fix: cilium webhook with templated values (#1437)

**What problem does this PR solve?**:
Its possible that users may want to use a templated values with their
custom Cilium ConfigMap to enable kube-proxy replacement feature.
This fixes the webhook to support that.

**Which issue(s) this PR fixes**:
Fixes #

**How Has This Been Tested?**:
<!--
Please describe the tests that you ran to verify your changes.
Provide output from the tests and any manual steps needed to replicate
the tests.
-->

**Special notes for your reviewer**:
<!--
Use this to provide any additional information to the reviewers.
This may include:
- Best way to review the PR.
- Where the author wants the most review attention on.
- etc.
-->

Author: dkoshkin

pkg/webhook/cluster/cilium_configuration_validator.go

@@ -4,9 +4,12 @@
 package cluster
 
 import (
+	"bytes"
 	"context"
 	"fmt"
 	"net/http"
+	"strings"
+	"text/template"
 
 	v1 "k8s.io/api/admission/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -117,6 +120,33 @@ func hasSkipAnnotation(cluster *clusterv1.Cluster) bool {
 	return ok && val == "true"
 }
 
+// templateValues applies Go template expansion to the values string using only ControlPlaneEndpoint.
+func templateValues(cluster *clusterv1.Cluster, text string) (string, error) {
+	funcMap := template.FuncMap{
+		"trimPrefix": strings.TrimPrefix,
+	}
+	valuesTemplate, err := template.New("").Funcs(funcMap).Parse(text)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse template: %w", err)
+	}
+
+	type input struct {
+		ControlPlaneEndpoint clusterv1.APIEndpoint
+	}
+
+	templateInput := input{
+		ControlPlaneEndpoint: cluster.Spec.ControlPlaneEndpoint,
+	}
+
+	var b bytes.Buffer
+	err = valuesTemplate.Execute(&b, templateInput)
+	if err != nil {
+		return "", fmt.Errorf("failed templating values: %w", err)
+	}
+
+	return b.String(), nil
+}
+
 type ciliumValues struct {
 	KubeProxyReplacement bool `json:"kubeProxyReplacement"`
 }
@@ -156,9 +186,20 @@ func getCiliumValues(
 		return nil, nil
 	}
 
-	// Unmarshal the YAML
+	// Apply templating to the values
+	templatedValues, err := templateValues(cluster, valuesYAML)
+	if err != nil {
+		return nil, fmt.Errorf(
+			"failed to template Cilium values from ConfigMap %s/%s: %w",
+			configMapNamespace,
+			configMapName,
+			err,
+		)
+	}
+
+	// Unmarshal the templated YAML
 	values := &ciliumValues{}
-	if err := yaml.Unmarshal([]byte(valuesYAML), values); err != nil {
+	if err := yaml.Unmarshal([]byte(templatedValues), values); err != nil {
 		return nil, fmt.Errorf(
 			"failed to unmarshal Cilium values from ConfigMap %s/%s: %w",
 			configMapNamespace,

pkg/webhook/cluster/cilium_configuration_validator_test.go

@@ -420,6 +420,150 @@ kubeProxyReplacement: true
 			resp := validator.validate(context.Background(), req)
 			Expect(resp.Allowed).To(BeTrue())
 		})
+
+		It("should allow when ConfigMap uses templated values with ControlPlaneEndpoint", func() {
+			cni := &v1alpha1.CNI{
+				Provider: v1alpha1.CNIProviderCilium,
+				AddonConfig: v1alpha1.AddonConfig{
+					Values: &v1alpha1.AddonValues{
+						SourceRef: &v1alpha1.ValuesReference{
+							Kind: "ConfigMap",
+							Name: "cilium-values",
+						},
+					},
+				},
+			}
+			cluster := createTestClusterWithControlPlaneEndpoint(
+				"test-cluster",
+				"test-namespace",
+				v1alpha1.KubeProxyModeDisabled,
+				cni,
+				"192.168.1.100",
+				6443,
+			)
+			req := createAdmissionRequest(cluster)
+
+			// Create ConfigMap with templated values where kubeProxyReplacement depends on templating
+			// Without templating, this would fail because {{ true }} is not a valid boolean
+			configMap := &corev1.ConfigMap{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "cilium-values",
+					Namespace: "test-namespace",
+				},
+				Data: map[string]string{
+					"values.yaml": `
+ipam:
+  mode: kubernetes
+# This will only work if templating is applied
+kubeProxyReplacement: true
+k8sServiceHost: "{{ trimPrefix .ControlPlaneEndpoint.Host "https://" }}"
+k8sServicePort: "{{ .ControlPlaneEndpoint.Port }}"
+`,
+				},
+			}
+
+			client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(configMap).Build()
+			validator = NewAdvancedCiliumConfigurationValidator(client, decoder)
+
+			resp := validator.validate(context.Background(), req)
+			Expect(resp.Allowed).To(BeTrue())
+		})
+
+		It("should deny when ConfigMap uses templated values that would be false after templating", func() {
+			cni := &v1alpha1.CNI{
+				Provider: v1alpha1.CNIProviderCilium,
+				AddonConfig: v1alpha1.AddonConfig{
+					Values: &v1alpha1.AddonValues{
+						SourceRef: &v1alpha1.ValuesReference{
+							Kind: "ConfigMap",
+							Name: "cilium-values",
+						},
+					},
+				},
+			}
+			cluster := createTestClusterWithControlPlaneEndpoint(
+				"test-cluster",
+				"test-namespace",
+				v1alpha1.KubeProxyModeDisabled,
+				cni,
+				"192.168.1.100",
+				6443,
+			)
+			req := createAdmissionRequest(cluster)
+
+			// Create ConfigMap with templated values that evaluate to false
+			configMap := &corev1.ConfigMap{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "cilium-values",
+					Namespace: "test-namespace",
+				},
+				Data: map[string]string{
+					"values.yaml": `
+ipam:
+  mode: kubernetes
+kubeProxyReplacement: {{ false }}
+k8sServiceHost: "{{ trimPrefix .ControlPlaneEndpoint.Host "https://" }}"
+k8sServicePort: "{{ .ControlPlaneEndpoint.Port }}"
+`,
+				},
+			}
+
+			client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(configMap).Build()
+			validator = NewAdvancedCiliumConfigurationValidator(client, decoder)
+
+			resp := validator.validate(context.Background(), req)
+			Expect(resp.Allowed).To(BeFalse())
+			expectedMessage := "kube-proxy is disabled, but Cilium ConfigMap test-namespace/cilium-values does not have 'kubeProxyReplacement' enabled"
+			Expect(resp.Result.Message).To(Equal(expectedMessage))
+		})
+
+		It("should error out when ConfigMap uses unknown templated values", func() {
+			cni := &v1alpha1.CNI{
+				Provider: v1alpha1.CNIProviderCilium,
+				AddonConfig: v1alpha1.AddonConfig{
+					Values: &v1alpha1.AddonValues{
+						SourceRef: &v1alpha1.ValuesReference{
+							Kind: "ConfigMap",
+							Name: "cilium-values",
+						},
+					},
+				},
+			}
+			cluster := createTestClusterWithControlPlaneEndpoint(
+				"test-cluster",
+				"test-namespace",
+				v1alpha1.KubeProxyModeDisabled,
+				cni,
+				"192.168.1.100",
+				6443,
+			)
+			req := createAdmissionRequest(cluster)
+
+			// Create ConfigMap with unknown template field
+			configMap := &corev1.ConfigMap{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "cilium-values",
+					Namespace: "test-namespace",
+				},
+				Data: map[string]string{
+					"values.yaml": `
+ipam:
+  mode: kubernetes
+kubeProxyReplacement: true
+k8sServiceHost: "{{ .UnknownField.Host }}"
+k8sServicePort: "{{ .ControlPlaneEndpoint.Port }}"
+`,
+				},
+			}
+
+			client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(configMap).Build()
+			validator = NewAdvancedCiliumConfigurationValidator(client, decoder)
+
+			resp := validator.validate(context.Background(), req)
+			Expect(resp.Allowed).To(BeFalse())
+			Expect(resp.Result.Message).To(ContainSubstring("failed templating values"))
+			Expect(resp.Result.Message).To(ContainSubstring("can't evaluate field UnknownField"))
+		})
 	})
 })
 
@@ -467,6 +611,21 @@ func createTestCluster(
 	}
 }
 
+func createTestClusterWithControlPlaneEndpoint(
+	name, namespace string,
+	kubeProxyMode v1alpha1.KubeProxyMode,
+	cni *v1alpha1.CNI,
+	host string,
+	port int32,
+) *clusterv1.Cluster {
+	cluster := createTestCluster(name, namespace, kubeProxyMode, cni)
+	cluster.Spec.ControlPlaneEndpoint = clusterv1.APIEndpoint{
+		Host: host,
+		Port: port,
+	}
+	return cluster
+}
+
 func createAdmissionRequest(cluster *clusterv1.Cluster) admission.Request {
 	objRaw, err := json.Marshal(cluster)
 	Expect(err).NotTo(HaveOccurred())