split webhooks into multiple to avoid hitting max size (#5218)

Author: matthchr

Taskfile.yml

@@ -849,6 +849,7 @@ tasks:
     deps: 
       - controller:generate-types
       - controller:generate-genruntime-deepcopy
+      - scripts:build-python-venv
     sources:
       - "v2/api/**/*.go" # depends on all API types
       - "v2/pkg/genruntime/**/*.go" # Also depends on the genruntime types as they're embedded into the CRDs
@@ -858,13 +859,13 @@ tasks:
       - if [ -d "{{.CONTROLLER_OUTPUT}}/crd/generated/bases" ]; then find "{{.CONTROLLER_OUTPUT}}/crd/generated/bases" -type f -delete; fi
       - if [ -d "{{.CONTROLLER_OUTPUT}}/crd/generated/patches" ]; then find "{{.CONTROLLER_OUTPUT}}/crd/generated/patches" -type f -delete; fi
       - cd v2/api && controller-gen {{.OBJECT_OPTIONS}} paths=./...
-      - cd v2/api && controller-gen {{.CRD_OPTIONS}} {{.WEBHOOK_OPTIONS}} {{.RBAC_OPTIONS}} paths=./...
+      - cd v2/api && controller-gen {{.CRD_OPTIONS}} {{.RBAC_OPTIONS}} paths=./...
+      - "{{.SCRIPTS_ROOT}}/venv/bin/python3 {{.SCRIPTS_ROOT}}/generate-webhooks-per-group.py --api-dir v2/api --output-dir {{.CONTROLLER_OUTPUT}}/webhook/generated"
       - cmd: cd v2/api && gofumpt -l -w . # format all generated code
         ignore_error: true # Just in case the code doesn't build
     vars:
       OBJECT_OPTIONS: object:headerFile={{.HEADER_FILE}}
       CRD_OPTIONS: crd:crdVersions=v1,allowDangerousTypes=true output:crd:artifacts:config={{.CONTROLLER_OUTPUT}}/crd/generated/bases
-      WEBHOOK_OPTIONS: webhook output:webhook:artifacts:config={{.CONTROLLER_OUTPUT}}/webhook
       RBAC_OPTIONS: rbac:roleName=manager-role output:rbac:artifacts:config={{.CONTROLLER_OUTPUT}}/rbac
 
   controller:check-crd-size:

scripts/v2/generate-webhooks-per-group.py

@@ -0,0 +1,157 @@
+#!/usr/bin/env python3
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT license.
+
+"""
+Iterates through each API group folder and runs controller-gen to produce
+per-group webhook configurations (<group>-mwh.yaml / <group>-vwh.yaml),
+avoiding a single massive manifest that risks exceeding etcd size limits.
+
+Usage: generate-webhooks-per-group.py --api-dir <API_DIR> --output-dir <OUTPUT_DIR>
+"""
+
+import argparse
+import os
+import shutil
+import subprocess
+import sys
+import tempfile
+from concurrent.futures import ThreadPoolExecutor, as_completed
+from pathlib import Path
+
+import yaml
+
+KIND_SUFFIXES = {
+    "MutatingWebhookConfiguration": "mwh",
+    "ValidatingWebhookConfiguration": "vwh",
+}
+
+
+def has_webhook_markers(group_dir: Path) -> bool:
+    """Check if any Go file in the directory tree contains a kubebuilder:webhook marker."""
+    for f in group_dir.rglob("*.go"):
+        if "kubebuilder:webhook" in f.read_text(errors="replace"):
+            return True
+    return False
+
+
+def run_controller_gen(api_dir: Path, group: str, output_dir: Path) -> None:
+    """Run controller-gen webhook for a single group."""
+    subprocess.run(
+        [
+            "controller-gen",
+            "webhook",
+            f"output:webhook:artifacts:config={output_dir}",
+            f"paths=./{group}/...",
+        ],
+        cwd=api_dir,
+        check=True,
+    )
+
+
+def split_manifests(manifests_path: Path, group: str, bases_dir: Path) -> list[str]:
+    """Split a multi-doc manifests.yaml into per-kind files with renamed metadata.name."""
+    generated = []
+    with open(manifests_path) as f:
+        docs = list(yaml.safe_load_all(f))
+
+    for doc in docs:
+        if doc is None:
+            continue
+        kind = doc.get("kind", "")
+        suffix = KIND_SUFFIXES.get(kind)
+        if suffix is None:
+            print(f"    WARNING: unexpected kind '{kind}' in {group}, skipping")
+            continue
+
+        doc["metadata"]["name"] = f"{group}-{suffix}"
+        out_file = bases_dir / f"{group}-{suffix}.yaml"
+        with open(out_file, "w") as f:
+            yaml.dump(doc, f, default_flow_style=False, sort_keys=False)
+
+        rel = f"bases/{out_file.name}"
+        generated.append(rel)
+        print(f"    Generated: {out_file.name}")
+
+    return generated
+
+
+def write_kustomization(output_dir: Path, resources: list[str]) -> None:
+    """Write a kustomization.yaml listing all generated resources."""
+    content = {
+        "resources": resources,
+    }
+    kustomization_path = output_dir / "kustomization.yaml"
+    with open(kustomization_path, "w") as f:
+        f.write("# This file is auto-generated by generate-webhooks-per-group.py\n")
+        f.write("# DO NOT EDIT manually\n")
+        yaml.dump(content, f, default_flow_style=False, sort_keys=False)
+
+
+def main() -> None:
+    parser = argparse.ArgumentParser(description=__doc__)
+    parser.add_argument("--api-dir", required=True, help="Path to the api directory (e.g. v2/api)")
+    parser.add_argument("--output-dir", required=True, help="Webhook output directory (e.g. v2/config/webhook/generated)")
+    args = parser.parse_args()
+
+    api_dir = Path(args.api_dir).resolve()
+    output_dir = Path(args.output_dir).resolve()
+    bases_dir = output_dir / "bases"
+
+    # Clean and create output directories
+    if bases_dir.exists():
+        shutil.rmtree(bases_dir)
+    bases_dir.mkdir(parents=True)
+
+    print("Generating per-group webhook configurations...")
+    print(f"  API directory:    {api_dir}")
+    print(f"  Output directory: {output_dir}")
+
+    all_resources: list[str] = []
+
+    with tempfile.TemporaryDirectory() as tmp:
+        tmp_path = Path(tmp)
+
+        # Phase 1: discover groups with webhook markers
+        groups: list[str] = []
+        group_tmp_dirs: dict[str, Path] = {}
+        for group_dir in sorted(api_dir.iterdir()):
+            if not group_dir.is_dir():
+                continue
+            if not has_webhook_markers(group_dir):
+                continue
+
+            group = group_dir.name
+            groups.append(group)
+            group_tmp = tmp_path / group
+            group_tmp.mkdir()
+            group_tmp_dirs[group] = group_tmp
+
+        # Phase 2: run controller-gen concurrently for all groups
+        print(f"  Running controller-gen for {len(groups)} groups concurrently...")
+        with ThreadPoolExecutor() as executor:
+            futures = {
+                executor.submit(run_controller_gen, api_dir, group, group_tmp_dirs[group]): group
+                for group in groups
+            }
+            for future in as_completed(futures):
+                group = futures[future]
+                future.result()  # raises on failure
+                print(f"    Completed: {group}")
+
+        # Phase 3: split and rename manifests
+        for group in groups:
+            manifests = tmp_path / group / "manifests.yaml"
+            if not manifests.exists():
+                print(f"    WARNING: no manifests.yaml for {group}, skipping")
+                continue
+            all_resources.extend(split_manifests(manifests, group, bases_dir))
+
+    # Phase 4: write kustomization.yaml
+    print(f"\nWriting kustomization.yaml with {len(all_resources)} resources...")
+    write_kustomization(output_dir, all_resources)
+    print(f"Done. Generated {len(all_resources)} webhook configuration files.")
+
+
+if __name__ == "__main__":
+    main()

scripts/v2/package-helm-manifest.sh

@@ -3,8 +3,8 @@
 # package-helm-manifest.sh script is used to copy the generated files by kustomize and package the helm chart.
 # The generated files are updated when a new resource is added. To eliminate the manual process of updating generated files, we use this script for automation.
 # Generated files include below files:
-# - admissionregistration.k8s.io_v1_mutatingwebhookconfiguration_azureserviceoperator-mutating-webhook-configuration.yaml
-# - admissionregistration.k8s.io_v1_validatingwebhookconfiguration_azureserviceoperator-validating-webhook-configuration.yaml
+# - admissionregistration.k8s.io_v1_mutatingwebhookconfiguration_azureserviceoperator-<group>-mwh.yaml (one per API group)
+# - admissionregistration.k8s.io_v1_validatingwebhookconfiguration_azureserviceoperator-<group>-vwh.yaml (one per API group)
 # - rbac.authorization.k8s.io_v1_clusterrole_azureserviceoperator-manager-role.yaml
 
 # Above files are always updated when a new resource is added
@@ -54,8 +54,8 @@ echo "Making sed replacements and copying generated yamls"
 for file in $(find "$TEMP_DIR" -type f)
 do
   # Append cluster or tenant guards to each file
-  if [[ $file == *"mutating-webhook-configuration"* ]] ||
-     [[ $file == *"validating-webhook-configuration"* ]] ||
+  if [[ $file == *"_mutatingwebhookconfiguration_"* ]] ||
+     [[ $file == *"_validatingwebhookconfiguration_"* ]] ||
      [[ $file == *"azureserviceoperator-manager-role.yaml" ]] ; then
         sed -i "1 s/^/$IF_CLUSTER\n/;$ a {{- end }}" "$file"
         sed -i 's/azureserviceoperator-system/{{ .Release.Namespace }}/g' "$file"

v2/.gitignore

@@ -1,5 +1,6 @@
 config/crd/generated
 config/webhook/manifests.yaml
+config/webhook/generated
 config/rbac/role.yaml
 test/perf/reports/graphs/
 out/

v2/config/default/kustomization.yaml

@@ -35,14 +35,20 @@ patchesStrategicMerge:
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml
 - manager_webhook_patch.yaml
 
-# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
-# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
-# 'CERTMANAGER' needs to be enabled to use ca injection
-- webhookcainjection_patch.yaml
-
 # - manager_credentials_patch.yaml
 
 patches:
+# [CERTMANAGER] Inject CA from cert-manager into all webhook configurations.
+- path: mutatingwebhook_cainjection_patch.yaml
+  target:
+    group: admissionregistration.k8s.io
+    version: v1
+    kind: MutatingWebhookConfiguration
+- path: validatingwebhook_cainjection_patch.yaml
+  target:
+    group: admissionregistration.k8s.io
+    version: v1
+    kind: ValidatingWebhookConfiguration
 - patch: |-
     - op: add
       path: /spec/template/spec/containers/0/args/-

v2/config/default/mutatingwebhook_cainjection_patch.yaml

@@ -0,0 +1,9 @@
+# This patch adds the cert-manager CA injection annotation to all MutatingWebhookConfigurations.
+# The variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) are substituted by kustomize.
+# Matching is done via the target selector in kustomization.yaml.
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: unused
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)

v2/config/default/validatingwebhook_cainjection_patch.yaml

@@ -0,0 +1,9 @@
+# This patch adds the cert-manager CA injection annotation to all ValidatingWebhookConfigurations.
+# The variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) are substituted by kustomize.
+# Matching is done via the target selector in kustomization.yaml.
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: unused
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)

v2/config/default/webhookcainjection_patch.yaml

@@ -1,7 +1,7 @@
 namePrefix: azureserviceoperator-
 
 resources:
-  - manifests.yaml
+  - generated
   - service.yaml
 
 configurations:

v2/config/webhook/kustomization.yaml

@@ -80,7 +80,7 @@ func createSharedEnvTest(
 	}
 
 	crdPath := filepath.Join(root, "v2/out/envtest/crds")
-	webhookPath := filepath.Join(root, "v2/config/webhook")
+	webhookPath := filepath.Join(root, "v2/config/webhook/generated/bases")
 
 	environment := envtest.Environment{
 		ErrorIfCRDPathMissing: true,