images/kube-webhook-certgen/rootfs: add support for patching APIService objects

images/kube-webhook-certgen/rootfs/.gitignore

@@ -0,0 +1 @@
+/kube-webhook-certgen

images/kube-webhook-certgen/rootfs/cmd/create.go

@@ -1,6 +1,8 @@
 package cmd
 
 import (
+	"context"
+
 	"github.com/jet/kube-webhook-certgen/pkg/certs"
 	"github.com/jet/kube-webhook-certgen/pkg/k8s"
 	log "github.com/sirupsen/logrus"
@@ -16,13 +18,17 @@ var create = &cobra.Command{
 }
 
 func createCommand(cmd *cobra.Command, args []string) {
-	k := k8s.New(newKubernetesClient(cfg.kubeconfig))
-	ca := k.GetCaFromSecret(cfg.secretName, cfg.namespace)
+	clientset, aggregatorClientset := newKubernetesClients(cfg.kubeconfig)
+	k := k8s.New(clientset, aggregatorClientset)
+
+	ctx := context.TODO()
+
+	ca := k.GetCaFromSecret(ctx, cfg.secretName, cfg.namespace)
 	if ca == nil {
 		log.Info("creating new secret")
 		newCa, newCert, newKey := certs.GenerateCerts(cfg.host)
 		ca = newCa
-		k.SaveCertsToSecret(cfg.secretName, cfg.namespace, cfg.certName, cfg.keyName, ca, newCert, newKey)
+		k.SaveCertsToSecret(ctx, cfg.secretName, cfg.namespace, cfg.certName, cfg.keyName, ca, newCert, newKey)
 	} else {
 		log.Info("secret already exists")
 	}

images/kube-webhook-certgen/rootfs/cmd/patch.go

@@ -1,6 +1,10 @@
 package cmd
 
 import (
+	"context"
+	"errors"
+	"fmt"
+
 	"github.com/jet/kube-webhook-certgen/pkg/k8s"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
@@ -9,49 +13,109 @@ import (
 
 var patch = &cobra.Command{
 	Use:    "patch",
-	Short:  "Patch a validatingwebhookconfiguration and mutatingwebhookconfiguration 'webhook-name' by using the ca from 'secret-name' in 'namespace'",
-	Long:   "Patch a validatingwebhookconfiguration and mutatingwebhookconfiguration 'webhook-name' by using the ca from 'secret-name' in 'namespace'",
-	PreRun: prePatchCommand,
+	Short:  "Patch a ValidatingWebhookConfiguration, MutatingWebhookConfiguration or APIService 'object-name' by using the ca from 'secret-name' in 'namespace'",
+	Long:   "Patch a ValidatingWebhookConfiguration, MutatingWebhookConfiguration or APIService 'object-name' by using the ca from 'secret-name' in 'namespace'",
+	PreRun: configureLogging,
 	Run:    patchCommand,
 }
 
-func prePatchCommand(cmd *cobra.Command, args []string) {
-	configureLogging(cmd, args)
-	if !cfg.patchMutating && !cfg.patchValidating {
-		log.Fatal("patch-validating=false, patch-mutating=false. You must patch at least one kind of webhook, otherwise this command is a no-op")
+type PatchConfig struct {
+	PatchMutating      bool
+	PatchValidating    bool
+	PatchFailurePolicy string
+	APIServiceName     string
+	WebhookName        string
+
+	SecretName string
+	Namespace  string
+
+	Patcher Patcher
+}
+
+type Patcher interface {
+	PatchObjects(ctx context.Context, options k8s.PatchOptions) error
+	GetCaFromSecret(ctx context.Context, secretName, namespace string) []byte
+}
+
+func Patch(ctx context.Context, cfg *PatchConfig) error {
+	if cfg.Patcher == nil {
+		return fmt.Errorf("no patcher defined")
 	}
-	switch cfg.patchFailurePolicy {
+
+	if !cfg.PatchMutating && !cfg.PatchValidating && cfg.APIServiceName == "" {
+		return fmt.Errorf("patch-validating=false, patch-mutating=false. You must patch at least one kind of webhook, otherwise this command is a no-op")
+	}
+
+	var failurePolicy admissionv1.FailurePolicyType
+
+	switch cfg.PatchFailurePolicy {
 	case "":
 		break
 	case "Ignore":
 	case "Fail":
-		failurePolicy = admissionv1.FailurePolicyType(cfg.patchFailurePolicy)
+		failurePolicy = admissionv1.FailurePolicyType(cfg.PatchFailurePolicy)
 		break
 	default:
-		log.Fatalf("patch-failure-policy %s is not valid", cfg.patchFailurePolicy)
+		return fmt.Errorf("patch-failure-policy %s is not valid", cfg.PatchFailurePolicy)
+	}
+
+	ca := cfg.Patcher.GetCaFromSecret(ctx, cfg.SecretName, cfg.Namespace)
+
+	if ca == nil {
+		return fmt.Errorf("no secret with '%s' in '%s'", cfg.SecretName, cfg.Namespace)
+	}
+
+	options := k8s.PatchOptions{
+		CABundle:          ca,
+		FailurePolicyType: failurePolicy,
+		APIServiceName:    cfg.APIServiceName,
 	}
+
+	if cfg.PatchMutating {
+		options.MutatingWebhookConfigurationName = cfg.WebhookName
+	}
+
+	if cfg.PatchValidating {
+		options.ValidatingWebhookConfigurationName = cfg.WebhookName
+	}
+
+	return cfg.Patcher.PatchObjects(ctx, options)
 }
 
 func patchCommand(_ *cobra.Command, _ []string) {
-	k := k8s.New(newKubernetesClient(cfg.kubeconfig))
-	ca := k.GetCaFromSecret(cfg.secretName, cfg.namespace)
+	client, aggregationClient := newKubernetesClients(cfg.kubeconfig)
 
-	if ca == nil {
-		log.Fatalf("no secret with '%s' in '%s'", cfg.secretName, cfg.namespace)
+	config := &PatchConfig{
+		SecretName:         cfg.secretName,
+		Namespace:          cfg.namespace,
+		PatchMutating:      cfg.patchMutating,
+		PatchValidating:    cfg.patchValidating,
+		PatchFailurePolicy: cfg.patchFailurePolicy,
+		APIServiceName:     cfg.apiServiceName,
+		WebhookName:        cfg.webhookName,
+		Patcher:            k8s.New(client, aggregationClient),
 	}
 
-	k.PatchWebhookConfigurations(cfg.webhookName, ca, &failurePolicy, cfg.patchMutating, cfg.patchValidating)
+	ctx := context.TODO()
+
+	if err := Patch(ctx, config); err != nil {
+		if wrappedErr := errors.Unwrap(err); wrappedErr != nil {
+			log.WithField("err", wrappedErr).Fatal(err.Error())
+		}
+
+		log.Fatal(err.Error())
+	}
 }
 
 func init() {
 	rootCmd.AddCommand(patch)
 	patch.Flags().StringVar(&cfg.secretName, "secret-name", "", "Name of the secret where certificate information will be read from")
 	patch.Flags().StringVar(&cfg.namespace, "namespace", "", "Namespace of the secret where certificate information will be read from")
-	patch.Flags().StringVar(&cfg.webhookName, "webhook-name", "", "Name of validatingwebhookconfiguration and mutatingwebhookconfiguration that will be updated")
-	patch.Flags().BoolVar(&cfg.patchValidating, "patch-validating", true, "If true, patch validatingwebhookconfiguration")
-	patch.Flags().BoolVar(&cfg.patchMutating, "patch-mutating", true, "If true, patch mutatingwebhookconfiguration")
+	patch.Flags().StringVar(&cfg.webhookName, "webhook-name", "", "Name of ValidatingWebhookConfiguration and MutatingWebhookConfiguration that will be updated")
+	patch.Flags().StringVar(&cfg.apiServiceName, "apiservice-name", "", "Name of APIService that will be patched")
+	patch.Flags().BoolVar(&cfg.patchValidating, "patch-validating", true, "If true, patch ValidatingWebhookConfiguration")
+	patch.Flags().BoolVar(&cfg.patchMutating, "patch-mutating", true, "If true, patch MutatingWebhookConfiguration")
 	patch.Flags().StringVar(&cfg.patchFailurePolicy, "patch-failure-policy", "", "If set, patch the webhooks with this failure policy. Valid options are Ignore or Fail")
 	patch.MarkFlagRequired("secret-name")
 	patch.MarkFlagRequired("namespace")
-	patch.MarkFlagRequired("webhook-name")
 }