func shouldUpdateWebhook()

in reconcilers/reconciler.go [57:101]


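// shouldUpdateWebhook reports whether webhookConfig must be rewritten.
//
// An update is required when any of the following holds, checked in order:
//  1. the admission-enforcer-disabled label on webhookConfig disagrees with
//     isKubeSystemNamespaceBlocked (label present while blocking is wanted,
//     or label absent/wrong while unblocking is wanted);
//  2. webhookConfig has no webhooks, or the first webhook's CABundle differs
//     from the "caCert.pem" entry of the secret named by utils.SecretName()
//     in config.AppConfig.Namespace;
//  3. webhookConfig differs from the configuration derived from the configmap
//     (see currentWebhookConfigAndConfigmapDifferent).
//
// It returns (false, err) with a non-nil *error when the secret or the
// configmap-derived configuration cannot be fetched; in that case the bool
// is meaningless and callers must not act on it.
func shouldUpdateWebhook(ctx context.Context, webhookConfig *admissionregistration.MutatingWebhookConfiguration,
	isKubeSystemNamespaceBlocked bool, clientset kubernetes.Interface) (bool, *error) {
	logger := log.MustGetLogger(ctx)

	admissionEnforcerDisabled, labelExist := webhookConfig.Labels[consts.AdmissionEnforcerDisabledLabel]
	// The label marks the enforcer as disabled for kube-system; it must be
	// present exactly when kube-system is meant to be unblocked, and absent
	// (or carry a different value) when kube-system is meant to be blocked.
	labelSaysDisabled := labelExist && admissionEnforcerDisabled == consts.AdmissionEnforcerDisabledValue
	if isKubeSystemNamespaceBlocked {
		logger.Info(ctx, "kube-system should be blocked")
		if labelSaysDisabled {
			return true, nil
		}
	} else {
		logger.Info(ctx, "kube-system should be unblocked")
		if !labelSaysDisabled {
			logger.Info(ctx, "update webhookConfig for label")
			return true, nil
		}
	}

	secret, getErr := clientset.CoreV1().Secrets(config.AppConfig.Namespace).Get(ctx, utils.SecretName(), metav1.GetOptions{})
	if getErr != nil {
		logger.Errorf(ctx, "get secret error: %s", getErr)
		return false, &getErr
	}
	// NOTE(review): a secret without a "caCert.pem" key yields a nil caCert
	// here, which then compares unequal to any non-empty CABundle and drives
	// an update; whether the updater tolerates an empty CA bundle is decided
	// elsewhere — confirm before relying on this path.
	caCert := secret.Data["caCert.pem"]

	// A configuration with no webhooks cannot carry the CA bundle at all, so
	// it always needs an update. This is checked on its own so the CABundle
	// access below never indexes an empty slice.
	if len(webhookConfig.Webhooks) == 0 {
		logger.Info(ctx, "update webhookConfig for CABundle")
		return true, nil
	}
	currentCABundle := webhookConfig.Webhooks[0].ClientConfig.CABundle
	if !bytes.Equal(currentCABundle, caCert) {
		logger.Info(ctx, "update webhookConfig for CABundle")
		// The CA bundle is public certificate material, so dumping it at
		// debug level does not expose a secret.
		logger.Debugf(ctx, "webhookConfig.Webhooks[0].ClientConfig.CABundle: %x", currentCABundle)
		logger.Debugf(ctx, "caCert: %x", caCert)
		return true, nil
	}

	webhookConfigFromConfig, err := getMutatingWebhookConfigFromConfigmap(ctx, clientset, caCert, isKubeSystemNamespaceBlocked)
	if err != nil {
		logger.Errorf(ctx, "get webhookConfig from configmap error: %s", *err)
		return false, err
	}

	if currentWebhookConfigAndConfigmapDifferent(ctx, webhookConfig, webhookConfigFromConfig) {
		logger.Info(ctx, "update webhookConfig for webhookConfigFromConfig")
		return true, nil
	}

	return false, nil
}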