}
           - --cluster-id=$(CLUSTER_ID)
           - --liqo-namespace=$(POD_NAMESPACE)
+          - --secret-name={{ include "liqo.prefixedName" $webhookConfig }}-certs
           - --podcidr={{ .Values.ipam.podCIDR }}
           - --vk-options-default-template={{ .Release.Namespace }}/{{ printf "%s-default" $kubeletConfig.name }}
           {{- if .Values.controllerManager.config.enableResourceEnforcement }}
@@ -83,10 +84,6 @@ spec:
           - name: DEPLOYMENT_NAME
             value: {{ include "liqo.prefixedName" $webhookConfig }}
         resources: {{- toYaml .Values.webhook.pod.resources | nindent 10 }}
-        volumeMounts:
-          - name: webhook-certs
-            mountPath: /tmp/k8s-webhook-server/serving-certs/
-            readOnly: true
         ports:
         - name: webhook
           containerPort: {{ .Values.webhook.port }}
@@ -101,11 +98,12 @@ spec:
           httpGet:
             path: /readyz
             port: healthz
+        volumeMounts:
+        - name: webhook-certs
+          mountPath: /tmp/k8s-webhook-server
       volumes:
       - name: webhook-certs
-        secret:
-          secretName: {{ include "liqo.prefixedName" $webhookConfig }}-certs
-          defaultMode: 420
+        emptyDir: {}
       {{- if ((.Values.common).nodeSelector) }}
       nodeSelector:
       {{- toYaml .Values.common.nodeSelector | nindent 8 }}

deployments/liqo/templates/webhooks/liqo-mutating-webhook.yaml

@@ -6,6 +6,7 @@ metadata:
   name: {{ include "liqo.prefixedName" $webhookConfig }}
   labels:
     {{- include "liqo.labels" $webhookConfig | nindent 4 }}
+    liqo.io/webhook: "true"
 webhooks:
   - name: pod.mutate.liqo.io
     admissionReviewVersions:

deployments/liqo/templates/webhooks/liqo-validating-webhook.yaml

@@ -6,6 +6,7 @@ metadata:
   name: {{ include "liqo.prefixedName" $webhookConfig }}
   labels:
     {{- include "liqo.labels" $webhookConfig | nindent 4 }}
+    liqo.io/webhook: "true"
 webhooks:
   - name: nsoff.validate.liqo.io
     admissionReviewVersions:

deployments/liqo/templates/webhooks/liqo-webhook-secret.yaml

@@ -0,0 +1,12 @@
+{{- $webhookConfig := (merge (dict "name" "webhook" "module" "webhook") .) -}}
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "liqo.prefixedName" $webhookConfig }}-certs
+  labels:
+    {{- include "liqo.labels" $webhookConfig | nindent 4 }}
+    liqo.io/webhook: "true"
+  annotations:
+    liqo.io/webhook-service-name: {{ include "liqo.prefixedName" $webhookConfig }}
+type: opaque

pkg/consts/annotations.go

@@ -45,4 +45,8 @@ const (
 	UninstallingAnnotationKey = "liqo.io/uninstalling"
 	// UninstallingAnnotationValue is the value of the annotation used to signal liqo is being uninstalled.
 	UninstallingAnnotationValue = "true"
+
+	// WebhookServiceNameAnnotationKey is the constant representing
+	// the key of the annotation containing the Webhook service name.
+	WebhookServiceNameAnnotationKey = "liqo.io/webhook-service-name"
 )

pkg/consts/controllers.go

@@ -26,6 +26,7 @@ const (
 	// Core.
 	CtrlForeignCluster      = "foreigncluster"
 	CtrlSecretCRDReplicator = "secret_crdreplicator" //nolint:gosec // not a credential
+	CtrlSecretWebhook       = "secret_webhook"
 
 	// Networking.
 	CtrlConfigurationExternal  = "configuration_external"