Skip to content

fix(VPA): Do not update webhook CA when registerWebhook is disabled #8249

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jun 20, 2025
Merged

fix(VPA): Do not update webhook CA when registerWebhook is disabled #8249

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 9 additions & 2 deletions vertical-pod-autoscaler/pkg/admission-controller/certs.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -68,8 +68,11 @@ func (cr *certReloader) start(stop <-chan struct{}) error {
if err = watcher.Add(cr.tlsKeyPath); err != nil {
return err
}
if err = watcher.Add(cr.clientCaPath); err != nil {
return err
// we watch the CA file ony when registerWebhook is enabled
if cr.mutatingWebhookClient != nil {
if err = watcher.Add(cr.clientCaPath); err != nil {
return err
}
}

go func() {
Expand Down Expand Up @@ -123,6 +126,10 @@ func (cr *certReloader) load() error {

func (cr *certReloader) reloadWebhookCA() error {
client := cr.mutatingWebhookClient
if client == nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correct me if I'm wrong, but in the current implementation, if the flag is off, then mutatingWebhookClient is set to nil, which means the reloadWebhookCA function will always return an error?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes but we don't watch the file when mutatingWebhookClient is nil so we should never call reloadWebhookCA().

Copy link
Contributor Author

@vflaux vflaux Jun 20, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I use mutatingWebhookClient as an indicator of whether registerWebhook is enabled, but introducing a new boolean variable in the struct certReloader might make the code clearer and easier to understand?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Understood. thanks! adding a comment above line 71 (https://github.com/kubernetes/autoscaler/pull/8249/files#diff-504643e3760ffc997b03797073b201284f6483f8276acd1cf9057c8734e9f5b9R71) will be enough.

// this should never happen as we don't watch the file if mutatingWebhookClient is nil
return fmt.Errorf("webhook client is not set")
}
webhook, err := client.Get(context.TODO(), webhookConfigName, metav1.GetOptions{})
if err != nil {
return err
Expand Down
7 changes: 6 additions & 1 deletion vertical-pod-autoscaler/pkg/admission-controller/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ import (
"github.com/spf13/pflag"
"k8s.io/client-go/informers"
kube_client "k8s.io/client-go/kubernetes"
typedadmregv1 "k8s.io/client-go/kubernetes/typed/admissionregistration/v1"
kube_flag "k8s.io/component-base/cli/flag"
"k8s.io/klog/v2"

Expand Down Expand Up @@ -141,9 +142,13 @@ func main() {
as.Serve(w, r)
healthCheck.UpdateLastActivity()
})
var mutatingWebhookClient typedadmregv1.MutatingWebhookConfigurationInterface
if *registerWebhook {
mutatingWebhookClient = kubeClient.AdmissionregistrationV1().MutatingWebhookConfigurations()
}
server := &http.Server{
Addr: fmt.Sprintf(":%d", *port),
TLSConfig: configTLS(*certsConfiguration, *minTlsVersion, *ciphers, stopCh, kubeClient.AdmissionregistrationV1().MutatingWebhookConfigurations()),
TLSConfig: configTLS(*certsConfiguration, *minTlsVersion, *ciphers, stopCh, mutatingWebhookClient),
}
url := fmt.Sprintf("%v:%v", *webhookAddress, *webhookPort)
ignoredNamespaces := strings.Split(commonFlags.IgnoredVpaObjectNamespaces, ",")
Expand Down
Loading