store certs in secret so that webhook can have more replicas (fluid-c…

…loudnative#1295) * storage certs in a secret so that webhook can have more replicas Signed-off-by: yangyuliufeng <[email protected]> * add some test cases Signed-off-by: yangyuliufeng <[email protected]> Co-authored-by: cheyang <[email protected]>
shiwenwenya · Jan 4, 2022 · 32b374a · 32b374a
1 parent ea59bd9
commit 32b374a
Show file tree

Hide file tree

Showing 34 changed files with 1,048 additions and 228 deletions.
diff --git a/charts/fluid/fluid/templates/role/webhook/rabc.yaml b/charts/fluid/fluid/templates/role/webhook/rabc.yaml
@@ -32,6 +32,14 @@ rules:
       - get
       - list
       - watch
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - create
+      - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

diff --git a/charts/fluid/fluid/templates/webhook/webhook.yaml b/charts/fluid/fluid/templates/webhook/webhook.yaml
@@ -10,7 +10,7 @@ spec:
   selector:
     matchLabels:
       control-plane: fluid-webhook
-  replicas: 1
+  replicas: {{ .Values.webhook.replicas }}
   template:
     metadata:
       labels:

diff --git a/charts/fluid/fluid/values.yaml b/charts/fluid/fluid/values.yaml
@@ -71,4 +71,5 @@ runtime:
 webhook:
   enabled: true
   image: fluidcloudnative/fluid-webhook:v0.7.0-2abefb0
+  replicas: 1
 
diff --git a/docker/Dockerfile.webhook b/docker/Dockerfile.webhook
@@ -11,7 +11,7 @@ RUN make webhook-build && \
 RUN go get github.com/go-delve/delve/cmd/dlv
 
 FROM alpine:3.10
-RUN apk add --update curl tzdata iproute2 bash libc6-compat openssl vim &&  \
+RUN apk add --update curl tzdata iproute2 bash libc6-compat vim &&  \
 	rm -rf /var/cache/apk/* && \
 	cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
 	echo "Asia/Shanghai" >  /etc/timezone
@@ -21,8 +21,6 @@ RUN curl -o /usr/local/bin/kubectl https://storage.googleapis.com/kubernetes-rel
 
 COPY --from=builder /go/bin/fluid-webhook /usr/local/bin/fluid-webhook
 COPY --from=builder /go/bin/dlv /usr/local/bin/dlv
-COPY tools/certificate.sh /usr/local/bin/certificate.sh
-
 
 RUN mkdir -p /etc/k8s-webhook-server/certs && \
 	chmod -R u+w /etc/k8s-webhook-server/certs && \ 

diff --git a/pkg/common/webhook.go b/pkg/common/webhook.go
@@ -26,8 +26,7 @@ const (
 	WebhookServiceName     = "fluid-pod-admission-webhook"
 	WebhookSchedulePodPath = "mutate-fluid-io-v1alpha1-schedulepod"
 
-	// CertificationGenerateFile comes from tools/certificate.sh
-	CertificationGenerateFile = "/usr/local/bin/certificate.sh"
+	CertSecretName         = "fluid-webhook-certs"
 )
 
 // AdmissionHandler wrappers admission.Handler, but adding client-go capablities

diff --git a/pkg/ddc/alluxio/ufs_internal.go b/pkg/ddc/alluxio/ufs_internal.go
@@ -22,6 +22,7 @@ import (
 	"github.com/fluid-cloudnative/fluid/pkg/common"
 	"github.com/fluid-cloudnative/fluid/pkg/ddc/alluxio/operations"
 	"github.com/fluid-cloudnative/fluid/pkg/utils"
+	"github.com/fluid-cloudnative/fluid/pkg/utils/kubeclient"
 	"github.com/pkg/errors"
 	"reflect"
 )
@@ -132,7 +133,7 @@ func (e *AlluxioEngine) processUpdatingUFS(ufsToUpdate *utils.UFSToUpdate) (err
 				key := encryptOption.Name
 				secretKeyRef := encryptOption.ValueFrom.SecretKeyRef
 
-				secret, err := utils.GetSecret(e.Client, secretKeyRef.Name, e.namespace)
+				secret, err := kubeclient.GetSecret(e.Client, secretKeyRef.Name, e.namespace)
 				if err != nil {
 					e.Log.Info("can't get the secret",
 						"namespace", e.namespace,
@@ -245,7 +246,7 @@ func (e *AlluxioEngine) genUFSMountOptions(m datav1alpha1.Mount) (map[string]str
 	for _, item := range m.EncryptOptions {
 
 		sRef := item.ValueFrom.SecretKeyRef
-		secret, err := utils.GetSecret(e.Client, sRef.Name, e.namespace)
+		secret, err := kubeclient.GetSecret(e.Client, sRef.Name, e.namespace)
 		if err != nil {
 			e.Log.Error(err, "get secret by mount encrypt options failed", "name", item.Name)
 			return mOptions, err

diff --git a/pkg/ddc/goosefs/ufs_internal.go b/pkg/ddc/goosefs/ufs_internal.go
@@ -24,6 +24,7 @@ import (
 	"github.com/fluid-cloudnative/fluid/pkg/common"
 	"github.com/fluid-cloudnative/fluid/pkg/ddc/goosefs/operations"
 	"github.com/fluid-cloudnative/fluid/pkg/utils"
+	"github.com/fluid-cloudnative/fluid/pkg/utils/kubeclient"
 	"github.com/pkg/errors"
 )
 
@@ -207,7 +208,7 @@ func (e *GooseFSEngine) processUpdatingUFS(ufsToUpdate *utils.UFSToUpdate) (err
 				key := encryptOption.Name
 				secretKeyRef := encryptOption.ValueFrom.SecretKeyRef
 
-				secret, err := utils.GetSecret(e.Client, secretKeyRef.Name, e.namespace)
+				secret, err := kubeclient.GetSecret(e.Client, secretKeyRef.Name, e.namespace)
 				if err != nil {
 					e.Log.Info("can't get the secret",
 						"namespace", e.namespace,
@@ -318,7 +319,7 @@ func (e *GooseFSEngine) genUFSMountOptions(m datav1alpha1.Mount) (map[string]str
 	for _, item := range m.EncryptOptions {
 
 		sRef := item.ValueFrom.SecretKeyRef
-		secret, err := utils.GetSecret(e.Client, sRef.Name, e.namespace)
+		secret, err := kubeclient.GetSecret(e.Client, sRef.Name, e.namespace)
 		if err != nil {
 			e.Log.Error(err, "get secret by mount encrypt options failed", "name", item.Name)
 			return mOptions, err

diff --git a/pkg/ddc/jindo/transform.go b/pkg/ddc/jindo/transform.go
@@ -2,6 +2,7 @@ package jindo
 
 import (
 	"fmt"
+	"github.com/fluid-cloudnative/fluid/pkg/utils/kubeclient"
 	"os"
 	"regexp"
 	"strconv"
@@ -206,7 +207,7 @@ func (e *JindoEngine) transformMaster(runtime *datav1alpha1.JindoRuntime, metaPa
 		for _, encryptOption := range mount.EncryptOptions {
 			key := encryptOption.Name
 			secretKeyRef := encryptOption.ValueFrom.SecretKeyRef
-			secret, err := utils.GetSecret(e.Client, secretKeyRef.Name, e.namespace)
+			secret, err := kubeclient.GetSecret(e.Client, secretKeyRef.Name, e.namespace)
 			if err != nil {
 				e.Log.Info("can't get the secret")
 				break

diff --git a/pkg/ddc/juicefs/transform_fuse.go b/pkg/ddc/juicefs/transform_fuse.go
@@ -23,7 +23,7 @@ import (
 
 	datav1alpha1 "github.com/fluid-cloudnative/fluid/api/v1alpha1"
 	"github.com/fluid-cloudnative/fluid/pkg/common"
-	"github.com/fluid-cloudnative/fluid/pkg/utils"
+	"github.com/fluid-cloudnative/fluid/pkg/utils/kubeclient"
 )
 
 func (j *JuiceFSEngine) transformFuse(runtime *datav1alpha1.JuiceFSRuntime, dataset *datav1alpha1.Dataset, value *JuiceFS) (err error) {
@@ -53,7 +53,7 @@ func (j *JuiceFSEngine) transformFuse(runtime *datav1alpha1.JuiceFSRuntime, data
 	for _, encryptOption := range mount.EncryptOptions {
 		key := encryptOption.Name
 		secretKeyRef := encryptOption.ValueFrom.SecretKeyRef
-		secret, err := utils.GetSecret(j.Client, secretKeyRef.Name, j.namespace)
+		secret, err := kubeclient.GetSecret(j.Client, secretKeyRef.Name, j.namespace)
 		if err != nil {
 			j.Log.Info("can't get the secret",
 				"namespace", j.namespace,

diff --git a/pkg/utils/secret.go → pkg/utils/kubeclient/secret.go b/pkg/utils/secret.go → pkg/utils/kubeclient/secret.go
@@ -13,9 +13,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-//TODO(TrafalgarZZZ): Move secret.go to pkg/utils/kubeclient
-
-package utils
+package kubeclient
 
 import (
 	"context"
@@ -38,3 +36,17 @@ func GetSecret(client client.Client, name, namespace string) (*v1.Secret, error)
 	}
 	return &secret, nil
 }
+
+func CreateSecret(client client.Client, secret *v1.Secret) error {
+	if err := client.Create(context.TODO(), secret); err != nil {
+		return err
+	}
+	return nil
+}
+
+func UpdateSecret(client client.Client, secret *v1.Secret) error {
+	if err := client.Update(context.TODO(), secret); err != nil {
+		return err
+	}
+	return nil
+}