in reconcilers/reconciler.go [132:178]
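// emptyCABundleError is returned when the webhook TLS secret exists but the
// key that should hold the CA certificate is absent or empty, so there is no
// usable caBundle to write into the MutatingWebhookConfiguration.
type emptyCABundleError struct {
	secret string
	key    string
}

// Error implements the error interface.
func (e *emptyCABundleError) Error() string {
	return "secret " + e.secret + " has no " + e.key + " data; refusing to configure the webhook with an empty caBundle"
}

// createOrUpdateWebhook makes sure the AKS-managed MutatingWebhookConfiguration
// exists and carries the CA certificate stored in the webhook secret.
//
// Flow:
//   - read the secret named by utils.SecretName() in config.AppConfig.Namespace
//     and take its "caCert.pem" entry as the caBundle;
//   - if the configuration named by utils.WebhookConfigName() does not exist,
//     create it;
//   - if it exists but is not labelled consts.ManagedLabelKey=consts.ManagedLabelValue,
//     leave it untouched — a configuration we do not own is never overwritten;
//   - otherwise update it when shouldUpdateWebhook reports that it drifted.
//
// isKubeSystemNamespaceBlocked is forwarded unchanged to the create/update/drift
// helpers. The *error return follows the convention of those helpers; nil means
// success or "nothing to do".
func createOrUpdateWebhook(ctx context.Context, clientset kubernetes.Interface, isKubeSystemNamespaceBlocked bool) *error {
	logger := log.MustGetLogger(ctx)

	const caCertKey = "caCert.pem"
	secretName := utils.SecretName()
	secret, err := clientset.CoreV1().Secrets(config.AppConfig.Namespace).Get(ctx, secretName, metav1.GetOptions{})
	if err != nil {
		// Kept at info level: the secret may legitimately not exist yet (for
		// example before the certificate has been issued); the caller decides
		// whether to retry.
		logger.Infof(ctx, "fail to get secret %s. error: %s", secretName, err)
		return &err
	}

	// Refuse to proceed without a CA certificate. A missing map key yields a
	// nil slice, and an empty caBundle leaves the API server unable to verify
	// the webhook server's certificate — depending on the configured failure
	// policy (not visible here) that either blocks admission entirely or
	// silently bypasses the webhook. Failing fast is the safer outcome.
	caCert := secret.Data[caCertKey]
	if len(caCert) == 0 {
		var cerr error = &emptyCABundleError{secret: secretName, key: caCertKey}
		logger.Errorf(ctx, "secret %s has no %s data", secretName, caCertKey)
		return &cerr
	}

	webhookName := utils.WebhookConfigName()
	client := clientset.AdmissionregistrationV1().MutatingWebhookConfigurations()
	webhook, getErr := client.Get(ctx, webhookName, metav1.GetOptions{})
	switch {
	case k8serrors.IsNotFound(getErr):
		logger.Infof(ctx, "mutating webhook configuration %s doesn't exist", webhookName)
		if cerr := createMutatingWebhookConfig(ctx, clientset, caCert, isKubeSystemNamespaceBlocked); cerr != nil {
			logger.Errorf(ctx, "Create mutating webhook configuration failed. error: %s", *cerr)
			return cerr
		}
		logger.Info(ctx, "Create mutating webhook configuration succeed.")
		return nil
	case getErr != nil:
		logger.Errorf(ctx, "get mutating webhook configuration error: %s", getErr)
		return &getErr
	}

	// Only configurations carrying the management label are ours to change;
	// anything else is reported and left alone.
	if v, ok := webhook.ObjectMeta.Labels[consts.ManagedLabelKey]; !ok || v != consts.ManagedLabelValue {
		logger.Warningf(ctx, "found mutating webhook configuration %s not managed by AKS", webhookName)
		return nil
	}
	logger.Infof(ctx, "mutating webhook configuration %s is managed by AKS", webhookName)

	shouldUpdate, cerr := shouldUpdateWebhook(ctx, webhook, isKubeSystemNamespaceBlocked, clientset)
	if cerr != nil {
		return cerr
	}
	if !shouldUpdate {
		return nil
	}
	if cerr = updateMutatingWebhookConfig(ctx, clientset, isKubeSystemNamespaceBlocked, caCert); cerr != nil {
		logger.Errorf(ctx, "Update mutating webhook configuration failed. error: %s", *cerr)
		return cerr
	}
	logger.Info(ctx, "Update mutating webhook configuration succeed.")
	return nil
}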