check CA bundle injection for readiness

Signed-off-by: Wei Weng <[email protected]>

Author: Wei Weng

cmd/hubagent/main.go

@@ -20,6 +20,7 @@ import (
 	"flag"
 	"fmt"
 	"math"
+	"net/http"
 	"os"
 	"strings"
 	"sync"
@@ -157,11 +158,25 @@ func main() {
 
 	if opts.EnableWebhook {
 		whiteListedUsers := strings.Split(opts.WhiteListedUsers, ",")
-		if err := SetupWebhook(mgr, options.WebhookClientConnectionType(opts.WebhookClientConnectionType), opts.WebhookServiceName, whiteListedUsers,
-			opts.EnableGuardRail, opts.EnableV1Beta1APIs, opts.DenyModifyMemberClusterLabels, opts.EnableWorkload, opts.NetworkingAgentsEnabled, opts.UseCertManager, opts.WebhookCertDir, opts.WebhookCertName, opts.WebhookCertSecretName); err != nil {
+		webhookConfig, err := SetupWebhook(mgr, options.WebhookClientConnectionType(opts.WebhookClientConnectionType), opts.WebhookServiceName, whiteListedUsers,
+			opts.EnableGuardRail, opts.EnableV1Beta1APIs, opts.DenyModifyMemberClusterLabels, opts.EnableWorkload, opts.NetworkingAgentsEnabled, opts.UseCertManager, opts.WebhookCertDir, opts.WebhookCertName, opts.WebhookCertSecretName)
+		if err != nil {
 			klog.ErrorS(err, "unable to set up webhook")
 			exitWithErrorFunc()
 		}
+
+		// When using cert-manager, add a readiness check to ensure CA bundles are injected before marking ready.
+		// This prevents the pod from accepting traffic before cert-manager has populated the webhook CA bundles,
+		// which would cause webhook calls to fail.
+		if opts.UseCertManager {
+			if err := mgr.AddReadyzCheck("cert-manager-ca-injection", func(req *http.Request) error {
+				return webhookConfig.CheckCAInjection(req.Context())
+			}); err != nil {
+				klog.ErrorS(err, "unable to set up cert-manager CA injection readiness check")
+				exitWithErrorFunc()
+			}
+			klog.V(2).InfoS("Added cert-manager CA injection readiness check")
+		}
 	}
 
 	ctx := ctrl.SetupSignalHandler()
@@ -200,21 +215,22 @@ func main() {
 }
 
 // SetupWebhook generates the webhook cert and then set up the webhook configurator.
+// Returns the webhook Config so it can be used for readiness checks.
 func SetupWebhook(mgr manager.Manager, webhookClientConnectionType options.WebhookClientConnectionType, webhookServiceName string,
-	whiteListedUsers []string, enableGuardRail, isFleetV1Beta1API bool, denyModifyMemberClusterLabels bool, enableWorkload bool, networkingAgentsEnabled bool, useCertManager bool, webhookCertDir string, webhookCertName string, webhookCertSecretName string) error {
+	whiteListedUsers []string, enableGuardRail, isFleetV1Beta1API bool, denyModifyMemberClusterLabels bool, enableWorkload bool, networkingAgentsEnabled bool, useCertManager bool, webhookCertDir string, webhookCertName string, webhookCertSecretName string) (*webhook.Config, error) {
 	// Generate self-signed key and crt files in webhookCertDir for the webhook server to start.
 	w, err := webhook.NewWebhookConfig(mgr, webhookServiceName, FleetWebhookPort, &webhookClientConnectionType, webhookCertDir, enableGuardRail, denyModifyMemberClusterLabels, enableWorkload, useCertManager, webhookCertName, webhookCertSecretName)
 	if err != nil {
 		klog.ErrorS(err, "fail to generate WebhookConfig")
-		return err
+		return nil, err
 	}
 	if err = mgr.Add(w); err != nil {
 		klog.ErrorS(err, "unable to add WebhookConfig")
-		return err
+		return nil, err
 	}
 	if err = webhook.AddToManager(mgr, whiteListedUsers, denyModifyMemberClusterLabels, networkingAgentsEnabled); err != nil {
 		klog.ErrorS(err, "unable to register webhooks to the manager")
-		return err
+		return nil, err
 	}
-	return nil
+	return w, nil
 }

pkg/webhook/webhook.go

@@ -219,6 +219,56 @@ func (w *Config) Start(ctx context.Context) error {
 	return nil
 }
 
+// CheckCAInjection verifies that cert-manager has injected the CA bundle into all webhook configurations.
+// This is used as a readiness check when useCertManager is enabled.
+// Returns nil when CA bundles are injected, or an error if they are missing.
+func (w *Config) CheckCAInjection(ctx context.Context) error {
+	if !w.useCertManager {
+		// Not using cert-manager, no need to check
+		return nil
+	}
+
+	cl := w.mgr.GetClient()
+
+	// Check mutating webhook configuration
+	var mutatingCfg admv1.MutatingWebhookConfiguration
+	if err := cl.Get(ctx, client.ObjectKey{Name: fleetMutatingWebhookCfgName}, &mutatingCfg); err != nil {
+		return fmt.Errorf("failed to get MutatingWebhookConfiguration %s: %w", fleetMutatingWebhookCfgName, err)
+	}
+	for _, webhook := range mutatingCfg.Webhooks {
+		if len(webhook.ClientConfig.CABundle) == 0 {
+			return fmt.Errorf("MutatingWebhookConfiguration %s webhook %s is missing CA bundle (cert-manager injection pending)", fleetMutatingWebhookCfgName, webhook.Name)
+		}
+	}
+
+	// Check validating webhook configuration
+	var validatingCfg admv1.ValidatingWebhookConfiguration
+	if err := cl.Get(ctx, client.ObjectKey{Name: fleetValidatingWebhookCfgName}, &validatingCfg); err != nil {
+		return fmt.Errorf("failed to get ValidatingWebhookConfiguration %s: %w", fleetValidatingWebhookCfgName, err)
+	}
+	for _, webhook := range validatingCfg.Webhooks {
+		if len(webhook.ClientConfig.CABundle) == 0 {
+			return fmt.Errorf("ValidatingWebhookConfiguration %s webhook %s is missing CA bundle (cert-manager injection pending)", fleetValidatingWebhookCfgName, webhook.Name)
+		}
+	}
+
+	// Check guard rail webhook configuration if enabled
+	if w.enableGuardRail {
+		var guardRailCfg admv1.ValidatingWebhookConfiguration
+		if err := cl.Get(ctx, client.ObjectKey{Name: fleetGuardRailWebhookCfgName}, &guardRailCfg); err != nil {
+			return fmt.Errorf("failed to get ValidatingWebhookConfiguration %s: %w", fleetGuardRailWebhookCfgName, err)
+		}
+		for _, webhook := range guardRailCfg.Webhooks {
+			if len(webhook.ClientConfig.CABundle) == 0 {
+				return fmt.Errorf("ValidatingWebhookConfiguration %s webhook %s is missing CA bundle (cert-manager injection pending)", fleetGuardRailWebhookCfgName, webhook.Name)
+			}
+		}
+	}
+
+	klog.V(2).InfoS("All webhook configurations have CA bundles injected by cert-manager")
+	return nil
+}
+
 // createFleetWebhookConfiguration creates the ValidatingWebhookConfiguration object for the webhook.
 func (w *Config) createFleetWebhookConfiguration(ctx context.Context) error {
 	if err := w.createMutatingWebhookConfiguration(ctx, w.buildFleetMutatingWebhooks(), fleetMutatingWebhookCfgName); err != nil {

pkg/webhook/webhook_test.go

@@ -1,20 +1,25 @@
 package webhook
 
 import (
+	"context"
 	"strings"
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/stretchr/testify/assert"
+	admv1 "k8s.io/api/admissionregistration/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 
 	"github.com/kubefleet-dev/kubefleet/cmd/hubagent/options"
 	"github.com/kubefleet-dev/kubefleet/pkg/utils"
+	testmanager "github.com/kubefleet-dev/kubefleet/test/utils/manager"
 )
 
-const testWebhookServiceName = "test-webhook"
-
 func TestBuildFleetMutatingWebhooks(t *testing.T) {
 	url := options.WebhookClientConnectionType("url")
 	testCases := map[string]struct {
@@ -340,3 +345,250 @@ func TestCreateClientConfig(t *testing.T) {
 		})
 	}
 }
+
+func TestCheckCAInjection(t *testing.T) {
+	testCases := map[string]struct {
+		config           Config
+		existingObjects  []client.Object
+		expectError      bool
+		expectedErrorMsg string
+	}{
+		"useCertManager is false - returns nil without checking": {
+			config: Config{
+				useCertManager:  false,
+				enableGuardRail: false,
+			},
+			expectError: false,
+		},
+		"useCertManager is true, all CA bundles present": {
+			config: Config{
+				useCertManager:  true,
+				enableGuardRail: false,
+			},
+			existingObjects: []client.Object{
+				&admv1.MutatingWebhookConfiguration{
+					ObjectMeta: metav1.ObjectMeta{Name: fleetMutatingWebhookCfgName},
+					Webhooks: []admv1.MutatingWebhook{
+						{
+							Name: "test-mutating-webhook",
+							ClientConfig: admv1.WebhookClientConfig{
+								CABundle: []byte("fake-ca-bundle"),
+							},
+						},
+					},
+				},
+				&admv1.ValidatingWebhookConfiguration{
+					ObjectMeta: metav1.ObjectMeta{Name: fleetValidatingWebhookCfgName},
+					Webhooks: []admv1.ValidatingWebhook{
+						{
+							Name: "test-validating-webhook-1",
+							ClientConfig: admv1.WebhookClientConfig{
+								CABundle: []byte("fake-ca-bundle"),
+							},
+						},
+						{
+							Name: "test-validating-webhook-2",
+							ClientConfig: admv1.WebhookClientConfig{
+								CABundle: []byte("fake-ca-bundle"),
+							},
+						},
+					},
+				},
+			},
+			expectError: false,
+		},
+		"useCertManager is true, mutating webhook missing CA bundle": {
+			config: Config{
+				useCertManager:  true,
+				enableGuardRail: false,
+			},
+			existingObjects: []client.Object{
+				&admv1.MutatingWebhookConfiguration{
+					ObjectMeta: metav1.ObjectMeta{Name: fleetMutatingWebhookCfgName},
+					Webhooks: []admv1.MutatingWebhook{
+						{
+							Name: "test-mutating-webhook",
+							ClientConfig: admv1.WebhookClientConfig{
+								CABundle: nil, // Missing CA bundle
+							},
+						},
+					},
+				},
+				&admv1.ValidatingWebhookConfiguration{
+					ObjectMeta: metav1.ObjectMeta{Name: fleetValidatingWebhookCfgName},
+					Webhooks: []admv1.ValidatingWebhook{
+						{
+							Name: "test-validating-webhook",
+							ClientConfig: admv1.WebhookClientConfig{
+								CABundle: []byte("fake-ca-bundle"),
+							},
+						},
+					},
+				},
+			},
+			expectError:      true,
+			expectedErrorMsg: "test-mutating-webhook is missing CA bundle",
+		},
+		"useCertManager is true, validating webhook missing CA bundle": {
+			config: Config{
+				useCertManager:  true,
+				enableGuardRail: false,
+			},
+			existingObjects: []client.Object{
+				&admv1.MutatingWebhookConfiguration{
+					ObjectMeta: metav1.ObjectMeta{Name: fleetMutatingWebhookCfgName},
+					Webhooks: []admv1.MutatingWebhook{
+						{
+							Name: "test-mutating-webhook",
+							ClientConfig: admv1.WebhookClientConfig{
+								CABundle: []byte("fake-ca-bundle"),
+							},
+						},
+					},
+				},
+				&admv1.ValidatingWebhookConfiguration{
+					ObjectMeta: metav1.ObjectMeta{Name: fleetValidatingWebhookCfgName},
+					Webhooks: []admv1.ValidatingWebhook{
+						{
+							Name: "test-validating-webhook-1",
+							ClientConfig: admv1.WebhookClientConfig{
+								CABundle: []byte("fake-ca-bundle"),
+							},
+						},
+						{
+							Name: "test-validating-webhook-2",
+							ClientConfig: admv1.WebhookClientConfig{
+								CABundle: []byte{}, // Empty CA bundle
+							},
+						},
+					},
+				},
+			},
+			expectError:      true,
+			expectedErrorMsg: "test-validating-webhook-2 is missing CA bundle",
+		},
+		"useCertManager is true with guard rail, all CA bundles present": {
+			config: Config{
+				useCertManager:  true,
+				enableGuardRail: true,
+			},
+			existingObjects: []client.Object{
+				&admv1.MutatingWebhookConfiguration{
+					ObjectMeta: metav1.ObjectMeta{Name: fleetMutatingWebhookCfgName},
+					Webhooks: []admv1.MutatingWebhook{
+						{
+							Name: "test-mutating-webhook",
+							ClientConfig: admv1.WebhookClientConfig{
+								CABundle: []byte("fake-ca-bundle"),
+							},
+						},
+					},
+				},
+				&admv1.ValidatingWebhookConfiguration{
+					ObjectMeta: metav1.ObjectMeta{Name: fleetValidatingWebhookCfgName},
+					Webhooks: []admv1.ValidatingWebhook{
+						{
+							Name: "test-validating-webhook",
+							ClientConfig: admv1.WebhookClientConfig{
+								CABundle: []byte("fake-ca-bundle"),
+							},
+						},
+					},
+				},
+				&admv1.ValidatingWebhookConfiguration{
+					ObjectMeta: metav1.ObjectMeta{Name: fleetGuardRailWebhookCfgName},
+					Webhooks: []admv1.ValidatingWebhook{
+						{
+							Name: "test-guard-rail-webhook",
+							ClientConfig: admv1.WebhookClientConfig{
+								CABundle: []byte("fake-ca-bundle"),
+							},
+						},
+					},
+				},
+			},
+			expectError: false,
+		},
+		"useCertManager is true with guard rail, guard rail webhook missing CA bundle": {
+			config: Config{
+				useCertManager:  true,
+				enableGuardRail: true,
+			},
+			existingObjects: []client.Object{
+				&admv1.MutatingWebhookConfiguration{
+					ObjectMeta: metav1.ObjectMeta{Name: fleetMutatingWebhookCfgName},
+					Webhooks: []admv1.MutatingWebhook{
+						{
+							Name: "test-mutating-webhook",
+							ClientConfig: admv1.WebhookClientConfig{
+								CABundle: []byte("fake-ca-bundle"),
+							},
+						},
+					},
+				},
+				&admv1.ValidatingWebhookConfiguration{
+					ObjectMeta: metav1.ObjectMeta{Name: fleetValidatingWebhookCfgName},
+					Webhooks: []admv1.ValidatingWebhook{
+						{
+							Name: "test-validating-webhook",
+							ClientConfig: admv1.WebhookClientConfig{
+								CABundle: []byte("fake-ca-bundle"),
+							},
+						},
+					},
+				},
+				&admv1.ValidatingWebhookConfiguration{
+					ObjectMeta: metav1.ObjectMeta{Name: fleetGuardRailWebhookCfgName},
+					Webhooks: []admv1.ValidatingWebhook{
+						{
+							Name: "test-guard-rail-webhook",
+							ClientConfig: admv1.WebhookClientConfig{
+								CABundle: nil, // Missing CA bundle
+							},
+						},
+					},
+				},
+			},
+			expectError:      true,
+			expectedErrorMsg: "test-guard-rail-webhook is missing CA bundle",
+		},
+		"useCertManager is true, webhook configuration not found": {
+			config: Config{
+				useCertManager:  true,
+				enableGuardRail: false,
+			},
+			existingObjects:  []client.Object{},
+			expectError:      true,
+			expectedErrorMsg: "failed to get MutatingWebhookConfiguration",
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			// Create a fake client with a proper scheme
+			scheme := runtime.NewScheme()
+			_ = admv1.AddToScheme(scheme)
+			fakeClient := fake.NewClientBuilder().
+				WithScheme(scheme).
+				WithObjects(tc.existingObjects...).
+				Build()
+
+			// Create a fake manager that returns our fake client
+			tc.config.mgr = &testmanager.FakeManager{Client: fakeClient}
+
+			err := tc.config.CheckCAInjection(context.Background())
+
+			if tc.expectError {
+				if err == nil {
+					t.Errorf("Expected error but got nil")
+				} else if !strings.Contains(err.Error(), tc.expectedErrorMsg) {
+					t.Errorf("Expected error message to contain %q, but got: %v", tc.expectedErrorMsg, err)
+				}
+			} else {
+				if err != nil {
+					t.Errorf("Expected no error but got: %v", err)
+				}
+			}
+		})
+	}
+}