use println for debugging because the logs arent printing

Author: eatwithforks

main.go

@@ -1,23 +1,21 @@
 package main
 
 import (
-	"go.uber.org/zap"
 	"flag"
+	"github.com/open-policy-agent/cert-controller/pkg/rotator"
+	"go.uber.org/zap"
 	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd/api"
 	"os"
-	"github.com/open-policy-agent/cert-controller/pkg/rotator"
-	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/apimachinery/pkg/runtime"
-	"sigs.k8s.io/controller-runtime/pkg/client/apiutil"
 	ctrl "sigs.k8s.io/controller-runtime"
-	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	"sigs.k8s.io/controller-runtime/pkg/client/apiutil"
 	"time"
 )
 
-// TODO: make all defaults "" and map loop to blow up when value is ""
-// TODO: call flag parse to maybe fix arguments
 var (
 	certDir        = flag.String("cert-dir", "", "The directory where certs are stored")
 	caName         = flag.String("ca-name", "", "The name of the ca cert")
@@ -29,17 +27,16 @@ var (
 	webhookName    = flag.String("webhook-name", "", "Your webhook name")
 )
 
-
-var webhooks = []rotator.WebhookInfo{
-	{
-		Name: *webhookName,
-		Type: rotator.Mutating, // Todo: allow selecting types
-	},
-}
-
 func main() {
 	flag.Parse()
 
+	var webhooks = []rotator.WebhookInfo{
+		{
+			Name: *webhookName,
+			Type: rotator.Mutating, // Todo: allow selecting types
+		},
+	}
+
 	// configure logging.
 	logger, _ := zap.NewDevelopment()
 

pkg/rotator/rotator.go

@@ -657,9 +657,11 @@ func (r *ReconcileWH) Reconcile(request reconcile.Request) (reconcile.Result, er
 		}
 
 		// Ensure certs on webhooks
+		fmt.Println("Starting cert injection")
 		if err := r.ensureCerts(artifacts.CertPEM); err != nil {
 			return reconcile.Result{}, err
 		}
+		fmt.Println("Finished cert injection")
 
 		// Set CAInjected if the reconciler has not exited early.
 		r.wasCAInjected.Store(true)
@@ -688,25 +690,32 @@ func (r *ReconcileWH) ensureCerts(certPem []byte) error {
 		updatedResource.SetGroupVersionKind(gvk)
 		if err := r.cache.Get(r.ctx, types.NamespacedName{Name: webhook.Name}, updatedResource); err != nil {
 			if k8sErrors.IsNotFound(err) {
+				fmt.Println("Webhook not found. Unable to update certificate.", err)
 				log.Error(err, "Webhook not found. Unable to update certificate.")
 				continue
 			}
 			anyError = err
 			log.Error(err, "Error getting webhook for certificate update.")
+			fmt.Println("Error getting webhook for certificate update.", err)
+
 			continue
 		}
 		if !updatedResource.GetDeletionTimestamp().IsZero() {
+			fmt.Println("Webhook is being deleted. Unable to update certificate")
 			log.Info("Webhook is being deleted. Unable to update certificate")
 			continue
 		}
 
 		log.Info("Ensuring CA cert", "name", webhook.Name, "gvk", gvk)
 		if err := injectCert(updatedResource, certPem, webhook.Type); err != nil {
+			fmt.Println("Unable to inject cert to webhook.:", err)
 			log.Error(err, "Unable to inject cert to webhook.")
 			anyError = err
 			continue
 		}
 		if err := r.writer.Update(r.ctx, updatedResource); err != nil {
+			fmt.Println("Error updating webhook with certificate:", err)
+
 			log.Error(err, "Error updating webhook with certificate")
 			anyError = err
 			continue

test.yaml

@@ -27,14 +27,14 @@ spec:
           readOnly: true
       - name: cert-controller
         args:
-          - cert-dir=/certs
-          - ca-name=foocaname
-          - secret-name=vpa-admission-controller-secret
-          - service-name=fooservice
-          - ca-organization=fooorg
-          - namespace=default
-          - dns-name=foo.bar.svc
-          - webhook-name=vpa-webhook-config
+          - -cert-dir=/certs
+          - -ca-name=foocaname
+          - -secret-name=vpa-admission-controller-secret
+          - -service-name=fooservice
+          - -ca-organization=fooorg
+          - -namespace=default
+          - -dns-name=foo.bar.svc
+          - -webhook-name=vpa-webhook-config
         imagePullPolicy: Never
         image: cert-controller
       volumes:
@@ -63,6 +63,7 @@ webhooks:
     operations:  ["CREATE"]
     resources:   ["pods"]
   clientConfig:
+    caBundle: Cg==
     service:
       namespace: default
       name: vpa-webhook
@@ -83,3 +84,5 @@ metadata:
   namespace: default
   annotations:
     samson/server_side_apply: 'true'
+
+# TODO: add clusterrole, clusterrolebinding, serviceaccount to read and update secrets and webhooks