fix: configure webhook to ignore kube-system

enocom · enocom · commit 8d0ae3dbf6ee · 2023-12-08T09:43:43.000-07:00
Fixes #461.
diff --git a/config/crd/bases/cloudsql.cloud.google.com_authproxyworkloads.yaml b/config/crd/bases/cloudsql.cloud.google.com_authproxyworkloads.yaml
@@ -15,7 +15,8 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.13.0
+    controller-gen.kubebuilder.io/version: v0.9.2
+  creationTimestamp: null
   name: authproxyworkloads.cloudsql.cloud.google.com
 spec:
   group: cloudsql.cloud.google.com
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -14,6 +14,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  creationTimestamp: null
   name: manager-role
 rules:
   - apiGroups:
diff --git a/config/webhook/core_webhook.yaml b/config/webhook/core_webhook.yaml
@@ -39,6 +39,12 @@ webhooks:
     failurePolicy: Ignore
     name: pods.proxy.cloudsql.google.com
     matchPolicy: Equivalent
+    namespaceSelector:
+      matchExpressions:
+        - key: kubernetes.io/metadata.name
+          operator: NotIn
+          values:
+            - kube-system
     rules:
       - apiGroups:
           - ""
diff --git a/docs/api.md b/docs/api.md
@@ -49,7 +49,9 @@ _Appears in:_
 | `maxConnections` _integer_ | MaxConnections limits the number of connections. Default value is no limit. This sets the proxy container's CLI argument `--max-connections` |
 | `maxSigtermDelay` _integer_ | MaxSigtermDelay is the maximum number of seconds to wait for connections to close after receiving a TERM signal. This sets the proxy container's CLI argument `--max-sigterm-delay` and configures `terminationGracePeriodSeconds` on the workload's PodSpec. |
 | `sqlAdminAPIEndpoint` _string_ | SQLAdminAPIEndpoint is a debugging parameter that when specified will change the Google Cloud api endpoint used by the proxy. |
-| `image` _string_ | Image is the URL to the proxy image. Optional, by default the operator will use the latest Cloud SQL Auth Proxy version as of the release of the operator. <br /><br /> The operator ensures that all workloads configured with the default proxy image are upgraded automatically to use to the latest released proxy image. <br /><br /> When the customer upgrades the operator, the operator upgrades all workloads using the default proxy image to the latest proxy image. The change to the proxy container image is applied in accordance with the RolloutStrategy. |
+| `image` _string_ | Image is the URL to the proxy image. Optional, by default the operator will use the latest Cloud SQL Auth Proxy version as of the release of the operator. 
+ The operator ensures that all workloads configured with the default proxy image are upgraded automatically to use to the latest released proxy image. 
+ When the customer upgrades the operator, the operator upgrades all workloads using the default proxy image to the latest proxy image. The change to the proxy container image is applied in accordance with the RolloutStrategy. |
 | `rolloutStrategy` _string_ | RolloutStrategy indicates the strategy to use when rolling out changes to the workloads affected by the results. When this is set to `Workload`, changes to this resource will be automatically applied to a running Deployment, StatefulSet, DaemonSet, or ReplicaSet in accordance with the Strategy set on that workload. When this is set to `None`, the operator will take no action to roll out changes to affected workloads. `Workload` will be used by default if no value is set. See: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy |
 | `quiet` _boolean_ | Quiet configures the proxy's --quiet flag to limit the amount of logging generated by the proxy container. |
 
@@ -142,7 +144,7 @@ _Appears in:_
 | `prometheusNamespace` _string_ | PrometheusNamespace is used the provided Prometheus namespace for metrics This sets the proxy container's CLI argument `--prometheus-namespace` |
 | `telemetryProject` _string_ | TelemetryProject enables Cloud Monitoring and Cloud Trace with the provided project ID. This sets the proxy container's CLI argument `--telemetry-project` |
 | `telemetryPrefix` _string_ | TelemetryPrefix is the prefix for Cloud Monitoring metrics. This sets the proxy container's CLI argument `--telemetry-prefix` |
-| `telemetrySampleRate` _[int](#int)_ | TelemetrySampleRate is the Cloud Trace sample rate. A smaller number means more traces. This sets the proxy container's CLI argument `--telemetry-sample-rate` |
+| `telemetrySampleRate` _integer_ | TelemetrySampleRate is the Cloud Trace sample rate. A smaller number means more traces. This sets the proxy container's CLI argument `--telemetry-sample-rate` |
 | `httpPort` _integer_ | HTTPPort the port for Prometheus and health check server. This sets the proxy container's CLI argument `--http-port` |
 | `disableTraces` _boolean_ | DisableTraces disables Cloud Trace testintegration (used with telemetryProject) This sets the proxy container's CLI argument `--disable-traces` |
 | `disableMetrics` _boolean_ | DisableMetrics disables Cloud Monitoring testintegration (used with telemetryProject) This sets the proxy container's CLI argument `--disable-metrics` |
@@ -179,6 +181,7 @@ _Appears in:_
 | `version` _string_ |  |
 | `namespace` _string_ |  |
 | `name` _string_ |  |
-| `conditions` _[Condition](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#condition-v1-meta) array_ | Conditions show the status of the AuthProxyWorkload resource on this matching workload. <br /><br /> The "UpToDate" condition indicates that the proxy was successfully applied to all matching workloads. See ConditionUpToDate. |
+| `conditions` _[Condition](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#condition-v1-meta) array_ | Conditions show the status of the AuthProxyWorkload resource on this matching workload. 
+ The "UpToDate" condition indicates that the proxy was successfully applied to all matching workloads. See ConditionUpToDate. |
 
 
diff --git a/installer/cloud-sql-proxy-operator.yaml b/installer/cloud-sql-proxy-operator.yaml
@@ -24,7 +24,7 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     cert-manager.io/inject-ca-from: cloud-sql-proxy-operator-system/cloud-sql-proxy-operator-serving-cert
-    controller-gen.kubebuilder.io/version: v0.13.0
+    controller-gen.kubebuilder.io/version: v0.9.2
   name: authproxyworkloads.cloudsql.cloud.google.com
 spec:
   conversion:
@@ -1259,6 +1259,7 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  creationTimestamp: null
   name: cloud-sql-proxy-operator-manager-role
 rules:
   - apiGroups:
@@ -1605,6 +1606,12 @@ webhooks:
     failurePolicy: Ignore
     matchPolicy: Equivalent
     name: pods.proxy.cloudsql.google.com
+    namespaceSelector:
+      matchExpressions:
+        - key: kubernetes.io/metadata.name
+          operator: NotIn
+          values:
+            - kube-system
     rules:
       - apiGroups:
           - ""
diff --git a/internal/api/v1/zz_generated.deepcopy.go b/internal/api/v1/zz_generated.deepcopy.go
