make webhook configurable (#529)

* make webhook configurable * make check * change namespace default to placeholder * fix bug * make shell pretty * adress comment * address wire shell format * address wire shell format * address comment * address shell format
pingcap · May 30, 2019 · a9897a1 · a9897a1
1 parent 83ad7c3
commit a9897a1
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 9 deletions.
diff --git a/manifests/create-cert.sh b/manifests/create-cert.sh
@@ -14,11 +14,35 @@ detailed explantion and additional instructions.
 
 The server key/cert k8s CA cert are stored in a k8s secret.
 
+       -n,--namespace        Namespace where webhook service and secret reside.
 EOF
     exit 1
 }
 
-namespace=default
+optstring=":-:n"
+
+while getopts "$optstring" opt; do
+    case $opt in
+        -)
+            case "$OPTARG" in
+                namespace)
+                    namespace="${2}"
+                    ;;
+                *)
+                    usage
+                    ;;
+            esac
+            ;;
+        n)
+            namespace="${2}"
+            ;;
+        *)
+            usage
+            ;;
+    esac
+done
+
+namespace=${namespace:-tidb-admin}
 service=admission-controller-svc
 secret=admission-controller-certs
 
@@ -27,6 +51,12 @@ if [ ! -x "$(command -v openssl)" ]; then
     exit 1
 fi
 
+CURDIR=$(cd $(dirname ${BASH_SOURCE[0]}); pwd )
+
+# reset namespace and ca_bundle of webhook.yaml
+sed -i "s/caBundle:.*/caBundle: \${CA_BUNDLE}/g" $CURDIR/webhook.yaml
+sed -i "s/namespace:.*/namespace: \${NAMESPACE}/g" $CURDIR/webhook.yaml
+
 csrName=${service}.${namespace}
 tmpdir=$(mktemp -d)
 
@@ -99,3 +129,5 @@ kubectl create secret generic ${secret} \
         --from-file=cert.pem=${tmpdir}/server-cert.pem \
         --dry-run -o yaml |
     kubectl -n ${namespace} apply -f -
+
+sed -i "s/namespace: .*$/namespace: ${namespace}/g" $CURDIR/webhook.yaml
diff --git a/manifests/webhook.yaml b/manifests/webhook.yaml
@@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: admission-controller-cr
-  namespace: default
+  namespace: ${NAMESPACE}
   labels:
     app: admission-webhook
 rules:
@@ -17,21 +17,21 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: admission-controller-sa
-  namespace: default
+  namespace: ${NAMESPACE}
   labels:
     app: admission-controller
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: admission-controller-crb
-  namespace: default
+  namespace: ${NAMESPACE}
   labels:
     app: admission-controller
 subjects:
 - kind: ServiceAccount
   name: admission-controller-sa
-  namespace: default
+  namespace: ${NAMESPACE}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -41,7 +41,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: admission-controller-svc
-  namespace: default
+  namespace: ${NAMESPACE}
   labels:
     app: admission-controller
 spec:
@@ -55,7 +55,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: admission-controller
-  namespace: default
+  namespace: ${NAMESPACE}
   labels:
     app: admission-controller
 spec:
@@ -99,7 +99,7 @@ webhooks:
     clientConfig:
       service:
         name: admission-controller-svc
-        namespace: default
+        namespace: ${NAMESPACE}
         path: "/statefulsets"
       caBundle: ${CA_BUNDLE}
     rules:

diff --git a/tests/actions.go b/tests/actions.go
@@ -394,7 +394,7 @@ func (oa *operatorActions) DeployOperator(info *OperatorConfig) error {
 	}
 
 	// create cert and secret for webhook
-	cmd = fmt.Sprintf("%s/create-cert.sh", oa.manifestPath(info.Tag))
+	cmd = fmt.Sprintf("%s/create-cert.sh --namespace %s", oa.manifestPath(info.Tag), info.Namespace)
 	glog.Info(cmd)
 
 	res, err = exec.Command("/bin/sh", "-c", cmd).CombinedOutput()