add: enable webhook patching with flag (kedacore#6396)

* add: enable webhook patching with flag

Signed-off-by: krishna sindhur <[email protected]>

* update: should enable/disable only the webhook

Signed-off-by: krishna sindhur <[email protected]>

* changelog: put webhook patching flag to 'New' section

Signed-off-by: Jan Wozniak <[email protected]>

---------

Signed-off-by: krishna sindhur <[email protected]>
Signed-off-by: Jan Wozniak <[email protected]>
Co-authored-by: krishna sindhur <[email protected]>
Co-authored-by: Jan Wozniak <[email protected]>

CHANGELOG.md

@@ -60,6 +60,7 @@ To learn more about active deprecations, we recommend checking [GitHub Discussio
 
 - **General**: Enable OpenSSF Scorecard to enhance security practices across the project ([#5913](https://github.com/kedacore/keda/issues/5913))
 - **General**: Introduce new NSQ scaler ([#3281](https://github.com/kedacore/keda/issues/3281))
+- **General**: Operator flag to control patching of webhook resources certificates ([#6184](https://github.com/kedacore/keda/issues/6184))
 
 #### Experimental
 

cmd/operator/main.go

@@ -85,6 +85,7 @@ func main() {
 	var enableCertRotation bool
 	var validatingWebhookName string
 	var caDirs []string
+	var enableWebhookPatching bool
 	pflag.BoolVar(&enablePrometheusMetrics, "enable-prometheus-metrics", true, "Enable the prometheus metric of keda-operator.")
 	pflag.BoolVar(&enableOpenTelemetryMetrics, "enable-opentelemetry-metrics", false, "Enable the opentelemetry metric of keda-operator.")
 	pflag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the prometheus metric endpoint binds to.")
@@ -107,6 +108,7 @@ func main() {
 	pflag.BoolVar(&enableCertRotation, "enable-cert-rotation", false, "enable automatic generation and rotation of TLS certificates/keys")
 	pflag.StringVar(&validatingWebhookName, "validating-webhook-name", "keda-admission", "ValidatingWebhookConfiguration name. Defaults to keda-admission")
 	pflag.StringArrayVar(&caDirs, "ca-dir", []string{"/custom/ca"}, "Directory with CA certificates for scalers to authenticate TLS connections. Can be specified multiple times. Defaults to /custom/ca")
+	pflag.BoolVar(&enableWebhookPatching, "enable-webhook-patching", true, "Enable patching of webhook resources. Defaults to true.")
 	opts := zap.Options{}
 	opts.BindFlags(flag.CommandLine)
 	pflag.CommandLine.AddGoFlagSet(flag.CommandLine)
@@ -305,6 +307,7 @@ func main() {
 			APIServiceName:        "v1beta1.external.metrics.k8s.io",
 			Logger:                setupLog,
 			Ready:                 certReady,
+			EnableWebhookPatching: enableWebhookPatching,
 		}
 		if err := certManager.AddCertificateRotation(ctx, mgr); err != nil {
 			setupLog.Error(err, "unable to set up cert rotation")

pkg/certificates/certificate_manager.go

@@ -50,21 +50,29 @@ type CertManager struct {
 	APIServiceName        string
 	Logger                logr.Logger
 	Ready                 chan struct{}
+	EnableWebhookPatching bool
 }
 
 // AddCertificateRotation registers all needed services to generate the certificates and patches needed resources with the caBundle
 func (cm CertManager) AddCertificateRotation(ctx context.Context, mgr manager.Manager) error {
-	var rotatorHooks = []rotator.WebhookInfo{
-		{
-			Name: cm.ValidatingWebhookName,
-			Type: rotator.Validating,
-		},
+	rotatorHooks := []rotator.WebhookInfo{
 		{
 			Name: cm.APIServiceName,
 			Type: rotator.APIService,
 		},
 	}
 
+	if cm.EnableWebhookPatching {
+		rotatorHooks = append(rotatorHooks,
+			rotator.WebhookInfo{
+				Name: cm.ValidatingWebhookName,
+				Type: rotator.Validating,
+			},
+		)
+	} else {
+		cm.Logger.V(1).Info("Webhook patching is disabled, skipping webhook certificates")
+	}
+
 	err := cm.ensureSecret(ctx, mgr, cm.SecretName)
 	if err != nil {
 		return err