Skip to content

Commit ffd18e3

Browse files
k8s-ci-robotk8s-ci-robot
authored
Merge pull request #8249 from vflaux/fix_8248
fix(VPA): Do not update webhook CA when registerWebhook is disabled
2 parents ee360d4 + 19b6295 commit ffd18e3

File tree

2 files changed

+15
-3
lines changed

2 files changed

+15
-3
lines changed

vertical-pod-autoscaler/pkg/admission-controller/certs.go

Lines changed: 9 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -68,8 +68,11 @@ func (cr *certReloader) start(stop <-chan struct{}) error {
6868
if err = watcher.Add(cr.tlsKeyPath); err != nil {
6969
return err
7070
}
71-
if err = watcher.Add(cr.clientCaPath); err != nil {
72-
return err
71+
// we watch the CA file ony when registerWebhook is enabled
72+
if cr.mutatingWebhookClient != nil {
73+
if err = watcher.Add(cr.clientCaPath); err != nil {
74+
return err
75+
}
7376
}
7477

7578
go func() {
@@ -123,6 +126,10 @@ func (cr *certReloader) load() error {
123126

124127
func (cr *certReloader) reloadWebhookCA() error {
125128
client := cr.mutatingWebhookClient
129+
if client == nil {
130+
// this should never happen as we don't watch the file if mutatingWebhookClient is nil
131+
return fmt.Errorf("webhook client is not set")
132+
}
126133
webhook, err := client.Get(context.TODO(), webhookConfigName, metav1.GetOptions{})
127134
if err != nil {
128135
return err

vertical-pod-autoscaler/pkg/admission-controller/main.go

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -27,6 +27,7 @@ import (
2727
"github.com/spf13/pflag"
2828
"k8s.io/client-go/informers"
2929
kube_client "k8s.io/client-go/kubernetes"
30+
typedadmregv1 "k8s.io/client-go/kubernetes/typed/admissionregistration/v1"
3031
kube_flag "k8s.io/component-base/cli/flag"
3132
"k8s.io/klog/v2"
3233

@@ -141,9 +142,13 @@ func main() {
141142
as.Serve(w, r)
142143
healthCheck.UpdateLastActivity()
143144
})
145+
var mutatingWebhookClient typedadmregv1.MutatingWebhookConfigurationInterface
146+
if *registerWebhook {
147+
mutatingWebhookClient = kubeClient.AdmissionregistrationV1().MutatingWebhookConfigurations()
148+
}
144149
server := &http.Server{
145150
Addr: fmt.Sprintf(":%d", *port),
146-
TLSConfig: configTLS(*certsConfiguration, *minTlsVersion, *ciphers, stopCh, kubeClient.AdmissionregistrationV1().MutatingWebhookConfigurations()),
151+
TLSConfig: configTLS(*certsConfiguration, *minTlsVersion, *ciphers, stopCh, mutatingWebhookClient),
147152
}
148153
url := fmt.Sprintf("%v:%v", *webhookAddress, *webhookPort)
149154
ignoredNamespaces := strings.Split(commonFlags.IgnoredVpaObjectNamespaces, ",")

0 commit comments

Comments
 (0)