fix: bad webhook rules

Author: lockwobr

operator/internal/controller/webhook_controller.go

@@ -232,7 +232,7 @@ func (r *WebhookController) CheckOrUpdateWebhookConfigurations(ctx context.Conte
 	}
 
 	needUpdate := false
-	expectedRules := webhookRule()
+	expectedRules := validatingWebhookRules()
 	for i := range existingValidating.Webhooks {
 		if validatingWebhookNeedsUpdate(&existingValidating.Webhooks[i], caBundle, expectedRules) {
 			needUpdate = true
@@ -257,8 +257,9 @@ func (r *WebhookController) CheckOrUpdateWebhookConfigurations(ctx context.Conte
 	}
 
 	needUpdate = false
+	mutatingRules := mutatingWebhookRules()
 	for i := range existingMutating.Webhooks {
-		if mutatingWebhookNeedsUpdate(&existingMutating.Webhooks[i], caBundle, expectedRules) {
+		if mutatingWebhookNeedsUpdate(&existingMutating.Webhooks[i], caBundle, mutatingRules) {
 			needUpdate = true
 		}
 	}
@@ -284,7 +285,15 @@ func webhookValidatingWebhookConfiguration(namespace, serviceName string, secret
 				Name:                    "validate-skyhook.nvidia.com",
 				ClientConfig:            webhookClient(serviceName, namespace, "/validate-skyhook-nvidia-com-v1alpha1-skyhook", secret),
 				FailurePolicy:           ptr(admissionregistrationv1.Fail),
-				Rules:                   webhookRule(),
+				Rules:                   validatingWebhookRules(),
+				SideEffects:             ptr(admissionregistrationv1.SideEffectClassNone),
+				AdmissionReviewVersions: []string{"v1"},
+			},
+			{
+				Name:                    "validate-deploymentpolicy.nvidia.com",
+				ClientConfig:            webhookClient(serviceName, namespace, "/validate-skyhook-nvidia-com-v1alpha1-deploymentpolicy", secret),
+				FailurePolicy:           ptr(admissionregistrationv1.Fail),
+				Rules:                   validatingWebhookRules(),
 				SideEffects:             ptr(admissionregistrationv1.SideEffectClassNone),
 				AdmissionReviewVersions: []string{"v1"},
 			},
@@ -305,15 +314,15 @@ func webhookMutatingWebhookConfiguration(namespace, serviceName string, secret *
 				Name:                    "mutate-skyhook.nvidia.com",
 				ClientConfig:            webhookClient(serviceName, namespace, "/mutate-skyhook-nvidia-com-v1alpha1-skyhook", secret),
 				FailurePolicy:           ptr(admissionregistrationv1.Fail),
-				Rules:                   webhookRule(),
+				Rules:                   mutatingWebhookRules(),
 				SideEffects:             ptr(admissionregistrationv1.SideEffectClassNone),
 				AdmissionReviewVersions: []string{"v1"},
 			},
 			{
 				Name:                    "mutate-deploymentpolicy.nvidia.com",
 				ClientConfig:            webhookClient(serviceName, namespace, "/mutate-skyhook-nvidia-com-v1alpha1-deploymentpolicy", secret),
 				FailurePolicy:           ptr(admissionregistrationv1.Fail),
-				Rules:                   webhookRule(),
+				Rules:                   mutatingWebhookRules(),
 				SideEffects:             ptr(admissionregistrationv1.SideEffectClassNone),
 				AdmissionReviewVersions: []string{"v1"},
 			},
@@ -358,7 +367,7 @@ func webhookClient(serviceName, namespace, path string, secret *corev1.Secret) a
 	}
 }
 
-func webhookRule() []admissionregistrationv1.RuleWithOperations {
+func validatingWebhookRules() []admissionregistrationv1.RuleWithOperations {
 	return []admissionregistrationv1.RuleWithOperations{
 		{
 			Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create, admissionregistrationv1.Update},
@@ -379,6 +388,27 @@ func webhookRule() []admissionregistrationv1.RuleWithOperations {
 	}
 }
 
+func mutatingWebhookRules() []admissionregistrationv1.RuleWithOperations {
+	return []admissionregistrationv1.RuleWithOperations{
+		{
+			Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create, admissionregistrationv1.Update},
+			Rule: admissionregistrationv1.Rule{
+				APIGroups:   []string{v1alpha1.GroupVersion.Group},
+				APIVersions: []string{v1alpha1.GroupVersion.Version},
+				Resources:   []string{"skyhooks"},
+			},
+		},
+		{
+			Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create, admissionregistrationv1.Update},
+			Rule: admissionregistrationv1.Rule{
+				APIGroups:   []string{v1alpha1.GroupVersion.Group},
+				APIVersions: []string{v1alpha1.GroupVersion.Version},
+				Resources:   []string{"deploymentpolicies"},
+			},
+		},
+	}
+}
+
 // validatingWebhookNeedsUpdate checks if a validating webhook needs to be updated with new CABundle or Rules
 // Returns true if updates were made to the webhook
 func validatingWebhookNeedsUpdate(webhook *admissionregistrationv1.ValidatingWebhook, caBundle []byte, expectedRules []admissionregistrationv1.RuleWithOperations) bool {

operator/internal/controller/webhook_controller_test.go

@@ -254,15 +254,15 @@ var _ = Describe("WebhookController", Ordered, func() {
 			}
 
 			caBundle := []byte("new-ca")
-			expectedRules := webhookRule()
+			expectedRules := validatingWebhookRules()
 
 			needsUpdate := validatingWebhookNeedsUpdate(&webhook, caBundle, expectedRules)
 			Expect(needsUpdate).To(BeTrue(), "should detect rules mismatch")
 			Expect(webhook.Rules).To(Equal(expectedRules), "rules should be updated")
 		})
 
 		It("should not update when rules are identical", func() {
-			expectedRules := webhookRule()
+			expectedRules := validatingWebhookRules()
 
 			webhook := admissionregistrationv1.ValidatingWebhook{
 				ClientConfig: admissionregistrationv1.WebhookClientConfig{
@@ -278,7 +278,7 @@ var _ = Describe("WebhookController", Ordered, func() {
 		})
 
 		It("should update CABundle when empty", func() {
-			expectedRules := webhookRule()
+			expectedRules := mutatingWebhookRules()
 
 			webhook := admissionregistrationv1.MutatingWebhook{
 				ClientConfig: admissionregistrationv1.WebhookClientConfig{