enable webhooks

Author: Diaphteiros

api/crds/manifests/openmcp.cloud_clusterproviders.yaml

@@ -2265,6 +2265,17 @@ spec:
                 - info
                 - error
                 type: string
+              webhook:
+                description: Webhook contains the webhook configuration for the provider,
+                  if any.
+                properties:
+                  enabled:
+                    default: false
+                    description: Enabled indicates whether the webhook is enabled.
+                    type: boolean
+                required:
+                - enabled
+                type: object
             required:
             - image
             type: object

api/crds/manifests/openmcp.cloud_platformservices.yaml

@@ -2265,6 +2265,17 @@ spec:
                 - info
                 - error
                 type: string
+              webhook:
+                description: Webhook contains the webhook configuration for the provider,
+                  if any.
+                properties:
+                  enabled:
+                    default: false
+                    description: Enabled indicates whether the webhook is enabled.
+                    type: boolean
+                required:
+                - enabled
+                type: object
             required:
             - image
             type: object

api/crds/manifests/openmcp.cloud_serviceproviders.yaml

@@ -2265,6 +2265,17 @@ spec:
                 - info
                 - error
                 type: string
+              webhook:
+                description: Webhook contains the webhook configuration for the provider,
+                  if any.
+                properties:
+                  enabled:
+                    default: false
+                    description: Enabled indicates whether the webhook is enabled.
+                    type: boolean
+                required:
+                - enabled
+                type: object
             required:
             - image
             type: object

api/provider/v1alpha1/deployment_types.go

@@ -94,6 +94,16 @@ type DeploymentSpec struct {
 	// +listType=map
 	// +listMapKey=topologyKey
 	TopologySpreadConstraints []corev1.TopologySpreadConstraint `json:"topologySpreadConstraints,omitempty" patchStrategy:"merge" patchMergeKey:"topologyKey"`
+
+	// Webhook contains the webhook configuration for the provider, if any.
+	// +optional
+	Webhook *WebhookConfiguration `json:"webhook,omitempty"`
+}
+
+type WebhookConfiguration struct {
+	// Enabled indicates whether the webhook is enabled.
+	// +kubebuilder:default=false
+	Enabled bool `json:"enabled"`
 }
 
 // DeploymentStatus defines the observed state of a provider.

api/provider/v1alpha1/zz_generated.deepcopy.go

@@ -16,6 +16,7 @@ import (
 	"github.com/openmcp-project/controller-utils/pkg/resources"
 
 	"github.com/openmcp-project/openmcp-operator/api/install"
+	libutils "github.com/openmcp-project/openmcp-operator/lib/utils"
 )
 
 type deploymentMutator struct {
@@ -57,6 +58,28 @@ func (m *deploymentMutator) Mutate(d *appsv1.Deployment) error {
 		return err
 	}
 
+	volumes := m.values.deploymentSpec.ExtraVolumes
+	volumeMounts := m.values.deploymentSpec.ExtraVolumeMounts
+	if m.values.deploymentSpec.Webhook != nil && m.values.deploymentSpec.Webhook.Enabled {
+		whSecretName, err := libutils.WebhookSecretName(m.values.provider.GetName())
+		if err != nil {
+			return err
+		}
+		volumes = append(volumes, corev1.Volume{
+			Name: "webhook-tls",
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: whSecretName,
+				},
+			},
+		})
+		volumeMounts = append(volumeMounts, corev1.VolumeMount{
+			Name:      "webhook-tls",
+			MountPath: "/tmp/k8s-webhook-server/serving-certs",
+			ReadOnly:  true,
+		})
+	}
+
 	runCmd := slices.Clone(m.values.deploymentSpec.RunCommand)
 	if len(runCmd) == 0 {
 		runCmd = []string{"run"}
@@ -86,12 +109,12 @@ func (m *deploymentMutator) Mutate(d *appsv1.Deployment) error {
 						ImagePullPolicy: corev1.PullIfNotPresent,
 						Args:            runCmd,
 						Env:             env,
-						VolumeMounts:    m.values.deploymentSpec.ExtraVolumeMounts,
+						VolumeMounts:    volumeMounts,
 					},
 				},
 				ImagePullSecrets:          m.values.ImagePullSecrets(),
 				ServiceAccountName:        m.values.NamespacedDefaultResourceName(),
-				Volumes:                   m.values.deploymentSpec.ExtraVolumes,
+				Volumes:                   volumes,
 				TopologySpreadConstraints: m.values.deploymentSpec.TopologySpreadConstraints,
 			},
 		},

internal/controllers/provider/install/deployment.go

@@ -70,3 +70,13 @@ func StableMCPIdentifier(onboardingName, onboardingNamespace string) (string, er
 	}
 	return res, nil
 }
+
+// WebhookSecretName computes the name the secret containing the webhook TLS certificate is expected to have, based on the provider's name.
+func WebhookSecretName(providerName string) (string, error) {
+	suffix := "-webhook-tls"
+	base, err := controller.ShortenToXCharacters(providerName, controller.K8sMaxNameLength-len(suffix))
+	if err != nil {
+		return "", fmt.Errorf("error computing webhook secret name: %w", err)
+	}
+	return base + suffix, nil
+}