Merge pull request #950 from rollandf/webhookport

fix: support webhook network policy port env

Author: zeeke

bindata/manifests/operator-webhook/004-networkpolicy.yaml

@@ -10,11 +10,11 @@ spec:
   ingress:
   - ports:
     - protocol: TCP
-      port: 6443
+      port: {{.OperatorWebhookNetworkPolicyPort}}
   egress:
   - ports:
     - protocol: TCP
-      port: 6443
+      port: {{.OperatorWebhookNetworkPolicyPort}}
   policyTypes:
   - Ingress
   - Egress

bindata/manifests/webhook/005-networkpolicy.yaml

@@ -10,11 +10,11 @@ spec:
   ingress:
   - ports:
     - protocol: TCP
-      port: 6443
+      port: {{.InjectorWebhookNetworkPolicyPort}}
   egress:
   - ports:
     - protocol: TCP
-      port: 6443
+      port: {{.InjectorWebhookNetworkPolicyPort}}
   policyTypes:
   - Ingress
   - Egress

controllers/sriovoperatorconfig_controller.go

@@ -311,6 +311,18 @@ func (r *SriovOperatorConfigReconciler) syncWebhookObjs(ctx context.Context, dc
 		data.Data["InjectorWebhookSecretName"] = os.Getenv("ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_SECRET_NAME")
 		data.Data["InjectorWebhookCA"] = os.Getenv("ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_CA_CRT")
 
+		operatorWebhookPort := os.Getenv("OPERATOR_WEBHOOK_NETWORK_POLICY_PORT")
+		if operatorWebhookPort == "" {
+			operatorWebhookPort = "6443"
+		}
+		data.Data["OperatorWebhookNetworkPolicyPort"] = operatorWebhookPort
+
+		injectorWebhookPort := os.Getenv("INJECTOR_WEBHOOK_NETWORK_POLICY_PORT")
+		if injectorWebhookPort == "" {
+			injectorWebhookPort = "6443"
+		}
+		data.Data["InjectorWebhookNetworkPolicyPort"] = injectorWebhookPort
+
 		data.Data["ExternalControlPlane"] = false
 		if r.PlatformHelper.IsOpenshiftCluster() {
 			external := r.PlatformHelper.IsHypershift()

controllers/suite_test.go

@@ -120,6 +120,10 @@ var _ = BeforeSuite(func() {
 	Expect(err).NotTo(HaveOccurred())
 	err = os.Setenv("ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_SECRET_NAME", "network-resources-injector-cert")
 	Expect(err).NotTo(HaveOccurred())
+	err = os.Setenv("OPERATOR_WEBHOOK_NETWORK_POLICY_PORT", "6443")
+	Expect(err).NotTo(HaveOccurred())
+	err = os.Setenv("INJECTOR_WEBHOOK_NETWORK_POLICY_PORT", "6443")
+	Expect(err).NotTo(HaveOccurred())
 	err = os.Setenv("SRIOV_CNI_IMAGE", "mock-image")
 	Expect(err).NotTo(HaveOccurred())
 	err = os.Setenv("SRIOV_INFINIBAND_CNI_IMAGE", "mock-image")

deployment/sriov-network-operator-chart/templates/operator.yaml

@@ -113,6 +113,10 @@ spec:
             - name: STALE_NODE_STATE_CLEANUP_DELAY_MINUTES
               value: "{{ .Values.operator.staleNodeStateCleanupDelayMinutes }}"
         {{- if .Values.operator.admissionControllers.enabled }}
+            - name: OPERATOR_WEBHOOK_NETWORK_POLICY_PORT
+              value: "{{ .Values.operator.admissionControllers.networkPolicy.operator.port }}"
+            - name: INJECTOR_WEBHOOK_NETWORK_POLICY_PORT
+              value: "{{ .Values.operator.admissionControllers.networkPolicy.injector.port }}"
             - name: ADMISSION_CONTROLLERS_CERTIFICATES_OPERATOR_SECRET_NAME
               value: {{ .Values.operator.admissionControllers.certificates.secretNames.operator }}
             - name: ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_SECRET_NAME

deployment/sriov-network-operator-chart/values.yaml

@@ -42,6 +42,11 @@ operator:
       deployRules: false
   admissionControllers:
     enabled: false
+    networkPolicy:
+      operator:
+        port: "6443"
+      injector:
+        port: "6443"
     certificates:
       secretNames:
         operator: "operator-webhook-cert"

hack/env.sh

@@ -51,3 +51,5 @@ export ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_CA_CRT=${ADMISSION_CONTROLLER
 export DEV_MODE=${DEV_MODE:-"FALSE"}
 export METRICS_EXPORTER_SECRET_NAME=${METRICS_EXPORTER_SECRET_NAME:-"metrics-exporter-cert"}
 export METRICS_EXPORTER_PORT=${METRICS_EXPORTER_PORT:-"9110"}
+export OPERATOR_WEBHOOK_NETWORK_POLICY_PORT=${OPERATOR_WEBHOOK_NETWORK_POLICY_PORT:-"6443"}
+export INJECTOR_WEBHOOK_NETWORK_POLICY_PORT=${INJECTOR_WEBHOOK_NETWORK_POLICY_PORT:-"6443"}

hack/run-e2e-conformance-virtual-ocp.sh

@@ -183,6 +183,8 @@ kubectl patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spe
 kubectl patch ingresscontrollers.operator.openshift.io/default -n openshift-ingress-operator --patch '{"spec":{"replicas": 1}}' --type=merge
 
 export ADMISSION_CONTROLLERS_ENABLED=true
+export OPERATOR_WEBHOOK_NETWORK_POLICY_PORT=${OPERATOR_WEBHOOK_NETWORK_POLICY_PORT:-"6443"}
+export INJECTOR_WEBHOOK_NETWORK_POLICY_PORT=${INJECTOR_WEBHOOK_NETWORK_POLICY_PORT:-"6443"}
 export SKIP_VAR_SET=""
 export NAMESPACE="openshift-sriov-network-operator"
 export OPERATOR_NAMESPACE=$NAMESPACE

hack/virtual-cluster-redeploy.sh

@@ -29,6 +29,8 @@ if [ $CLUSTER_TYPE == "openshift" ]; then
   podman login -u serviceaccount -p ${pass} $registry --tls-verify=false
 
   export ADMISSION_CONTROLLERS_ENABLED=true
+  export OPERATOR_WEBHOOK_NETWORK_POLICY_PORT=${OPERATOR_WEBHOOK_NETWORK_POLICY_PORT:-"6443"}
+  export INJECTOR_WEBHOOK_NETWORK_POLICY_PORT=${INJECTOR_WEBHOOK_NETWORK_POLICY_PORT:-"6443"}
   export SKIP_VAR_SET=""
   export NAMESPACE="openshift-sriov-network-operator"
   export OPERATOR_NAMESPACE=$NAMESPACE
@@ -62,6 +64,8 @@ else
 fi
 
 export ADMISSION_CONTROLLERS_ENABLED=true
+export OPERATOR_WEBHOOK_NETWORK_POLICY_PORT=${OPERATOR_WEBHOOK_NETWORK_POLICY_PORT:-"6443"}
+export INJECTOR_WEBHOOK_NETWORK_POLICY_PORT=${INJECTOR_WEBHOOK_NETWORK_POLICY_PORT:-"6443"}
 export SKIP_VAR_SET=""
 export OPERATOR_NAMESPACE=$NAMESPACE
 export OPERATOR_EXEC=kubectl