From 7a5e3fe223641a13f0910d12ae4db84da480dd48 Mon Sep 17 00:00:00 2001
From: Antonin Bas
Date: Tue, 8 Mar 2022 14:02:18 -0800
Subject: [PATCH] Unconditionally sync CA cert for Controller webhooks
Webhooks are used by other features besided AntreaPolicy. At the moment, if someone tries to disable AnteraPolicy and enable Egress for example, the webhooks would not be using the correct CA cert and the Egress API would not be usable. Given that we unconditionally create these webhooks in the Antrea deployment manifest, it makes sense to unconditionally sync the CA cert for them.
Signed-off-by: Antonin Bas
---
 .../certificate/cacert_controller.go | 20 +++++++++----------
 1 file changed, 9 insertions(+), 11 deletions(-)
diff --git a/pkg/apiserver/certificate/cacert_controller.go b/pkg/apiserver/certificate/cacert_controller.go
index db27fb702f3..0de71e59ba4 100644
--- a/pkg/apiserver/certificate/cacert_controller.go
+++ b/pkg/apiserver/certificate/cacert_controller.go
@@ -34,7 +34,6 @@ import (
 "k8s.io/klog/v2"
 "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
- "antrea.io/antrea/pkg/features"
 "antrea.io/antrea/pkg/util/env"
 )
@@ -118,17 +117,16 @@ func (c *CACertController) syncCACert() error {
 return err
 }
- if features.DefaultFeatureGate.Enabled(features.AntreaPolicy) {
- if err := c.syncMutatingWebhooks(caCert); err != nil {
- return err
- }
- if err := c.syncValidatingWebhooks(caCert); err != nil {
- return err
- }
- if err := c.syncConversionWebhooks(caCert); err != nil {
- return err
- }
+ if err := c.syncMutatingWebhooks(caCert); err != nil {
+ return err
+ }
+ if err := c.syncValidatingWebhooks(caCert); err != nil {
+ return err
 }
+ if err := c.syncConversionWebhooks(caCert); err != nil {
+ return err
+ }
+
 return nil
 }
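Review bot: The three sync calls on the new side of the second hunk still return on the first error, and with the AntreaPolicy gate removed that short-circuit now applies to every configuration: a persistent failure in `syncMutatingWebhooks` would leave the validating and conversion webhooks with an out-of-date CA bundle. The bodies of the sync functions and the webhooks' failure policy are not visible here, so the effect is inferred, but a webhook whose CA bundle no longer matches the serving certificate generally either blocks the API calls it guards or, if configured to ignore failures, lets them through unvalidated. Consider attempting all three updates and then returning the first error, as sketched below. A short comment above the calls, saying that the webhooks are created unconditionally by the deployment manifest and serve features other than AntreaPolicy, would help keep the gate from being reintroduced. `syncCACert` starts before this hunk.

```go
	// … unchanged: earlier part of syncCACert, outside the hunk …

	// Attempt every webhook type so that one failing update does not leave
	// the others with a stale CA bundle; report the first error afterwards.
	errMutating := c.syncMutatingWebhooks(caCert)
	errValidating := c.syncValidatingWebhooks(caCert)
	errConversion := c.syncConversionWebhooks(caCert)
	for _, err := range []error{errMutating, errValidating, errConversion} {
		if err != nil {
			return err
		}
	}

	return nil
```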