Fix invalid name for webhook config in cert

Signed-off-by: Andrey Velichkevich <[email protected]>
kubeflow · Oct 17, 2024 · 6a58c51 · 6a58c51
1 parent 647abba
commit 6a58c51
Show file tree

Hide file tree

Showing 7 changed files with 46 additions and 17 deletions.
diff --git a/Makefile b/Makefile
@@ -41,7 +41,8 @@ manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and Cust
 		output:crd:artifacts:config=manifests/base/crds \
 		output:rbac:artifacts:config=manifests/base/rbac \
 		output:webhook:artifacts:config=manifests/base/webhook
-	$(CONTROLLER_GEN) "crd:generateEmbeddedObjectMeta=true" rbac:roleName=training-operator-v2 webhook paths="./pkg/apis/kubeflow.org/v2alpha1/...;./pkg/controller.v2/...;./pkg/webhook.v2/..." \
+	$(CONTROLLER_GEN) "crd:generateEmbeddedObjectMeta=true" rbac:roleName=training-operator-v2 webhook \
+		paths="./pkg/apis/kubeflow.org/v2alpha1/...;./pkg/controller.v2/...;./pkg/webhook.v2/...;./pkg/cert/..." \
 		output:crd:artifacts:config=manifests/v2/base/crds \
 		output:rbac:artifacts:config=manifests/v2/base/rbac \
 		output:webhook:artifacts:config=manifests/v2/base/webhook

diff --git a/cmd/training-operator.v1/main.go b/cmd/training-operator.v1/main.go
@@ -52,6 +52,8 @@ import (
 const (
 	// EnvKubeflowNamespace is an environment variable for namespace when deployed on kubernetes
 	EnvKubeflowNamespace = "KUBEFLOW_NAMESPACE"
+
+	webhookConfigurationName = "validator.training-operator.kubeflow.org"
 )
 
 var (
@@ -150,8 +152,9 @@ func main() {
 	certsReady := make(chan struct{})
 	defer close(certsReady)
 	certGenerationConfig := cert.Config{
-		WebhookSecretName:  webhookSecretName,
-		WebhookServiceName: webhookServiceName,
+		WebhookSecretName:        webhookSecretName,
+		WebhookServiceName:       webhookServiceName,
+		WebhookConfigurationName: webhookConfigurationName,
 	}
 	if err = cert.ManageCerts(mgr, certGenerationConfig, certsReady); err != nil {
 		setupLog.Error(err, "Unable to set up cert rotation")

diff --git a/cmd/training-operator.v2alpha1/main.go b/cmd/training-operator.v2alpha1/main.go
@@ -44,6 +44,10 @@ import (
 	webhookv2 "github.com/kubeflow/training-operator/pkg/webhook.v2"
 )
 
+const (
+	webhookConfigurationName = "validator.training-operator-v2.kubeflow.org"
+)
+
 var (
 	scheme   = apiruntime.NewScheme()
 	setupLog = ctrl.Log.WithName("setup")
@@ -124,8 +128,9 @@ func main() {
 
 	certsReady := make(chan struct{})
 	if err = cert.ManageCerts(mgr, cert.Config{
-		WebhookSecretName:  webhookSecretName,
-		WebhookServiceName: webhookServiceName,
+		WebhookSecretName:        webhookSecretName,
+		WebhookServiceName:       webhookServiceName,
+		WebhookConfigurationName: webhookConfigurationName,
 	}, certsReady); err != nil {
 		setupLog.Error(err, "unable to set up cert rotation")
 		os.Exit(1)

diff --git a/manifests/v2/base/manager/manager.yaml b/manifests/v2/base/manager/manager.yaml
@@ -11,14 +11,17 @@ spec:
       training.kubeflow.org/component: manager
   template:
     metadata:
-      annotations:
-        kubectl.kubernetes.io/default-container: manager
       labels:
         training.kubeflow.org/component: manager
     spec:
       containers:
         - name: manager
-          image: docker.io/kubeflow/training-operator-v2
+          image: kubeflow/training-operator-v2
+          env:
+            - name: MY_POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
           volumeMounts:
             - mountPath: /tmp/k8s-webhook-server/serving-certs
               name: cert

diff --git a/manifests/v2/base/rbac/role.yaml b/manifests/v2/base/rbac/role.yaml
@@ -4,6 +4,24 @@ kind: ClusterRole
 metadata:
   name: training-operator-v2
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - update
+  - watch
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - list
+  - update
+  - watch
 - apiGroups:
   - jobset.x-k8s.io
   resources:

diff --git a/manifests/v2/overlays/standalone/kustomization.yaml b/manifests/v2/overlays/standalone/kustomization.yaml
@@ -6,9 +6,8 @@ resources:
   # TODO (andreyvelich): JobSet should support kubeflow-system namespace.
   - https://github.com/kubernetes-sigs/jobset/releases/download/v0.6.0/manifests.yaml
 images:
-  - name: docker.io/kubeflow/training-operator-v2
-    newTag: v2alpha1-6965c1a
-    newName: docker.io/kubeflow/training-operator
+  - name: kubeflow/training-operator-v2
+    newTag: latest
 secretGenerator:
   - name: training-operator-v2-webhook-cert
     namespace: kubeflow-system

diff --git a/pkg/cert/cert.go b/pkg/cert/cert.go
@@ -27,19 +27,19 @@ import (
 
 const (
 	certDir                  = "/tmp/k8s-webhook-server/serving-certs"
-	vwcName                  = "validator.training-operator.kubeflow.org"
 	caName                   = "training-operator-ca"
 	caOrganization           = "training-operator"
 	defaultOperatorNamespace = "kubeflow"
 )
 
 type Config struct {
-	WebhookServiceName string
-	WebhookSecretName  string
+	WebhookServiceName       string
+	WebhookSecretName        string
+	WebhookConfigurationName string
 }
 
-// +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;update
-// +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=validatingwebhookconfigurations,verbs=get;list;watch;update
+//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;update
+//+kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=validatingwebhookconfigurations,verbs=get;list;watch;update
 
 // ManageCerts creates all certs for webhooks.
 func ManageCerts(mgr ctrl.Manager, cfg Config, setupFinished chan struct{}) error {
@@ -61,7 +61,7 @@ func ManageCerts(mgr ctrl.Manager, cfg Config, setupFinished chan struct{}) erro
 		IsReady:        setupFinished,
 		Webhooks: []cert.WebhookInfo{{
 			Type: cert.Validating,
-			Name: vwcName,
+			Name: cfg.WebhookConfigurationName,
 		}},
 		// When training-operator is running in the leader election mode,
 		// we expect webhook server will run in primary and secondary instance