Merge pull request #995 from spectrocloud/feat/webhook-service-account

cPu1 · web-flow · commit 47569d7e2c64 · 2025-12-30T19:28:59.000+05:30
[PCP-5713] Configure webhooks to run without a service account
diff --git a/main.go b/main.go
@@ -30,6 +30,7 @@ import (
 	"github.com/spf13/pflag"
 	"k8s.io/apimachinery/pkg/runtime"
 	cgscheme "k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/leaderelection/resourcelock"
 	cgrecord "k8s.io/client-go/tools/record"
 	"k8s.io/component-base/logs"
@@ -42,6 +43,10 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
+	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
+	expclusterv1 "sigs.k8s.io/cluster-api/exp/api/v1beta1"
+	"sigs.k8s.io/cluster-api/util/flags"
+
 	// +kubebuilder:scaffold:imports
 	infrav1beta1 "sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta1"
 	infrav1 "sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
@@ -65,9 +70,6 @@ import (
 	"sigs.k8s.io/cluster-api-provider-aws/v2/pkg/logger"
 	"sigs.k8s.io/cluster-api-provider-aws/v2/pkg/record"
 	"sigs.k8s.io/cluster-api-provider-aws/v2/version"
-	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
-	expclusterv1 "sigs.k8s.io/cluster-api/exp/api/v1beta1"
-	"sigs.k8s.io/cluster-api/util/flags"
 )
 
 var (
@@ -171,36 +173,46 @@ func main() {
 
 	ctx := ctrl.SetupSignalHandler()
 
-	restConfig := ctrl.GetConfigOrDie()
-	restConfig.UserAgent = "cluster-api-provider-aws-controller"
-	mgr, err := ctrl.NewManager(restConfig, ctrl.Options{
-		Scheme:                     scheme,
-		Metrics:                    *metricsOptions,
-		LeaderElection:             enableLeaderElection,
-		LeaseDuration:              &leaderElectionLeaseDuration,
-		RenewDeadline:              &leaderElectionRenewDeadline,
-		RetryPeriod:                &leaderElectionRetryPeriod,
-		LeaderElectionResourceLock: resourcelock.LeasesResourceLock,
-		LeaderElectionID:           "controller-leader-elect-capa",
-		LeaderElectionNamespace:    leaderElectionNamespace,
-		Cache: cache.Options{
-			DefaultNamespaces: watchNamespaces,
-			SyncPeriod:        &syncPeriod,
-		},
+	ctrlOpts := ctrl.Options{
+		Scheme:  scheme,
+		Metrics: *metricsOptions,
 		WebhookServer: webhook.NewServer(webhook.Options{
 			Port:    webhookPort,
 			CertDir: webhookCertDir,
 		}),
 		EventBroadcaster:       broadcaster,
 		HealthProbeBindAddress: healthAddr,
-	})
+	}
+
+	var restConfig *rest.Config
+	if webhookPort == 0 {
+		restConfig = ctrl.GetConfigOrDie()
+		restConfig.UserAgent = "cluster-api-provider-aws-controller"
+		ctrlOpts.LeaderElection = enableLeaderElection
+		ctrlOpts.LeaseDuration = &leaderElectionLeaseDuration
+		ctrlOpts.RenewDeadline = &leaderElectionRenewDeadline
+		ctrlOpts.RetryPeriod = &leaderElectionRetryPeriod
+		ctrlOpts.Cache = cache.Options{
+			DefaultNamespaces: watchNamespaces,
+			SyncPeriod:        &syncPeriod,
+		}
+		ctrlOpts.LeaderElectionResourceLock = resourcelock.LeasesResourceLock
+		ctrlOpts.LeaderElectionID = "controller-leader-elect-capa"
+		ctrlOpts.LeaderElectionNamespace = leaderElectionNamespace
+	} else {
+		restConfig = &rest.Config{}
+	}
+
+	mgr, err := ctrl.NewManager(restConfig, ctrlOpts)
 	if err != nil {
 		setupLog.Error(err, "unable to start manager")
 		os.Exit(1)
 	}
 
 	// Initialize event recorder.
-	record.InitFromRecorder(mgr.GetEventRecorderFor("aws-controller"))
+	if webhookPort == 0 {
+		record.InitFromRecorder(mgr.GetEventRecorderFor("aws-controller"))
+	}
 
 	setupLog.Info(fmt.Sprintf("feature gates: %+v\n", feature.Gates))
 
@@ -326,30 +338,8 @@ func setupReconcilersAndWebhooks(ctx context.Context, mgr ctrl.Manager, awsServi
 			setupLog.Error(err, "unable to create controller", "controller", "AWSCluster")
 			os.Exit(1)
 		}
-	}
 
-	if feature.Gates.Enabled(feature.MachinePool) {
-		setupLog.Debug("enabling machine pool controller and webhook")
-		if webhookPort == 0 {
-			if err := (&expcontrollers.AWSMachinePoolReconciler{
-				Client:                       mgr.GetClient(),
-				Recorder:                     mgr.GetEventRecorderFor("awsmachinepool-controller"),
-				WatchFilterValue:             watchFilterValue,
-				TagUnmanagedNetworkResources: feature.Gates.Enabled(feature.TagUnmanagedNetworkResources),
-			}).SetupWithManager(ctx, mgr, controller.Options{MaxConcurrentReconciles: instanceStateConcurrency, RecoverPanic: ptr.To[bool](true)}); err != nil {
-				setupLog.Error(err, "unable to create controller", "controller", "AWSMachinePool")
-				os.Exit(1)
-			}
-		} else {
-			if err := (&expinfrav1.AWSMachinePool{}).SetupWebhookWithManager(mgr); err != nil {
-				setupLog.Error(err, "unable to create webhook", "webhook", "AWSMachinePool")
-				os.Exit(1)
-			}
-		}
-	}
-
-	if feature.Gates.Enabled(feature.EventBridgeInstanceState) {
-		if webhookPort == 0 {
+		if feature.Gates.Enabled(feature.EventBridgeInstanceState) {
 			setupLog.Info("EventBridge notifications enabled. enabling AWSInstanceStateController")
 			if err := (&instancestate.AwsInstanceStateReconciler{
 				Client:           mgr.GetClient(),
@@ -361,11 +351,9 @@ func setupReconcilersAndWebhooks(ctx context.Context, mgr ctrl.Manager, awsServi
 				os.Exit(1)
 			}
 		}
-	}
 
-	if feature.Gates.Enabled(feature.AutoControllerIdentityCreator) {
-		setupLog.Info("AutoControllerIdentityCreator enabled")
-		if webhookPort == 0 {
+		if feature.Gates.Enabled(feature.AutoControllerIdentityCreator) {
+			setupLog.Info("AutoControllerIdentityCreator enabled")
 			if err := (&controlleridentitycreator.AWSControllerIdentityReconciler{
 				Client:           mgr.GetClient(),
 				Log:              ctrl.Log.WithName("controllers").WithName("AWSControllerIdentity"),
@@ -376,9 +364,26 @@ func setupReconcilersAndWebhooks(ctx context.Context, mgr ctrl.Manager, awsServi
 				os.Exit(1)
 			}
 		}
-	}
-
-	if webhookPort != 0 {
+		if feature.Gates.Enabled(feature.MachinePool) {
+			setupLog.Debug("enabling machine pool controller and webhook")
+			if err := (&expcontrollers.AWSMachinePoolReconciler{
+				Client:                       mgr.GetClient(),
+				Recorder:                     mgr.GetEventRecorderFor("awsmachinepool-controller"),
+				WatchFilterValue:             watchFilterValue,
+				TagUnmanagedNetworkResources: feature.Gates.Enabled(feature.TagUnmanagedNetworkResources),
+			}).SetupWithManager(ctx, mgr, controller.Options{MaxConcurrentReconciles: instanceStateConcurrency, RecoverPanic: ptr.To[bool](true)}); err != nil {
+				setupLog.Error(err, "unable to create controller", "controller", "AWSMachinePool")
+				os.Exit(1)
+			}
+		}
+	} else {
+		if feature.Gates.Enabled(feature.MachinePool) {
+			setupLog.Debug("enabling machine pool controller and webhook")
+			if err := (&expinfrav1.AWSMachinePool{}).SetupWebhookWithManager(mgr); err != nil {
+				setupLog.Error(err, "unable to create webhook", "webhook", "AWSMachinePool")
+				os.Exit(1)
+			}
+		}
 		if err := (&infrav1.AWSMachineTemplateWebhook{}).SetupWebhookWithManager(mgr); err != nil {
 			setupLog.Error(err, "unable to create webhook", "webhook", "AWSMachineTemplate")
 			os.Exit(1)
@@ -408,6 +413,7 @@ func setupReconcilersAndWebhooks(ctx context.Context, mgr ctrl.Manager, awsServi
 			os.Exit(1)
 		}
 	}
+
 }
 
 func setupEKSReconcilersAndWebhooks(ctx context.Context, mgr ctrl.Manager, awsServiceEndpoints []scope.ServiceEndpoint,
