feat(cli): configurable certgen images (#516)

* feat(cli): configurable certgen images Add two new command line options to the manager. -webhook-certificate-config-base-image string The base image for the certgen Jobs. (default "registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.3.0") -webhook-certificate-config-shell-image string The shell image for the certgen Jobs. (default "busybox") Those are optional. If you omit them the defaults will be used which are the previous hard coded values. Signed-off-by: Arpad Kunszt <[email protected]> * feat(cli): cleanup code per review Removed unnecessary variable assignments. Signed-off-by: Arpad Kunszt <[email protected]> * feat(cli): add CHANGELOG entry Signed-off-by: Arpad Kunszt <[email protected]> * feat(cli): unit tests handle new arguments Signed-off-by: Arpad Kunszt <[email protected]> * feat(cli): move new configuration into Config Also created a constant for the shell image, so it is no more a hard coded string hidden in the code. Signed-off-by: Arpad Kunszt <[email protected]> * feat(cli): added UT for the new arguments The new unit test tests only if the command line arguments are set in the configuration. The other cases, the default configuration, the environmental variable handling are already tested in previous cases. The test does not cover if the values from the configuration are actually used but at the moment there are no tests for that part of the code at all. Signed-off-by: Arpad Kunszt <[email protected]> --------- Signed-off-by: Arpad Kunszt <[email protected]>
Kong · Aug 23, 2024 · cd09c47 · cd09c47
1 parent a322d59
commit cd09c47
Show file tree

Hide file tree

Showing 7 changed files with 34 additions and 8 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -50,6 +50,8 @@
   [#506](https://github.com/Kong/gateway-operator/pull/506)
 - Add `KongConsumerGroup` reconciler for Konnect control planes.
   [#510](https://github.com/Kong/gateway-operator/pull/510)
+- Added command line flags to configure the certificate generator job's images.
+  [#516](https://github.com/Kong/gateway-operator/pull/516)
 
 ### Fixed
 

diff --git a/modules/cli/cli.go b/modules/cli/cli.go
@@ -52,6 +52,8 @@ func New(m metadata.Info) *CLI {
 
 	// webhook and validation options
 	flagSet.BoolVar(&deferCfg.ValidatingWebhookEnabled, "enable-validating-webhook", true, "Enable the validating webhook.")
+	flagSet.StringVar(&cfg.WebhookCertificateConfigBaseImage, "webhook-certificate-config-base-image", consts.WebhookCertificateConfigBaseImage, "The base image for the certgen Jobs.")
+	flagSet.StringVar(&cfg.WebhookCertificateConfigShellImage, "webhook-certificate-config-shell-image", consts.WebhookCertificateConfigShellImage, "The shell image for the certgen Jobs.")
 
 	flagSet.BoolVar(&deferCfg.Version, "version", false, "Print version information.")
 

diff --git a/modules/cli/cli_test.go b/modules/cli/cli_test.go
@@ -78,6 +78,19 @@ func TestParse(t *testing.T) {
 				return cfg
 			},
 		},
+		{
+			name: "webhook certificate configuration arguments are set",
+			args: []string{
+				"--webhook-certificate-config-base-image=mybaseimage:42",
+				"--webhook-certificate-config-shell-image=shellimg",
+			},
+			expectedCfg: func() manager.Config {
+				cfg := expectedDefaultCfg()
+				cfg.WebhookCertificateConfigBaseImage = "mybaseimage:42"
+				cfg.WebhookCertificateConfigShellImage = "shellimg"
+				return cfg
+			},
+		},
 	}
 
 	for _, tC := range testCases {
@@ -153,6 +166,8 @@ func expectedDefaultCfg() manager.Config {
 		KonnectSyncPeriod:                       consts.DefaultKonnectSyncPeriod,
 		KongPluginInstallationControllerEnabled: false,
 		ValidatingWebhookEnabled:                true,
+		WebhookCertificateConfigBaseImage:       consts.WebhookCertificateConfigBaseImage,
+		WebhookCertificateConfigShellImage:      consts.WebhookCertificateConfigShellImage,
 		LoggerOpts:                              &zap.Options{},
 	}
 }
diff --git a/modules/manager/run.go b/modules/manager/run.go
@@ -92,7 +92,9 @@ type Config struct {
 	KonnectControllersEnabled bool
 
 	// webhook and validation options
-	ValidatingWebhookEnabled bool
+	ValidatingWebhookEnabled           bool
+	WebhookCertificateConfigBaseImage  string
+	WebhookCertificateConfigShellImage string
 }
 
 // DefaultConfig returns a default configuration for the manager.

diff --git a/modules/manager/webhook.go b/modules/manager/webhook.go
@@ -256,16 +256,18 @@ func (m *webhookManager) createWebhookResources(ctx context.Context) error {
 }
 
 func (m *webhookManager) createCertificateConfigJobs(ctx context.Context) error {
-	jobCertificateConfigImage := consts.WebhookCertificateConfigBaseImage
+	jobCertificateConfigBaseImage := m.cfg.WebhookCertificateConfigBaseImage
+	jobCertificateConfigShellImage := m.cfg.WebhookCertificateConfigShellImage
 	if relatedJobImage := os.Getenv("RELATED_IMAGE_CERTIFICATE_CONFIG"); relatedJobImage != "" {
 		// RELATED_IMAGE_CERTIFICATE_CONFIG is set by the operator-sdk when building the operator bundle.
 		// https://github.com/Kong/gateway-operator-archive/issues/261
-		jobCertificateConfigImage = relatedJobImage
+		jobCertificateConfigBaseImage = relatedJobImage
 	}
 	job := k8sresources.GenerateNewWebhookCertificateConfigJob(
 		m.cfg.ControllerNamespace,
 		consts.WebhookCertificateConfigName,
-		jobCertificateConfigImage,
+		jobCertificateConfigBaseImage,
+		jobCertificateConfigShellImage,
 		consts.WebhookCertificateConfigSecretName,
 		consts.WebhookName,
 	)

diff --git a/pkg/consts/consts.go b/pkg/consts/consts.go
@@ -128,6 +128,8 @@ const (
 const (
 	// WebhookCertificateConfigBaseImage is the image to use by the certificate config Jobs.
 	WebhookCertificateConfigBaseImage = "registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.3.0"
+	// WebhookCertificateConfigShellImage is the image to use by the certificate config Jobs.
+	WebhookCertificateConfigShellImage = "busybox"
 	// WebhookName is the ValidatingWebhookConfiguration name.
 	WebhookName = "gateway-operator-validation.konghq.com"
 	// WebhookCertificateConfigSecretName is the name of the secret containing the webhook certificate.

diff --git a/pkg/utils/kubernetes/resources/jobs.go b/pkg/utils/kubernetes/resources/jobs.go
@@ -18,7 +18,8 @@ import (
 // GenerateNewWebhookCertificateConfigJob generates the create and patch jobs for the certificateConfig
 func GenerateNewWebhookCertificateConfigJob(namespace,
 	serviceAccountName,
-	imageName,
+	baseImageName,
+	shellImageName,
 	secretName,
 	webhookName string,
 ) *batchv1.Job {
@@ -39,7 +40,7 @@ func GenerateNewWebhookCertificateConfigJob(namespace,
 					fmt.Sprintf("--namespace=%s", namespace),
 					fmt.Sprintf("--secret-name=%s", secretName),
 				},
-				Image:           imageName,
+				Image:           baseImageName,
 				ImagePullPolicy: corev1.PullIfNotPresent,
 			},
 			{
@@ -53,15 +54,15 @@ func GenerateNewWebhookCertificateConfigJob(namespace,
 					fmt.Sprintf("--secret-name=%s", secretName),
 					"--patch-failure-policy=Fail",
 				},
-				Image:           imageName,
+				Image:           baseImageName,
 				ImagePullPolicy: corev1.PullIfNotPresent,
 			},
 		}
 
 		j.Spec.Template.Spec.Containers = []corev1.Container{
 			{
 				Name:            "done",
-				Image:           "busybox",
+				Image:           shellImageName,
 				Args:            []string{"echo", "done"},
 				ImagePullPolicy: corev1.PullIfNotPresent,
 			},