Documentation
Overview
Package webhook provides the entry point for configuring Kubernetes admission webhooks for the Multigres Operator.
The package exposes a Setup function that registers all webhook handlers with the controller-runtime manager. It wires together:
- Mutating Webhooks: Apply defaults to MultigresCluster resources before they are persisted (see pkg/webhook/handlers for the implementation).
- Validating Webhooks: Enforce semantic rules for MultigresCluster, template resources, and child resources that cannot be expressed in CRD schemas.
Configuration
The Options struct controls webhook behavior:
- Namespace: Operator namespace for service account identity.
- ServiceAccountName: Used to construct the operator principal for child resource validation (only the operator can modify its managed resources).
TLS Certificates
Certificate management is handled by the generic pkg/cert module. This package provides webhook-specific helpers (PatchWebhookCABundle, FindOperatorDeployment) that are wired into the cert module's hooks by main.go.
Index
- Constants
- func FindOperatorDeployment(ctx context.Context, c client.Client, namespace string, ...) (*appsv1.Deployment, error)
- func HasCertAnnotation(ctx context.Context, c client.Client) bool
- func PatchWebhookCABundle(ctx context.Context, c client.Client, caBundle []byte) error
- func Setup(mgr ctrl.Manager, res *resolver.Resolver, opts Options) error
- type Options
Constants
const (
	// CASecretName is the name of the Secret that stores the CA certificate and key.
	CASecretName = "multigres-operator-ca-secret" //nolint:gosec // K8s resource name, not a credential
	// ServerSecretName is the name of the Secret that stores the webhook server certificate and key.
	ServerSecretName = "multigres-webhook-certs" //nolint:gosec // K8s resource name, not a credential
	// MutatingWebhookName is the name of the MutatingWebhookConfiguration resource.
	MutatingWebhookName = "multigres-operator-mutating-webhook-configuration"
	// ValidatingWebhookName is the name of the ValidatingWebhookConfiguration resource.
	ValidatingWebhookName = "multigres-operator-validating-webhook-configuration"
	// CertStrategyAnnotation marks how the webhook TLS certificates are managed.
	// The operator sets this to CertStrategySelfSigned when it manages its own PKI.
	CertStrategyAnnotation = "multigres.com/cert-strategy"
	// CertStrategySelfSigned indicates the operator manages its own CA and server certs.
	CertStrategySelfSigned = "self-signed"
)
Variables
This section is empty.
Functions
func FindOperatorDeployment
func FindOperatorDeployment(
	ctx context.Context,
	c client.Client,
	namespace string,
	labels map[string]string,
	name string,
) (*appsv1.Deployment, error)
FindOperatorDeployment locates the operator's own Deployment for use as an owner reference on cert secrets. It first tries a label selector match, then falls back to an explicit name lookup. Returns (nil, nil) when no deployment is found, meaning secrets will be created without an owner reference.
func HasCertAnnotation
HasCertAnnotation returns true if either webhook configuration carries the cert-strategy annotation set by the operator. This is used during startup to detect that the operator previously managed its own certs, even when cert files exist on disk from surviving projected volumes.
func PatchWebhookCABundle
PatchWebhookCABundle injects the CA bundle and cert-strategy annotation into both the Mutating and Validating webhook configurations using Server-Side Apply. Using SSA with a dedicated field owner ensures that user-side SSA upgrades (e.g. kubectl apply --server-side -f install.yaml) do not wipe caBundle, because different field managers own different fields.
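The field-ownership point above is easiest to see in the apply body itself. The following is an added illustration, not the operator's own code: it builds the JSON of the Server-Side Apply patch that claims only the fields PatchWebhookCABundle should own (the cert-strategy annotation and each webhook's clientConfig.caBundle), which is what a caller would send with controller-runtime's client.Patch using client.Apply and a dedicated client.FieldOwner. The webhook entry names are constructed placeholders; the page does not list them.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Constants as documented on this page.
const (
	CertStrategyAnnotation = "multigres.com/cert-strategy"
	CertStrategySelfSigned = "self-signed"
	MutatingWebhookName    = "multigres-operator-mutating-webhook-configuration"
	ValidatingWebhookName  = "multigres-operator-validating-webhook-configuration"
)

// BuildCABundleApplyConfig returns the JSON body of a Server-Side Apply patch that
// claims only the cert-strategy annotation and each webhook's clientConfig.caBundle.
// Fields like rules, failurePolicy or namespaceSelector are deliberately absent, so a
// later user-side apply under a different field manager neither conflicts with nor
// drops the caBundle. In admissionregistration.k8s.io/v1 the webhooks field is a
// list-map keyed by name, so every entry must carry its name for the merge to work.
func BuildCABundleApplyConfig(kind, name string, webhookNames []string, caBundle []byte) ([]byte, error) {
	if len(caBundle) == 0 {
		return nil, fmt.Errorf("refusing to apply an empty caBundle to %s/%s", kind, name)
	}
	webhooks := make([]map[string]any, 0, len(webhookNames))
	for _, wh := range webhookNames {
		webhooks = append(webhooks, map[string]any{
			"name": wh,
			// caBundle is a []byte in the API type, so it is base64 on the wire.
			"clientConfig": map[string]any{"caBundle": base64.StdEncoding.EncodeToString(caBundle)},
		})
	}
	cfg := map[string]any{
		"apiVersion": "admissionregistration.k8s.io/v1",
		"kind":       kind,
		"metadata": map[string]any{
			"name":        name,
			"annotations": map[string]string{CertStrategyAnnotation: CertStrategySelfSigned},
		},
		"webhooks": webhooks,
	}
	return json.Marshal(cfg)
}

func main() {
	// Constructed sample input: a placeholder PEM and a hypothetical webhook name.
	body, err := BuildCABundleApplyConfig("MutatingWebhookConfiguration", MutatingWebhookName,
		[]string{"placeholder-webhook.example.com"}, []byte("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"))
	if err != nil {
		panic(err)
	}
	fmt.Println(string(body))
}
```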