split off webhook certs management into separate command

devenv/kustomize/operator-deployment/kustomization.yaml

@@ -11,7 +11,8 @@ patches:
             "--tenant-id", $ARM_CLIENT_TENANT_ID,
             "--location", $RG_LOCATION,
             "--dns-zone-ids", "$DNS_ZONE_IDS",
-            "--cluster-uid", "$CLUSTER_UID"
+            "--cluster-uid", "$CLUSTER_UID",
+            "--operator-webhook-service", "app-routing-operator-webhook",
           ]
     target:
       kind: Deployment

devenv/kustomize/operator-deployment/operator.yaml

@@ -18,7 +18,6 @@ metadata:
   name: app-routing-operator
   namespace: kube-system
 spec:
-  replicas: 2
   selector:
     matchLabels:
       app: app-routing-operator
@@ -32,32 +31,14 @@ spec:
           image: mcr.microsoft.com/oss/kubernetes/pause:3.6-hotfix.20220114
           command: ["/aks-app-routing-operator"]
           args: []
-          volumeMounts:
-            - mountPath: /tmp/k8s-webhook-server/serving-certs
-              name: cert
-              readOnly: true
           livenessProbe:
             httpGet:
               path: /healthz
               port: 8080
-            periodSeconds: 5
           readinessProbe:
             httpGet:
               path: /readyz
               port: 8080
-            periodSeconds: 5
-          startupProbe:
-            failureThreshold: 7
-            httpGet:
-              path: /readyz
-              port: 8080
-            periodSeconds: 5
-      volumes:
-        - name: cert
-          secret:
-            defaultMode: 420
-            secretName: app-routing-webhook-secret
-            optional: true
 ---
 apiVersion: policy/v1
 kind: PodDisruptionBudget

main.go

@@ -31,7 +31,9 @@ func run() error {
 		return err
 	}
 
-	mgr, err := controller.NewManager(config.Flags)
+	rc := controller.NewRestConfig(config.Flags)
+
+	mgr, err := controller.NewManagerForRestConfig(config.Flags, rc)
 	if err != nil {
 		return err
 	}

pkg/config/config.go

@@ -42,12 +42,16 @@ func init() {
 	flag.StringVar(&Flags.ProbeAddr, "probe-addr", "0.0.0.0:8080", "address to serve readiness/liveness probes on")
 	flag.StringVar(&Flags.OperatorDeployment, "operator-deployment", "app-routing-operator", "name of the operator's k8s deployment")
 	flag.StringVar(&Flags.OperatorNs, "operator-namespace", "kube-system", "namespace of the operator's k8s deployment")
-	flag.StringVar(&Flags.OperatorWebhookService, "operator-webhook-service", "app-routing-operator-webhook", "name of the operator's webhook service")
+	flag.StringVar(&Flags.OperatorWebhookService, "operator-webhook-service", "", "name of the operator's webhook service")
+	flag.StringVar(&Flags.OperatorWebhookServiceUrl, "operator-webhook-service-url", "", "url of the operator's webhook service")
 	flag.IntVar(&Flags.WebhookPort, "webhook-port", 9443, "port to serve the webhook on")
 	flag.StringVar(&Flags.ClusterUid, "cluster-uid", "", "unique identifier of the cluster the add-on belongs to")
 	flag.DurationVar(&Flags.DnsSyncInterval, "dns-sync-interval", defaultDnsSyncInterval, "interval at which to sync DNS records")
 	flag.StringVar(&Flags.CrdPath, "crd", "/crd", "location of the CRD manifests. manifests should be directly in this directory, not in a subdirectory")
 	flag.StringVar(&Flags.CertDir, "cert-dir", "/tmp/k8s-webhook-server/serving-certs", "location of the certificates")
+	flag.StringVar(&Flags.CertName, "cert-name", "tls.crt", "name of the certificate file in the cert-dir")
+	flag.StringVar(&Flags.KeyName, "key-name", "tls.key", "name of the key file in the cert-dir")
+	flag.StringVar(&Flags.CaName, "ca-name", "ca.crt", "name of the CA file in the cert-dir")
 }
 
 type DnsZoneConfig struct {
@@ -70,14 +74,38 @@ type Config struct {
 	OperatorNs                          string
 	OperatorDeployment                  string
 	OperatorWebhookService              string
+	OperatorWebhookServiceUrl           string
 	WebhookPort                         int
 	ClusterUid                          string
 	DnsSyncInterval                     time.Duration
 	CrdPath                             string
 	CertDir                             string
+	CertName, KeyName, CaName           string
 }
 
 func (c *Config) Validate() error {
+	if c.OperatorNs == "" {
+		return errors.New("--operator-namespace is required")
+	}
+	if c.OperatorWebhookService == "" && c.OperatorWebhookServiceUrl == "" {
+		return errors.New("--operator-webhook-service or operator-webhook-service-url is required")
+	}
+	if c.OperatorWebhookService != "" && c.OperatorWebhookServiceUrl != "" {
+		return errors.New("only one of --operator-webhook-service or --operator-webhook-service-url should be specified")
+	}
+	if c.CertDir == "" {
+		return errors.New("--cert-dir is required")
+	}
+	if c.CertName == "" {
+		return errors.New("--cert-name is required")
+	}
+	if c.KeyName == "" {
+		return errors.New("--key-name is required")
+	}
+	if c.CaName == "" {
+		return errors.New("--ca-name is required")
+	}
+
 	if c.NS == "" {
 		return errors.New("--namespace is required")
 	}
@@ -102,18 +130,12 @@ func (c *Config) Validate() error {
 	if c.ConcurrencyWatchdogVotes < 1 {
 		return errors.New("--concurrency-watchdog-votes must be a positive number")
 	}
-	if c.OperatorNs == "" {
-		return errors.New("--operator-namespace is required")
-	}
 	if c.WebhookPort == 0 {
 		return errors.New("--webhook-port is required")
 	}
 	if c.OperatorDeployment == "" {
 		return errors.New("--operator-deployment is required")
 	}
-	if c.OperatorWebhookService == "" {
-		return errors.New("--operator-webhook-service is required")
-	}
 
 	if c.ClusterUid == "" {
 		return errors.New("--cluster-uid is required")
@@ -140,10 +162,6 @@ func (c *Config) Validate() error {
 		return fmt.Errorf("crd path %s is not a directory", c.CrdPath)
 	}
 
-	if c.CertDir == "" {
-		return errors.New("--cert-dir is required")
-	}
-
 	return nil
 }