[CLI] Add —disableWebhook in controller (#931)

Jeffwan · Copilot · web-flow · commit 6c325828b220 · 2025-04-08T15:18:59.000+08:00
* [CLI] Add —disableWebhook in controller

Signed-off-by: Jiaxin Shan &lt;seedjeffwan@gmail.com&gt;

* Disable webhook for some standalone controllers

Signed-off-by: Jiaxin Shan &lt;seedjeffwan@gmail.com&gt;

* Update cmd/controllers/main.go

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
Signed-off-by: Jiaxin Shan &lt;seedjeffwan@gmail.com&gt;

---------

Signed-off-by: Jiaxin Shan &lt;seedjeffwan@gmail.com&gt;
Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/cmd/controllers/main.go b/cmd/controllers/main.go
@@ -111,6 +111,7 @@ func main() {
 	var controllers string
 	var modeladapterSchedulerPolicy string
 	var enableRuntimeSidecar bool
+	var disableWebhook bool
 	var debugMode bool
 	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
@@ -136,6 +137,8 @@ func main() {
 	flag.StringVar(&modeladapterSchedulerPolicy, "model-adapter-scheduler-policy", modeladapter.DefaultModelAdapterSchedulerPolicy, "model-adapter-scheduler-policy is the name of the scheduler policy to use for model adapter controller.")
 	flag.BoolVar(&enableRuntimeSidecar, "enable-runtime-sidecar", false,
 		"If set, Runtime management API will be enabled for the metrics, model adapter and model downloading interactions, control plane will not talk to engine directly anymore")
+	flag.BoolVar(&disableWebhook, "disable-webhook", false,
+		"If set, mutation and validation webhook will be disabled, this will be only used in standalone setup mode for some controllers")
 	flag.BoolVar(&debugMode, "debug-mode", false,
 		"If set, control plane will talk to localhost nodePort for testing purpose")
 
@@ -178,9 +181,12 @@ func main() {
 
 	runtimeConfig := config.NewRuntimeConfig(enableRuntimeSidecar, debugMode, modeladapterSchedulerPolicy)
 
-	webhookServer := webhook.NewServer(webhook.Options{
-		TLSOpts: tlsOpts,
-	})
+	var webhookServer webhook.Server
+	if !disableWebhook {
+		webhookServer = webhook.NewServer(webhook.Options{
+			TLSOpts: tlsOpts,
+		})
+	}
 
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		Scheme: scheme,
@@ -240,9 +246,14 @@ func main() {
 
 	certsReady := make(chan struct{})
 
-	if err = cert.CertsManager(mgr, leaderElectionNamespace, certsReady); err != nil {
-		setupLog.Error(err, "unable to setup cert rotation")
-		os.Exit(1)
+	if disableWebhook {
+		setupLog.Info("Closing the certsReady channel because the webhook is disabled, this is to avoid blocking setupControllers")
+		close(certsReady)
+	} else {
+		if err = cert.CertsManager(mgr, leaderElectionNamespace, certsReady); err != nil {
+			setupLog.Error(err, "unable to setup cert rotation")
+			os.Exit(1)
+		}
 	}
 
 	// Initialize controllers
@@ -254,7 +265,7 @@ func main() {
 	// Cert won't be ready until manager starts, so start a goroutine here which
 	// will block until the cert is ready before setting up the controllers.
 	// Controllers who register after manager starts will start directly.
-	go setupControllers(mgr, runtimeConfig, certsReady)
+	go setupControllers(mgr, runtimeConfig, certsReady, disableWebhook)
 
 	//+kubebuilder:scaffold:builder
 
@@ -274,12 +285,15 @@ func main() {
 	}
 }
 
-func setupControllers(mgr ctrl.Manager, runtimeConfig config.RuntimeConfig, certsReady chan struct{}) {
+// TODO: if the argument list will grow, we should create a ControllerSetupOptions struct instead.
+func setupControllers(mgr ctrl.Manager, runtimeConfig config.RuntimeConfig, certsReady chan struct{}, disableWebhook bool) {
 	// The controllers won't work until the webhooks are operating,
 	// and the webhook won't work until the certs are all in places.
-	setupLog.Info("waiting for the cert generation to complete")
-	<-certsReady
-	setupLog.Info("certs ready")
+	if !disableWebhook {
+		setupLog.Info("waiting for the cert generation to complete")
+		<-certsReady
+		setupLog.Info("certs ready")
+	}
 
 	// Kind controller registration is encapsulated inside the pkg/controller/controller.go
 	// So here we can use more clean registration flow and there's no need to change logics in future.
@@ -288,8 +302,12 @@ func setupControllers(mgr ctrl.Manager, runtimeConfig config.RuntimeConfig, cert
 		os.Exit(1)
 	}
 
-	if err := apiwebhook.SetupBackendRuntimeWebhook(mgr); err != nil {
-		setupLog.Error(err, "unable to create webhook", "webhook", "Model")
-		os.Exit(1)
+	if !disableWebhook {
+		if err := apiwebhook.SetupBackendRuntimeWebhook(mgr); err != nil {
+			setupLog.Error(err, "unable to create webhook", "webhook", "Model")
+			os.Exit(1)
+		}
+	} else {
+		setupLog.Info("webhook setup skipped due to --disable-webhook flag")
 	}
 }
diff --git a/config/standalone/autoscaler-controller/patch.yaml b/config/standalone/autoscaler-controller/patch.yaml
@@ -13,4 +13,5 @@ spec:
             - --leader-election-id=aibrix-pod-autoscaler-controller
             - --health-probe-bind-address=:8081
             - --metrics-bind-address=0
-            - --controllers=pod-autoscaler-controller
+            - --controllers=pod-autoscaler-controller
+            - --disable-webhook
diff --git a/config/standalone/distributed-inference-controller/patch.yaml b/config/standalone/distributed-inference-controller/patch.yaml
@@ -13,4 +13,5 @@ spec:
             - --leader-election-id=aibrix-distributed-inference-controller
             - --health-probe-bind-address=:8081
             - --metrics-bind-address=0
-            - --controllers=distributed-inference-controller
+            - --controllers=distributed-inference-controller
+            - --disable-webhook
diff --git a/config/standalone/model-adapter-controller/kustomization.yaml b/config/standalone/model-adapter-controller/kustomization.yaml
@@ -6,6 +6,9 @@ resources:
   - ../../rbac/model
   - ../../rbac/controller-manager
   - ../../manager
+  # lora needs webhook manifest
+  - ../../webhook
+  - ../../internalcert
 
 # Adds namespace to all resources.
 namespace: aibrix-system
diff --git a/config/standalone/model-adapter-controller/patch.yaml b/config/standalone/model-adapter-controller/patch.yaml
@@ -13,4 +13,18 @@ spec:
             - --leader-election-id=aibrix-model-adapter-controller
             - --health-probe-bind-address=:8081
             - --metrics-bind-address=0
-            - --controllers=model-adapter-controller
+            - --controllers=model-adapter-controller
+          # following patch is from config/default/manager_webhook_patch.yaml
+          ports:
+            - containerPort: 9443
+              name: webhook-server
+              protocol: TCP
+          volumeMounts:
+            - mountPath: /tmp/k8s-webhook-server/serving-certs
+              name: cert
+              readOnly: true
+      volumes:
+        - name: cert
+          secret:
+            defaultMode: 420
+            secretName: webhook-server-cert
