OLS-1435: add validation webhook for OLSConfig CRD

Makefile

@@ -260,7 +260,7 @@ uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified
 
 .PHONY: deploy
 deploy: manifests kustomize yq ## Deploy controller to the K8s cluster specified in ~/.kube/config.
-	$(YQ) e -i ".patches[].patch |= sub(\"quay.io/openshift-lightspeed/lightspeed-operator:latest\", \"${IMG}\")" config/default/kustomization.yaml
+	$(YQ) e -i ".patches[0].patch |= sub(\"quay.io/openshift-lightspeed/lightspeed-operator:latest\", \"${IMG}\")" config/default/kustomization.yaml
 	$(KUSTOMIZE) build config/default | $(KUBECTL) apply -f -
 
 .PHONY: undeploy

PROJECT

@@ -20,4 +20,7 @@ resources:
   kind: OLSConfig
   path: github.com/openshift/lightspeed-operator/api/v1alpha1
   version: v1alpha1
+  webhooks:
+    validation: true
+    webhookVersion: v1
 version: "3"

bundle/manifests/lightspeed-operator-controller-manager-service_v1_service.yaml

@@ -15,6 +15,10 @@ metadata:
   name: lightspeed-operator-controller-manager-service
 spec:
   ports:
+  - name: webhook
+    port: 443
+    protocol: TCP
+    targetPort: webhook
   - name: metrics
     port: 8443
     protocol: TCP

bundle/manifests/lightspeed-operator-webhook-service_v1_service.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.openshift.io/serving-cert-secret-name: webhook-server-cert
+  creationTimestamp: null
+  labels:
+    app.kubernetes.io/component: webhook
+    app.kubernetes.io/created-by: lightspeed-operator
+    app.kubernetes.io/instance: webhook-service
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: service
+    app.kubernetes.io/part-of: lightspeed-operator
+  name: lightspeed-operator-webhook-service
+spec:
+  ports:
+  - name: webhook
+    port: 443
+    protocol: TCP
+    targetPort: webhook
+  selector:
+    control-plane: controller-manager
+status:
+  loadBalancer: {}

bundle/manifests/lightspeed-operator.clusterserviceversion.yaml

@@ -601,6 +601,9 @@ spec:
                       periodSeconds: 20
                     name: manager
                     ports:
+                      - containerPort: 9443
+                        name: webhook
+                        protocol: TCP
                       - containerPort: 8443
                         name: metrics
                         protocol: TCP
@@ -624,6 +627,9 @@ spec:
                           - ALL
                       readOnlyRootFilesystem: true
                     volumeMounts:
+                      - mountPath: /tmp/k8s-webhook-server/serving-certs
+                        name: webhook-cert
+                        readOnly: true
                       - mountPath: /etc/tls/private
                         name: controller-manager-tls
                         readOnly: true
@@ -632,6 +638,10 @@ spec:
                 serviceAccountName: lightspeed-operator-controller-manager
                 terminationGracePeriodSeconds: 10
                 volumes:
+                  - name: webhook-cert
+                    secret:
+                      defaultMode: 420
+                      secretName: webhook-server-cert
                   - name: controller-manager-tls
                     secret:
                       secretName: controller-manager-tls
@@ -700,6 +710,27 @@ spec:
     name: Red Hat, Inc
     url: https://github.com/openshift/lightspeed-service
   version: 1.0.4
+  webhookdefinitions:
+    - admissionReviewVersions:
+        - v1
+      containerPort: 443
+      deploymentName: lightspeed-operator-controller-manager
+      failurePolicy: Fail
+      generateName: volsconfig.kb.io
+      rules:
+        - apiGroups:
+            - ols.openshift.io
+          apiVersions:
+            - v1alpha1
+          operations:
+            - CREATE
+            - UPDATE
+          resources:
+            - olsconfigs
+      sideEffects: None
+      targetPort: webhook
+      type: ValidatingAdmissionWebhook
+      webhookPath: /validate-ols-openshift-io-v1alpha1-olsconfig
   relatedImages:
     - name: lightspeed-service-api
       image: quay.io/openshift-lightspeed/lightspeed-service-api:latest

cmd/main.go

@@ -53,6 +53,7 @@ import (
 
 	"github.com/openshift/lightspeed-operator/internal/controller"
 	utiltls "github.com/openshift/lightspeed-operator/internal/tls"
+	"github.com/openshift/lightspeed-operator/internal/webhook"
 	//+kubebuilder:scaffold:imports
 )
 
@@ -267,6 +268,10 @@ func main() {
 		setupLog.Error(err, "unable to create controller", "controller", "OLSConfig")
 		os.Exit(1)
 	}
+	if err = webhook.SetupWebhookWithManager(mgr, mgr.GetClient(), namespace); err != nil {
+		setupLog.Error(err, "unable to create webhook", "webhook", "OLSConfig")
+		os.Exit(1)
+	}
 	//+kubebuilder:scaffold:builder
 
 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {

config/crd/kustomization.yaml

@@ -5,15 +5,15 @@ resources:
 - bases/ols.openshift.io_olsconfigs.yaml
 #+kubebuilder:scaffold:crdkustomizeresource
 
-patches:
+# patches:
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
 # patches here are for enabling the conversion webhook for each CRD
-#- path: patches/webhook_in_olsconfigs.yaml
+# - path: patches/webhook_in_olsconfigs.yaml
 #+kubebuilder:scaffold:crdkustomizewebhookpatch
 
 # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
 # patches here are for enabling the CA injection for each CRD
-#- path: patches/cainjection_in_olsconfigs.yaml
+# - path: patches/cainjection_in_olsconfigs.yaml
 #+kubebuilder:scaffold:crdkustomizecainjectionpatch
 
 # the following config is for teaching kustomize how to do kustomization for CRDs.