
Attempting to separate the webhook into a new container

Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
Gustavo Carvalho 4 years ago
parent
commit
f1d3802604

File diff suppressed because it is too large
+ 2 - 2
config/crds/patches/webhook_in_clustersecretstores.yaml


File diff suppressed because it is too large
+ 2 - 2
config/crds/patches/webhook_in_externalsecrets.yaml


File diff suppressed because it is too large
+ 2 - 2
config/crds/patches/webhook_in_secretstores.yaml


+ 40 - 0
deploy/charts/external-secrets/templates/deployment.yaml

@@ -74,6 +74,46 @@ spec:
             - containerPort: {{ .Values.prometheus.service.port }}
               protocol: TCP
               name: metrics
+          {{- with .Values.extraEnv }}
+          env:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+        - name: {{ .Chart.Name }}-webhook
+          {{- with .Values.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          args:
+          - --webhook=true
+          - --metrics-addr=:8081
+          {{- if or (.Values.leaderElect) (.Values.scopedNamespace) (.Values.concurrent) (.Values.extraArgs) }}
+          {{- if .Values.leaderElect }}
+          - --enable-leader-election=true
+          {{- end }}
+          {{- if .Values.scopedNamespace }}
+          - --namespace={{ .Values.scopedNamespace }}
+          {{- end }}
+          {{- if .Values.controllerClass }}
+          - --controller-class={{ .Values.controllerClass }}
+          {{- end }}
+          {{- if .Values.concurrent }}
+          - --concurrent={{ .Values.concurrent }}
+          {{- end }}
+          {{- range $key, $value := .Values.extraArgs }}
+            {{- if $value }}
+          - --{{ $key }}={{ $value }}
+            {{- else }}
+          - --{{ $key }}
+            {{- end }}
+          {{- end }}
+          {{- end }}
+          ports:
             - containerPort: 9443
               protocol: TCP
               name: webhook
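Review bot: The new `{{ .Chart.Name }}-webhook` container copies the controller's flag block wholesale, so with `leaderElect` set it is started with `--enable-leader-election=true` and, since it runs the same binary in the same pod, it will presumably contend for the same leader lease as the controller container; if the controller container wins, the CRD/certificate reconciler that only the webhook branch registers would never become active. The `--concurrent`, `--controller-class` and `--namespace` lines are likewise meaningless for a process that only serves conversion webhooks, and I would drop the whole `{{- if or ... }}` block from this container and keep only `- --webhook=true` and `- --metrics-addr=:8081` (plus `extraArgs` if you want a hook for operators). Note also that the inner `{{- if .Values.controllerClass }}` is gated by an outer `or` that does not list `controllerClass`, so a chart user setting only that value gets no flag rendered — this is copied from the existing container, but worth fixing in both places. Finally, two containers in one pod share the pod's service account, so this split isolates processes but not privileges; a separate Deployment with its own ServiceAccount scoped to CRD and Secret access would be needed for that, which I assume is the eventual goal given the commit title.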

File diff suppressed because it is too large
+ 6 - 6
deploy/crds/bundle.yaml


+ 71 - 66
main.go

@@ -57,12 +57,14 @@ func main() {
 	var concurrent int
 	var loglevel string
 	var namespace string
+	var webhook bool
 	var storeRequeueInterval time.Duration
 	flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
 	flag.StringVar(&controllerClass, "controller-class", "default", "the controller is instantiated with a specific controller name and filters ES based on this property")
 	flag.BoolVar(&enableLeaderElection, "enable-leader-election", false,
 		"Enable leader election for controller manager. "+
 			"Enabling this will ensure there is only one active controller manager.")
+	flag.BoolVar(&webhook, "webhook", false, "Run as webhook") // Properly separate
 	flag.IntVar(&concurrent, "concurrent", 1, "The number of concurrent ExternalSecret reconciles.")
 	flag.StringVar(&loglevel, "loglevel", "info", "loglevel to use, one of: debug, info, warn, error, dpanic, panic, fatal")
 	flag.StringVar(&namespace, "namespace", "", "watch external secrets scoped in the provided namespace only. ClusterSecretStore can be used but only work if it doesn't reference resources from other namespaces")
@@ -90,80 +92,83 @@ func main() {
 		setupLog.Error(err, "unable to start manager")
 		os.Exit(1)
 	}
-	crds := &crds.Reconciler{
-		Client:                 mgr.GetClient(),
-		Log:                    ctrl.Log.WithName("controllers").WithName("CustomResourceDefinition"),
-		Scheme:                 mgr.GetScheme(),
-		SvcLabels:              map[string]string{"external-secrets.io/component": "webhook"},
-		SecretLabels:           map[string]string{"external-secrets.io/component": "webhook"},
-		CrdResources:           []string{"externalsecrets.external-secrets.io", "clustersecretstores.external-secrets.io", "secretstores.external-secrets.io"},
-		CertDir:                "/tmp/k8s-webhook-server/serving-certs",
-		CAName:                 "external-secrets",
-		CAOrganization:         "external-secrets",
-		RestartOnSecretRefresh: true,
-	}
-	if err := crds.SetupWithManager(mgr, controller.Options{
-		MaxConcurrentReconciles: concurrent,
-	}); err != nil {
-		setupLog.Error(err, errCreateController, "controller", "CustomResourceDefinition")
-		os.Exit(1)
-	}
-
-	if err = (&secretstore.StoreReconciler{
-		Client:          mgr.GetClient(),
-		Log:             ctrl.Log.WithName("controllers").WithName("SecretStore"),
-		Scheme:          mgr.GetScheme(),
-		ControllerClass: controllerClass,
-		RequeueInterval: storeRequeueInterval,
-	}).SetupWithManager(mgr); err != nil {
-		setupLog.Error(err, errCreateController, "controller", "SecretStore")
-		os.Exit(1)
-	}
-	if err = (&secretstore.ClusterStoreReconciler{
-		Client:          mgr.GetClient(),
-		Log:             ctrl.Log.WithName("controllers").WithName("ClusterSecretStore"),
-		Scheme:          mgr.GetScheme(),
-		ControllerClass: controllerClass,
-		RequeueInterval: storeRequeueInterval,
-	}).SetupWithManager(mgr); err != nil {
-		setupLog.Error(err, errCreateController, "controller", "ClusterSecretStore")
-		os.Exit(1)
-	}
-	if err = (&externalsecret.Reconciler{
-		Client:          mgr.GetClient(),
-		Log:             ctrl.Log.WithName("controllers").WithName("ExternalSecret"),
-		Scheme:          mgr.GetScheme(),
-		ControllerClass: controllerClass,
-		RequeueInterval: time.Hour,
-	}).SetupWithManager(mgr, controller.Options{
-		MaxConcurrentReconciles: concurrent,
-	}); err != nil {
-		setupLog.Error(err, errCreateController, "controller", "ExternalSecret")
-		os.Exit(1)
-	}
-	if crtsReady := crds.EnsureCertsMounted(); crtsReady {
-		if err = (&esv1beta1.ExternalSecret{}).SetupWebhookWithManager(mgr); err != nil {
-			setupLog.Error(err, errCreateWebhook, "webhook", "ExternalSecret-v1beta1")
-			os.Exit(1)
+	if webhook {
+		crds := &crds.Reconciler{
+			Client:                 mgr.GetClient(),
+			Log:                    ctrl.Log.WithName("controllers").WithName("CustomResourceDefinition"),
+			Scheme:                 mgr.GetScheme(),
+			SvcLabels:              map[string]string{"external-secrets.io/component": "webhook"},
+			SecretLabels:           map[string]string{"external-secrets.io/component": "webhook"},
+			CrdResources:           []string{"externalsecrets.external-secrets.io", "clustersecretstores.external-secrets.io", "secretstores.external-secrets.io"},
+			CertDir:                "/tmp/k8s-webhook-server/serving-certs",
+			CAName:                 "external-secrets",
+			CAOrganization:         "external-secrets",
+			RestartOnSecretRefresh: true,
 		}
-		if err = (&esv1beta1.SecretStore{}).SetupWebhookWithManager(mgr); err != nil {
-			setupLog.Error(err, errCreateWebhook, "webhook", "SecretStore-v1beta1")
+		if err := crds.SetupWithManager(mgr, controller.Options{
+			MaxConcurrentReconciles: concurrent,
+		}); err != nil {
+			setupLog.Error(err, errCreateController, "controller", "CustomResourceDefinition")
 			os.Exit(1)
 		}
-		if err = (&esv1beta1.ClusterSecretStore{}).SetupWebhookWithManager(mgr); err != nil {
-			setupLog.Error(err, errCreateWebhook, "webhook", "ClusterSecretStore-v1beta1")
-			os.Exit(1)
+		if crtsReady := crds.EnsureCertsMounted(); crtsReady {
+			if err = (&esv1beta1.ExternalSecret{}).SetupWebhookWithManager(mgr); err != nil {
+				setupLog.Error(err, errCreateWebhook, "webhook", "ExternalSecret-v1beta1")
+				os.Exit(1)
+			}
+			if err = (&esv1beta1.SecretStore{}).SetupWebhookWithManager(mgr); err != nil {
+				setupLog.Error(err, errCreateWebhook, "webhook", "SecretStore-v1beta1")
+				os.Exit(1)
+			}
+			if err = (&esv1beta1.ClusterSecretStore{}).SetupWebhookWithManager(mgr); err != nil {
+				setupLog.Error(err, errCreateWebhook, "webhook", "ClusterSecretStore-v1beta1")
+				os.Exit(1)
+			}
+			if err = (&esv1alpha1.ExternalSecret{}).SetupWebhookWithManager(mgr); err != nil {
+				setupLog.Error(err, errCreateWebhook, "webhook", "ExternalSecret-v1alpha1")
+				os.Exit(1)
+			}
+			if err = (&esv1alpha1.SecretStore{}).SetupWebhookWithManager(mgr); err != nil {
+				setupLog.Error(err, errCreateWebhook, "webhook", "SecretStore-v1alpha1")
+				os.Exit(1)
+			}
+			if err = (&esv1alpha1.ClusterSecretStore{}).SetupWebhookWithManager(mgr); err != nil {
+				setupLog.Error(err, errCreateWebhook, "webhook", "ClusterSecretStore-v1alpha1")
+				os.Exit(1)
+			}
 		}
-		if err = (&esv1alpha1.ExternalSecret{}).SetupWebhookWithManager(mgr); err != nil {
-			setupLog.Error(err, errCreateWebhook, "webhook", "ExternalSecret-v1alpha1")
+	} else {
+
+		if err = (&secretstore.StoreReconciler{
+			Client:          mgr.GetClient(),
+			Log:             ctrl.Log.WithName("contllers").WithName("SecretStore"),
+			Scheme:          mgr.GetScheme(),
+			ControllerClass: controllerClass,
+			RequeueInterval: storeRequeueInterval,
+		}).SetupWithManager(mgr); err != nil {
+			setupLog.Error(err, errCreateController, "controller", "SecretStore")
 			os.Exit(1)
 		}
-		if err = (&esv1alpha1.SecretStore{}).SetupWebhookWithManager(mgr); err != nil {
-			setupLog.Error(err, errCreateWebhook, "webhook", "SecretStore-v1alpha1")
+		if err = (&secretstore.ClusterStoreReconciler{
+			Client:          mgr.GetClient(),
+			Log:             ctrl.Log.WithName("controllers").WithName("ClusterSecretStore"),
+			Scheme:          mgr.GetScheme(),
+			ControllerClass: controllerClass,
+			RequeueInterval: storeRequeueInterval,
+		}).SetupWithManager(mgr); err != nil {
+			setupLog.Error(err, errCreateController, "controller", "ClusterSecretStore")
 			os.Exit(1)
 		}
-		if err = (&esv1alpha1.ClusterSecretStore{}).SetupWebhookWithManager(mgr); err != nil {
-			setupLog.Error(err, errCreateWebhook, "webhook", "ClusterSecretStore-v1alpha1")
+		if err = (&externalsecret.Reconciler{
+			Client:          mgr.GetClient(),
+			Log:             ctrl.Log.WithName("controllers").WithName("ExternalSecret"),
+			Scheme:          mgr.GetScheme(),
+			ControllerClass: controllerClass,
+			RequeueInterval: time.Hour,
+		}).SetupWithManager(mgr, controller.Options{
+			MaxConcurrentReconciles: concurrent,
+		}); err != nil {
+			setupLog.Error(err, errCreateController, "controller", "ExternalSecret")
 			os.Exit(1)
 		}
 	}
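Review bot: The logger name for the SecretStore reconciler is misspelled in the new `else` branch: `Log: ctrl.Log.WithName("contllers").WithName("SecretStore"),` should read `Log: ctrl.Log.WithName("controllers").WithName("SecretStore"),`, otherwise its log lines no longer share the `controllers` prefix every other reconciler uses and any filtering on that name silently misses it. The stray blank line right after `} else {` should also go. Separately, the `webhook` branch still relies on `EnsureCertsMounted()` succeeding before the manager starts, and the manager itself (constructed above this hunk, outside my view) is built the same way in both modes, so the controller container presumably still opens the webhook listener even though it registers no webhooks; if that is the case, consider gating the webhook server options on `webhook` as well so only one container in the pod binds the serving port. `main` continues past the end of this hunk.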