Share common webhook config between hosted and default mode

Signed-off-by: Ben Perry <[email protected]>

Author: bhperry

deploy/cluster-manager/chart/cluster-manager/crds/0000_01_operator.open-cluster-management.io_clustermanagers.crd.yaml

@@ -171,6 +171,24 @@ spec:
                               The Address must be reachable by apiserver of the hub cluster.
                             pattern: ^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$
                             type: string
+                          healthProbeBindAddress:
+                            default: :8000
+                            description: |-
+                              HealthProbeBindAddress represents the healthcheck address of a webhook-server. The default value is ":8000".
+                              Healthchecks may be disabled by setting a value of "0" or "".
+                            type: string
+                          hostNetwork:
+                            description: |-
+                              HostNetwork enables running webhook pods with hostNetwork: true
+                              This may be required in some installations, such as EKS with Calico CNI,
+                              to allow the API Server to communicate with the webhook pods.
+                            type: boolean
+                          metricsBindAddress:
+                            default: :8080
+                            description: |-
+                              MetricsBindAddress represents the metrics address of a webhook-server. The default value is ":8080"
+                              Metrics may be disabled by setting a value of "0" or "".
+                            type: string
                           port:
                             default: 443
                             description: Port represents the port of a webhook-server.
@@ -192,6 +210,24 @@ spec:
                               The Address must be reachable by apiserver of the hub cluster.
                             pattern: ^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$
                             type: string
+                          healthProbeBindAddress:
+                            default: :8000
+                            description: |-
+                              HealthProbeBindAddress represents the healthcheck address of a webhook-server. The default value is ":8000".
+                              Healthchecks may be disabled by setting a value of "0" or "".
+                            type: string
+                          hostNetwork:
+                            description: |-
+                              HostNetwork enables running webhook pods with hostNetwork: true
+                              This may be required in some installations, such as EKS with Calico CNI,
+                              to allow the API Server to communicate with the webhook pods.
+                            type: boolean
+                          metricsBindAddress:
+                            default: :8080
+                            description: |-
+                              MetricsBindAddress represents the metrics address of a webhook-server. The default value is ":8080"
+                              Metrics may be disabled by setting a value of "0" or "".
+                            type: string
                           port:
                             default: 443
                             description: Port represents the port of a webhook-server.

deploy/cluster-manager/config/crds/0000_01_operator.open-cluster-management.io_clustermanagers.crd.yaml

@@ -171,6 +171,24 @@ spec:
                               The Address must be reachable by apiserver of the hub cluster.
                             pattern: ^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$
                             type: string
+                          healthProbeBindAddress:
+                            default: :8000
+                            description: |-
+                              HealthProbeBindAddress represents the healthcheck address of a webhook-server. The default value is ":8000".
+                              Healthchecks may be disabled by setting a value of "0" or "".
+                            type: string
+                          hostNetwork:
+                            description: |-
+                              HostNetwork enables running webhook pods with hostNetwork: true
+                              This may be required in some installations, such as EKS with Calico CNI,
+                              to allow the API Server to communicate with the webhook pods.
+                            type: boolean
+                          metricsBindAddress:
+                            default: :8080
+                            description: |-
+                              MetricsBindAddress represents the metrics address of a webhook-server. The default value is ":8080"
+                              Metrics may be disabled by setting a value of "0" or "".
+                            type: string
                           port:
                             default: 443
                             description: Port represents the port of a webhook-server.
@@ -192,6 +210,24 @@ spec:
                               The Address must be reachable by apiserver of the hub cluster.
                             pattern: ^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$
                             type: string
+                          healthProbeBindAddress:
+                            default: :8000
+                            description: |-
+                              HealthProbeBindAddress represents the healthcheck address of a webhook-server. The default value is ":8000".
+                              Healthchecks may be disabled by setting a value of "0" or "".
+                            type: string
+                          hostNetwork:
+                            description: |-
+                              HostNetwork enables running webhook pods with hostNetwork: true
+                              This may be required in some installations, such as EKS with Calico CNI,
+                              to allow the API Server to communicate with the webhook pods.
+                            type: boolean
+                          metricsBindAddress:
+                            default: :8080
+                            description: |-
+                              MetricsBindAddress represents the metrics address of a webhook-server. The default value is ":8080"
+                              Metrics may be disabled by setting a value of "0" or "".
+                            type: string
                           port:
                             default: 443
                             description: Port represents the port of a webhook-server.

go.mod

@@ -3,7 +3,7 @@ module open-cluster-management.io/ocm
 go 1.23.6
 
 // TEMPORARY while waiting for upstream tag – must be removed before merge
-replace open-cluster-management.io/api => github.com/bhperry/ocm-api v0.0.0-20250612225613-ffa7865df0a9
+replace open-cluster-management.io/api => github.com/bhperry/ocm-api v0.0.0-20250709152251-dc6f14dcb9c0
 
 require (
 	github.com/aws/aws-sdk-go-v2 v1.36.3

go.sum

@@ -58,8 +58,8 @@ github.com/aws/smithy-go v1.22.2 h1:6D9hW43xKFrRx/tXXfAlIZc4JI+yQe6snnWcQyxSyLQ=
 github.com/aws/smithy-go v1.22.2/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/bhperry/ocm-api v0.0.0-20250612225613-ffa7865df0a9 h1:Cs8jDa7M7sGmQA3OmGYsnn+yD/aytxyhYym6qtZHsVs=
-github.com/bhperry/ocm-api v0.0.0-20250612225613-ffa7865df0a9/go.mod h1:/OeqXycNBZQoe3WG6ghuWsMgsKGuMZrK8ZpsU6gWL0Y=
+github.com/bhperry/ocm-api v0.0.0-20250709152251-dc6f14dcb9c0 h1:BGB/xHmOWNgwbuz6vqFBk+hf+dXhcSI5IBbRwim3CjA=
+github.com/bhperry/ocm-api v0.0.0-20250709152251-dc6f14dcb9c0/go.mod h1:/OeqXycNBZQoe3WG6ghuWsMgsKGuMZrK8ZpsU6gWL0Y=
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
 github.com/bwmarrin/snowflake v0.3.0 h1:xm67bEhkKh6ij1790JB83OujPR5CzNe8QuQqAgISZN0=

pkg/operator/operators/clustermanager/controllers/clustermanagercontroller/clustermanager_controller.go

@@ -367,6 +367,10 @@ func ensureSAKubeconfigs(ctx context.Context, clusterManagerName, clusterManager
 
 // TODO: support IPV6 address
 func isIPFormat(address string) bool {
+	if address == "" {
+		return false
+	}
+
 	runes := []rune(address)
 	for i := 0; i < len(runes); i++ {
 		if (runes[i] < '0' || runes[i] > '9') && runes[i] != '.' {
@@ -379,44 +383,45 @@ func isIPFormat(address string) bool {
 func webhookConfigurations(deployOption operatorapiv1.ClusterManagerDeployOption) (registration, work manifests.Webhook) {
 	switch deployOption.Mode {
 	case operatorapiv1.InstallModeDefault:
-		if deployOption.Default == nil {
-			registration.Port = defaultWebhookPort
-			registration.HealthProbeBindAddress = defaultHealthProbeBindAddr
-			registration.MetricsBindAddress = defaultMetricsBindAddr
-			work.Port = defaultWebhookPort
-			work.HealthProbeBindAddress = defaultHealthProbeBindAddr
-			work.MetricsBindAddress = defaultMetricsBindAddr
-		} else {
+		if deployOption.Default != nil {
 			registration = convertDefaultWebhookConfiguration(deployOption.Default.RegistrationWebhookConfiguration)
 			work = convertDefaultWebhookConfiguration(deployOption.Default.WorkWebhookConfiguration)
+			return
 		}
 	case operatorapiv1.InstallModeHosted:
-		if deployOption.Hosted == nil {
-			registration.Port = defaultWebhookPort
-			work.Port = defaultWebhookPort
-		} else {
+		if deployOption.Hosted != nil {
 			registration = convertHostedWebhookConfiguration(deployOption.Hosted.RegistrationWebhookConfiguration)
 			work = convertHostedWebhookConfiguration(deployOption.Hosted.WorkWebhookConfiguration)
+			return
 		}
 	}
-	return registration, work
+
+	registration = manifests.Webhook{
+		Port:                   defaultWebhookPort,
+		HealthProbeBindAddress: defaultHealthProbeBindAddr,
+		MetricsBindAddress:     defaultMetricsBindAddr,
+	}
+	work = manifests.Webhook{
+		Port:                   defaultWebhookPort,
+		HealthProbeBindAddress: defaultHealthProbeBindAddr,
+		MetricsBindAddress:     defaultMetricsBindAddr,
+	}
+	return
 }
 
-func convertHostedWebhookConfiguration(webhookConfiguration operatorapiv1.WebhookConfiguration) manifests.Webhook {
-	// If we are deploying in the hosted mode, it requires us to create webhook in a different way with the default mode.
-	// In the hosted mode, the webhook servers is running in the management cluster but the users are accessing the hub cluster.
-	// So we need to add configuration to make the apiserver of the hub cluster could access the webhook servers on the management cluster.
+func convertDefaultWebhookConfiguration(webhookConfiguration operatorapiv1.DefaultWebhookConfiguration) manifests.Webhook {
 	return manifests.Webhook{
-		Address:    webhookConfiguration.Address,
-		Port:       webhookConfiguration.Port,
-		IsIPFormat: isIPFormat(webhookConfiguration.Address),
+		Port:                   webhookConfiguration.Port,
+		HealthProbeBindAddress: webhookConfiguration.HealthProbeBindAddress,
+		MetricsBindAddress:     webhookConfiguration.MetricsBindAddress,
+		HostNetwork:            webhookConfiguration.HostNetwork,
 	}
 }
 
-func convertDefaultWebhookConfiguration(webhookConfiguration operatorapiv1.WebhookDefaultConfiguration) manifests.Webhook {
-	// In default mode, webhooks run inside the hub cluster.
-	// These configurations allow the webhooks to configured for different kubernetes environements.
+func convertHostedWebhookConfiguration(webhookConfiguration operatorapiv1.HostedWebhookConfiguration) manifests.Webhook {
 	return manifests.Webhook{
+		Address:                webhookConfiguration.Address,
+		IsIPFormat:             isIPFormat(webhookConfiguration.Address),
 		Port:                   webhookConfiguration.Port,
 		HealthProbeBindAddress: webhookConfiguration.HealthProbeBindAddress,
 		MetricsBindAddress:     webhookConfiguration.MetricsBindAddress,

test/integration/operator/integration_suite_test.go

@@ -167,11 +167,11 @@ var _ = ginkgo.BeforeSuite(func() {
 			DeployOption: operatorapiv1.ClusterManagerDeployOption{
 				Mode: operatorapiv1.InstallModeHosted,
 				Hosted: &operatorapiv1.HostedClusterManagerConfiguration{
-					RegistrationWebhookConfiguration: operatorapiv1.WebhookConfiguration{
+					RegistrationWebhookConfiguration: operatorapiv1.HostedWebhookConfiguration{
 						Address: "localhost",
 						Port:    443,
 					},
-					WorkWebhookConfiguration: operatorapiv1.WebhookConfiguration{
+					WorkWebhookConfiguration: operatorapiv1.HostedWebhookConfiguration{
 						Address: "localhost",
 						Port:    443,
 					},

vendor/modules.txt

@@ -1718,7 +1718,7 @@ open-cluster-management.io/addon-framework/pkg/agent
 open-cluster-management.io/addon-framework/pkg/assets
 open-cluster-management.io/addon-framework/pkg/index
 open-cluster-management.io/addon-framework/pkg/utils
-# open-cluster-management.io/api v1.0.0 => github.com/bhperry/ocm-api v0.0.0-20250612225613-ffa7865df0a9
+# open-cluster-management.io/api v1.0.0 => github.com/bhperry/ocm-api v0.0.0-20250709152251-dc6f14dcb9c0
 ## explicit; go 1.23.6
 open-cluster-management.io/api/addon/v1alpha1
 open-cluster-management.io/api/client/addon/clientset/versioned
@@ -1948,4 +1948,4 @@ sigs.k8s.io/structured-merge-diff/v4/value
 sigs.k8s.io/yaml
 sigs.k8s.io/yaml/goyaml.v2
 sigs.k8s.io/yaml/goyaml.v3
-# open-cluster-management.io/api => github.com/bhperry/ocm-api v0.0.0-20250612225613-ffa7865df0a9
+# open-cluster-management.io/api => github.com/bhperry/ocm-api v0.0.0-20250709152251-dc6f14dcb9c0